openldap-technical December 2010

openldap-technical@openldap.org

82 participants
96 discussions

Unable to authenticate with "secondary" uids, slapd 2.4.23, centos5.5
by Chan Wilson 16 Dec '10

16 Dec '10

Hi all, I have several LDAP trees and installs (2.4.23, centos 5.5, bdb) that utilize "secondary" uids as the sites are in the process of migrating user IDs. In essence, allowing both "user" and "user.name" to authenticate as the same "user" account: dn: uid=user,ou=people,dc=example,dc=com uid: user uid: user.name This has all been working beautifully since inception with 2.4.21. However, "something changed" either at the O/S level or slapd level to break this, and I'm at a loss as to what to look at next. When doing an ldapsearch -D with the "secondary" uid, it fails, and the server-side has a return from bdb_dn2id -- "get failed: DB_NOTFOUND: No matching key/data pair found (-30988)", which implies that the BDB index file for uid doesn't contain the additional uids. Not sure how to look at that, slapd_db_dump doesn't reveal anything human-parsable. Does this ring any bells? Was it just a fluke that this worked? thanks, --Chan

2 1

problem with ldap_search _ext and ldap_result
by siva prakash 16 Dec '10

16 Dec '10

After binding the ldap server, here are my code snippets, finished = 0; rc = ldap_search_ext( ld, "testactivedirectory.com", sub_tree, "(sAMAccountName=user1)", NULL, 0, NULL, NULL, NULL, 1, &msgid ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "ldap_search_ext: %s \n", ldap_err2string( rc ) ); ldap_unbind( ld ); return( 1 ); } while (!finished) { rc = ldap_result( ld, msgid, LDAP_MSG_ONE, &zerotime, &res ); printf("check the search result :%d\n", rc); switch ( rc ) { case -1: fprintf( stderr, "ldap_result: %s\n", ldap_err2string( rc ) ); ldap_unbind( ld ); return( 1 ); case 0: break; case LDAP_RES_SEARCH_ENTRY: /* Get and print the DN of the entry. */ if (( dn = ldap_get_dn( ld, res )) != NULL ) { printf( "dn-> %s\n", dn ); ldap_memfree( dn ); } break; case LDAP_RES_SEARCH_RESULT: finished = 1; break; default: break; } } while running this program, i could get the intended result what the distinguished name i want, but the ldap_result in not being exit with LDAP_RES_SEARCH_RESULT option. it tooks lot of time to respond with LDAP_RES_SEARCH_RESULT, even no more entry to provide. check the search result :100 dn-> CN=user1,CN=Users,DC=testactivedirectory,DC=com (it waits in looop... it exits after a very long time) check the search result :101 i wanted to avoid this waiting time, even i have been sending entries should be limited to 1, it doesn't seems to be reflected, i have found other way of fixing this, doing two bind and two unbind option. but that is not seems a optimized manner. Let me know how to fix this problem, Thanks, LDAP Learner

1 0

openldap and kerberos integration
by Thierry Lacoste 16 Dec '10

16 Dec '10

Hello, I'm experimenting with integrating Kerberos and OpenLDAP following roughly http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT I'm using CentOS and Buchan Milne's repository (http://staff.telkomsa.net/packages/rhel5/ ) both for OpenLDAP and Heimdal. I've almost succeeded except for password integration. It seems that the smbk5pwd module provided by openldap2.4- servers-2.4.22-1.el5 in /usr/lib/openldap2.4/smbpwd.so is built without kerberos support. With "smbk5pwd-enable krb5" I have the following error: /etc/openldap2.4/slapd.conf: line 154: smbk5pwd: <smbk5pwd-enable> module "smbk5pwd-enable" only allowed when compiled with -DDO_KRB5. What is the easiest option to get a kerberos supporting smbk5pwd? BTW I'd appreciate any recommandations about providing kerberos and LDAP authentication (with the same password) in a production setting. Should I use Heimdal or MIT kerberos ? If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or let Kerberos use its native backend? If OpenLDAP as a backend, is it better to use {K5KEY} as the userPassword or let smbk5pwd synchronize everything? Best regards, Thierry

4 11

Re: Re: how to analysis openldap log
by owen nirvana 16 Dec '10

16 Dec '10

> > I could not find apis for analysising log. > > > > Thanks for help! > What kind of log are you referring to? > syslog, log database or monitor database? log databasem, the files like log.000000x in /var/ldap/ gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

2 1

how to implement default groups?
by Judd Maltin 15 Dec '10

15 Dec '10

Hi folks, how to implement default groups? I'd like to setup a "default" group entry that automatically includes the bindDN as a member. Better yet, I'd like to indicate a regex for members of the group. There's all sorts of nice things that can be done with ACLs, but they're irrelevant. And there's nothing in dynlist or other overlays that will help me. Am I barking up the wrong tree? Thanks, -judd -- Judd Maltin T: 917-882-1270 T: 888-639-4614 F: 501-694-7809 Gratitude is the end of despair and the beginning of joy.

1 0

New Attributes, ACL, and Indices
by Andy Carlson 15 Dec '10

15 Dec '10

I have recently added a few new attributes to an existing object class (this was a custom object class, not an out-of-the-box one). I also created a few olcAccess (ACL) entries to enable access to these new attributes and olcDbIndex entries to index the values of the attributes. I added all of these using the cn=config directory structure containers. It is my understanding that unless I modify schema/ldif files on the server that these changes will be lost upon server/service restart. I have the idea that these are the correct folder, but since I've never done this before I'm seeking confirmation/direction. The ACLs and Indices appear to be located in the /opt/<Server-Instance>/common/setup folder. In this folder there is an olcAccess.bdb.ldif file (which appears to hold the ACLs). There's also an LDIF file for the frontend and monitor container located within cn=config. The attributes appear to be located in the /opt/<Server-Instance>1/etc/openldap/schema.mbi folder (mbi is an identifier for our organization). In this folder there is a file named mbiUser.schema (mbiUser is the custom object class). I suspect that this is where the attributes would be stored. Again, this is a non-exhaustive listing of a few things that caught my eye. Let me know if you have any thoughts or suggestions. Thanks much, Andy Carlson Identity Administrator | Information Systems Moody Bible Institute 820 N. LaSalle Blvd., Chicago, IL 60610 312-329-4385 www.moodyministries.net<http://www.moodyministries.net> >From the Word. To Life.

1 0

PAM Filtering Not working with CRYPT Passwds
by Anton Chu 15 Dec '10

15 Dec '10

I have installed the ldapns.schema in my ubuntu 10.04 ldap server to enable host based authentication/filtering. I have some ubuntu 10.10 ldap clients that requires filtering. All my ldap users have passwords in crypt format that I have converted to an ldif file using the PADL migration.pl scripts. After importing them into my ldap server, the pam filtering wasn't working; however, when I changed the passwords from crypt to clear or md5 or sha1, filtering worked fine. The question is how can I get filtering to work with {CRYPT} password hashing? cat /etc/ldap.conf | grep -v ^# | grep -v ^$ > base dc=web,dc=net > uri ldap://10.112.18.2 > ldap_version 3 > rootbinddn cn=admin,dc=web,dc=net > bind_policy soft > pam_filter |(host=webdev120)(host=\*) > nss_initgroups_ignoreusers > backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data > > cat common-auth | grep -v ^# | grep -v ^$ > auth [success=2 default=ignore] pam_unix.so nullok_secure > auth [success=1 default=ignore] pam_ldap.so use_first_pass > auth requisite pam_deny.so > auth required pam_permit.so > cat common-account | grep -v ^# | grep -v ^$ > account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so > account [success=1 default=ignore] pam_ldap.so > account requisite pam_deny.so > account required pam_permit.so > cat common-password | grep -v ^# | grep -v ^$ > password [success=2 default=ignore] pam_unix.so obscure sha512 > password [success=1 user_unknown=ignore default=die] pam_ldap.so > use_authtok try_first_pass > password requisite pam_deny.so > password required pam_permit.so >

1 0

How Indexes work?
by Steeg Carson 15 Dec '10

15 Dec '10

Hello, I try to understand, how the LDAP-Indexes work. If I configure a Index for a Attribute like: index myAttribute eq the index file myAttribute.bdb is build in the data directory. When I search then ldapsearch -x -h localhost -D".." -b"<baseDN>" "(myAttribute=<searched key>)" how will the LDAP-Server process this request? Is there anywhere a good documentation? My assumption is: * At first, a the Index is looked up. The result are only the matched IDs. * The LDAP-Server now can quick give back all entires form id2enty.bdb If I use Indexes, are all other entires are examined too after give back the result from indexes? I have a database, and my search is like shown above. The search takes long. The cache is configured, the size is enough (approx. dn2id.bdb + id2entry.bdb). But what I see, is that the write IO from LDAP is enormously (seen with iotop). During the whole search, the write IO is higher than the read IO. Why? Thanks for help. Steeg

1 0

Debugging syncrepl
by Angel L. Mateo 15 Dec '10

15 Dec '10

Hello, I've configured 2 ldap servers (2.4.21, from ubuntu 10.04 package) in a master-master configuration. The configuration I have is: {0}rid=004 provider=ldap://ldap1.mydomain.com binddn="<replicauser>" bindmethod=simple credentials=<replicapass> searchbase="<dc=mydomain>" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1 {1}rid=005 provider=ldap://ldap2.mydomain.com binddn="<relicauser>" bindmethod=simple credentials=<replicapass> searchbase="<dc=mydomain>" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1 I have an oclAccess like: {3}to dn.subtree=<dc=mydomain> by group.exact=<admingroup> manage ... by * none break Replica user belongs to group <admingroup>, so it has complete access to the directory. I have also a limit like: {1}group=<admingroup> time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited so it has no limits. The problem is that I'm loading the directory with a lot of entries (about 109000). After all the load process (I've done it in ldap2, with ldapadd commands) I have all the entries in ldap2, but I have a few less in ldap1 (about 107000). How could I debug the problem? I have tried later to remove from ldap2 an entry that it isn't at ldap1, and then add it again and the replication is done, so I don't know why it hasn't been replicated the first time. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 868887590 Fax: 868888337

1 0

Syncrepl attrs selection
by Raphael Ordinas 15 Dec '10

15 Dec '10

Hi everyone, I'm facing a minor problem with syncrepl. I'd like to tell syncrepl to sync all attributs but the one specified. Is this possible ? Thanks Raphael

2 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2010