Unable to authenticate with "secondary" uids, slapd 2.4.23, centos5.5
by Chan Wilson
Hi all,
I have several LDAP trees and installs (2.4.23, centos 5.5, bdb) that
utilize "secondary" uids as the sites are in the process of migrating user
IDs. In essence, allowing both "user" and "user.name" to authenticate as
the same "user" account:
dn: uid=user,ou=people,dc=example,dc=com
uid: user
uid: user.name
This has all been working beautifully since inception with 2.4.21. However,
"something changed" either at the O/S level or slapd level to break this,
and I'm at a loss as to what to look at next. When doing an ldapsearch -D
with the "secondary" uid, it fails, and the server-side has a return from
bdb_dn2id -- "get failed: DB_NOTFOUND: No matching key/data pair found
(-30988)", which implies that the BDB index file for uid doesn't contain the
additional uids. Not sure how to look at that, slapd_db_dump doesn't reveal
anything human-parsable.
Does this ring any bells? Was it just a fluke that this worked?
thanks,
--Chan
10 years, 4 months
problem with ldap_search _ext and ldap_result
by siva prakash
After binding to the LDAP server, here are my code snippets:
    /* Assumed to be declared earlier in the program (not shown in the
       original snippet): LDAP *ld (already bound), LDAPMessage *res,
       struct timeval zerotime, int rc, msgid, finished, err, char *dn.
       Requires #include <ldap.h>. */
    finished = 0;
    rc = ldap_search_ext( ld, "testactivedirectory.com", sub_tree,
                          "(sAMAccountName=user1)", NULL, 0, NULL, NULL, NULL,
                          1 /* sizelimit */, &msgid );
    if ( rc != LDAP_SUCCESS ) {
        fprintf( stderr, "ldap_search_ext: %s\n", ldap_err2string( rc ) );
        ldap_unbind_ext_s( ld, NULL, NULL );
        return( 1 );
    }
    while ( !finished ) {
        /* Poll for one message at a time without blocking. */
        res = NULL;
        rc = ldap_result( ld, msgid, LDAP_MSG_ONE, &zerotime, &res );
        printf( "check the search result :%d\n", rc );
        switch ( rc ) {
        case -1:
            /* -1 is not an LDAP result code; fetch the real error first. */
            ldap_get_option( ld, LDAP_OPT_RESULT_CODE, &err );
            fprintf( stderr, "ldap_result: %s\n", ldap_err2string( err ) );
            ldap_unbind_ext_s( ld, NULL, NULL );
            return( 1 );
        case 0:
            /* Nothing arrived within the (zero) timeout; poll again. */
            break;
        case LDAP_RES_SEARCH_ENTRY:
            /* Get and print the DN of the entry. */
            if (( dn = ldap_get_dn( ld, res )) != NULL ) {
                printf( "dn-> %s\n", dn );
                ldap_memfree( dn );
            }
            break;
        case LDAP_RES_SEARCH_RESULT:
            /* Final message of the operation: the search is complete. */
            finished = 1;
            break;
        default:
            /* e.g. LDAP_RES_SEARCH_REFERENCE; not handled here. */
            break;
        }
        if ( res != NULL ) {
            ldap_msgfree( res );    /* free every message we received */
            res = NULL;
        }
    }
While running this program, I get the intended result (the distinguished
name I want), but ldap_result does not exit with the LDAP_RES_SEARCH_RESULT
message. It takes a lot of time to respond with LDAP_RES_SEARCH_RESULT, even
though there are no more entries to provide.
check the search result :100
dn-> CN=user1,CN=Users,DC=testactivedirectory,DC=com
(it waits in a loop... it exits after a very long time)
check the search result :101
I wanted to avoid this waiting time; even though I have set the number of
entries to be returned to 1, it doesn't seem to be reflected.
I have found another way of fixing this, doing two binds and two unbinds,
but that does not seem an optimized manner.
Let me know how to fix this problem.
Thanks,
LDAP Learner
10 years, 4 months
openldap and kerberos integration
by Thierry Lacoste
Hello,
I'm experimenting with integrating Kerberos and OpenLDAP
following roughly http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
I'm using CentOS and Buchan Milne's repository (http://staff.telkomsa.net/packages/rhel5/)
both for OpenLDAP and Heimdal.
I've almost succeeded except for password integration.
It seems that the smbk5pwd module provided by openldap2.4-servers-2.4.22-1.el5
in /usr/lib/openldap2.4/smbpwd.so is built without kerberos support.
With "smbk5pwd-enable krb5" I have the following error:
/etc/openldap2.4/slapd.conf: line 154: smbk5pwd: <smbk5pwd-enable>
module "smbk5pwd-enable" only allowed when compiled with -DDO_KRB5.
What is the easiest option to get a kerberos supporting smbk5pwd?
BTW I'd appreciate any recommendations about providing kerberos and
LDAP authentication (with the same password) in a production setting.
Should I use Heimdal or MIT kerberos?
If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or
let Kerberos use its native backend?
If OpenLDAP as a backend, is it better to use {K5KEY} as the
userPassword or let smbk5pwd synchronize everything?
Best regards,
Thierry
10 years, 4 months
Re: Re: how to analyse openldap log
by owen nirvana
> > I could not find APIs for analysing the log.
> >
> > Thanks for help!
> What kind of log are you referring to?
> syslog, log database or monitor database?
log database, the files like log.000000x in /var/ldap/
gtalk:freeespeech@gmail.com
10 years, 4 months
how to implement default groups?
by Judd Maltin
Hi folks,
how to implement default groups?
I'd like to set up a "default" group entry that automatically includes the
bindDN as a member. Better yet, I'd like to indicate a regex for members of
the group. There's all sorts of nice things that can be done with ACLs, but
they're irrelevant. And there's nothing in dynlist or other overlays that
will help me. Am I barking up the wrong tree?
Thanks,
-judd
--
Judd Maltin
T: 917-882-1270
T: 888-639-4614
F: 501-694-7809
Gratitude is the end of despair and the beginning of joy.
10 years, 4 months
New Attributes, ACL, and Indices
by Andy Carlson
I have recently added a few new attributes to an existing object class (this was a custom object class, not an out-of-the-box one). I also created a few olcAccess (ACL) entries to enable access to these new attributes and olcDbIndex entries to index the values of the attributes. I added all of these using the cn=config directory structure containers. It is my understanding that unless I modify the schema/LDIF files on the server, these changes will be lost upon server/service restart.
I have the idea that these are the correct folders, but since I've never done this before I'm seeking confirmation/direction.
The ACLs and Indices appear to be located in the /opt/<Server-Instance>/common/setup folder. In this folder there is an olcAccess.bdb.ldif file (which appears to hold the ACLs). There's also an LDIF file for the frontend and monitor container located within cn=config.
The attributes appear to be located in the /opt/<Server-Instance>1/etc/openldap/schema.mbi folder (mbi is an identifier for our organization). In this folder there is a file named mbiUser.schema (mbiUser is the custom object class). I suspect that this is where the attributes would be stored.
Again, this is a non-exhaustive listing of a few things that caught my eye.
Let me know if you have any thoughts or suggestions. Thanks much,
Andy Carlson
Identity Administrator | Information Systems
Moody Bible Institute
820 N. LaSalle Blvd., Chicago, IL 60610
312-329-4385
www.moodyministries.net
From the Word. To Life.
10 years, 4 months
PAM Filtering Not working with CRYPT Passwds
by Anton Chu
I have installed the ldapns.schema in my ubuntu 10.04 ldap server to enable
host based authentication/filtering. I have some ubuntu 10.10 ldap clients
that require filtering. All my ldap users have passwords in crypt format
that I have converted to an ldif file using the PADL migration.pl scripts.
After importing them into my ldap server, the pam filtering wasn't working;
however, when I changed the passwords from crypt to clear or md5 or sha1,
filtering worked fine. The question is: how can I get filtering to work with
{CRYPT} password hashing?
cat /etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=web,dc=net
uri ldap://10.112.18.2
ldap_version 3
rootbinddn cn=admin,dc=web,dc=net
bind_policy soft
pam_filter |(host=webdev120)(host=\*)
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data

cat common-auth | grep -v ^# | grep -v ^$
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

cat common-account | grep -v ^# | grep -v ^$
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

cat common-password | grep -v ^# | grep -v ^$
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
10 years, 4 months
How Indexes work?
by Steeg Carson
Hello,
I am trying to understand how LDAP indexes work.
If I configure an index for an attribute like:
index myAttribute eq
the index file myAttribute.bdb is built in the data directory.
When I then search with
ldapsearch -x -h localhost -D".." -b"<baseDN>" "(myAttribute=<searched key>)"
how will the LDAP server process this request?
Is there good documentation anywhere?
My assumption is:
* First, the index is looked up. The result is only the matching IDs.
* The LDAP server can now quickly give back all entries from id2entry.bdb.
If I use indexes, are all other entries examined too after giving back the
result from the indexes?
I have a database, and my search is like the one shown above. The search takes long.
The cache is configured and its size is enough
(approx. dn2id.bdb + id2entry.bdb).
But what I see is that the write IO from LDAP is enormous (seen with
iotop). During the whole search, the write IO is higher than the read IO.
Why?
Thanks for help.
Steeg
10 years, 4 months
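As an added example (written for this page, not taken from Steeg's or Chan's messages and not OpenLDAP code), here is a small Python model of the candidate-ID approach that back-bdb takes: an "eq" index maps a normalized value to entry IDs, a search intersects the candidate sets of the filter's terms, fetches only those IDs from id2entry and re-tests the filter on each fetched entry, while an unindexed term contributes every ID (a full scan). The sample entries are constructed; entry 3 carries two uid values to show how the "secondary uid" setup from the first message depends on both values being present as keys in the uid index.

```python
# Illustrative model (not slapd/back-bdb source) of how an equality index
# narrows a search. All sample data below is constructed for the example.

from dataclasses import dataclass, field


@dataclass
class Directory:
    """Toy stand-in for id2entry.bdb plus per-attribute 'eq' index files."""
    id2entry: dict = field(default_factory=dict)   # entry ID -> {attr: [values]}
    indexes: dict = field(default_factory=dict)    # attr -> {normalized value -> {IDs}}
    reads: int = 0                                 # id2entry fetches in the last search

    def add_index(self, attr):
        """Equivalent of 'index <attr> eq': build the value -> IDs map."""
        idx = {}
        for eid, entry in self.id2entry.items():
            for value in entry.get(attr, []):
                idx.setdefault(value.lower(), set()).add(eid)
        self.indexes[attr] = idx

    def add_entry(self, eid, entry):
        """Store the entry and add one index key per value of each indexed attribute."""
        self.id2entry[eid] = dict(entry)
        for attr, idx in self.indexes.items():
            for value in entry.get(attr, []):
                idx.setdefault(value.lower(), set()).add(eid)

    def candidates(self, attr, value):
        """IDs that might satisfy (attr=value). No index -> every ID, i.e. a full scan."""
        idx = self.indexes.get(attr)
        if idx is None:
            return set(self.id2entry)
        return set(idx.get(value.lower(), ()))

    def search_and(self, terms):
        """Evaluate an AND of equality terms: intersect the candidate sets, then
        re-check the filter against each candidate entry. Entries outside the
        candidate set are never read, so one indexed term keeps the scan small."""
        cands = set(self.id2entry)
        for attr, value in terms:
            cands &= self.candidates(attr, value)
        self.reads = 0
        matched = []
        for eid in sorted(cands):
            self.reads += 1                     # one id2entry fetch per candidate
            entry = self.id2entry[eid]
            if all(any(v.lower() == value.lower() for v in entry.get(attr, []))
                   for attr, value in terms):
                matched.append(eid)
        return matched


def build_sample():
    """Constructed directory: 'uid' indexed for equality, 'l' not indexed.
    Entry 3 has two uid values, like the 'secondary uid' setup."""
    d = Directory()
    d.add_index("uid")
    d.add_entry(1, {"uid": ["alice"], "l": ["Paris"]})
    d.add_entry(2, {"uid": ["bob"], "l": ["Berlin"]})
    d.add_entry(3, {"uid": ["carol", "carol.smith"], "l": ["Paris"]})
    d.add_entry(4, {"uid": ["dave"], "l": ["Paris"]})
    return d


def demo():
    """Return (matched IDs, entries read from id2entry) for each query."""
    d = build_sample()
    out = {}
    out["indexed"] = (d.search_and([("uid", "carol")]), d.reads)
    out["secondary_uid"] = (d.search_and([("uid", "carol.smith")]), d.reads)
    out["unindexed"] = (d.search_and([("l", "Paris")]), d.reads)
    out["and_mixed"] = (d.search_and([("uid", "carol"), ("l", "Paris")]), d.reads)
    return out


if __name__ == "__main__":
    for name, (ids, reads) in demo().items():
        print(f"{name:14s} matched={ids} entries_read={reads}")
```

The "unindexed" query has to read all four entries because every ID is a candidate, whereas the mixed AND reads only the single candidate supplied by the uid index; the secondary uid resolves to entry 3 only because add_entry wrote a key for each uid value.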
Debugging syncrepl
by Angel L. Mateo
Hello,
I've configured 2 ldap servers (2.4.21, from ubuntu 10.04 package) in a
master-master configuration. The configuration I have is:
{0}rid=004 provider=ldap://ldap1.mydomain.com binddn="<replicauser>"
bindmethod=simple credentials=<replicapass> searchbase="<dc=mydomain>"
type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1
{1}rid=005 provider=ldap://ldap2.mydomain.com binddn="<replicauser>"
bindmethod=simple credentials=<replicapass> searchbase="<dc=mydomain>"
type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1
I have an olcAccess like:
{3}to dn.subtree=<dc=mydomain>
by group.exact=<admingroup> manage
...
by * none break
The replica user belongs to group <admingroup>, so it has complete access
to the directory.
I also have a limit like:
{1}group=<admingroup> time.soft=unlimited time.hard=unlimited
size.soft=unlimited size.hard=unlimited
so it has no limits.
The problem is that I'm loading the directory with a lot of entries
(about 109000). After all the load process (I've done it in ldap2, with
ldapadd commands) I have all the entries in ldap2, but I have a few less
in ldap1 (about 107000).
How could I debug the problem?
I later tried to remove from ldap2 an entry that isn't in ldap1, and
then add it again, and the replication is done, so I don't know why it
wasn't replicated the first time.
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información _o)
y las Comunicaciones Aplicadas (ATICA) / \\
http://www.um.es/atica _(___V
Tfo: 868887590
Fax: 868888337
10 years, 4 months
Syncrepl attrs selection
by Raphael Ordinas
Hi everyone,
I'm facing a minor problem with syncrepl.
I'd like to tell syncrepl to sync all attributes but the ones specified.
Is this possible?
Thanks
Raphael
10 years, 4 months