December 2010 - openldap-technical

by Quanah Gibson-Mount

--On Monday, December 13, 2010 7:51 PM -0200 Friedrich Locke <friedrich.locke(a)gmail.com> wrote: > Excuse me Mr. Quanah, > > but where do you download BDB 4.4.x from ? If you want help, keep your replies to the list. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

10 years, 3 months

1
0
0 / 0

Mac OS X OpenLDAP allows anonymous access to all fields

by RAT

I am experimenting with authenticating users off of OpenLDAP. The default deployment from Apple seems to be (at least in my case) completely wide open. I have been trying to find a ACI to block access to the password value. Does anyone have any good resources on this or, better yet, an ACI I can apply? Robert Threet http://yesistilluseperl.blogspot.com/ ____________________________________________________________ Obama Urges Homeowners to Refinance If you owe under $729k you probably qualify for Obama's Refi Program http://thirdpartyoffers.netzero.net/TGL3231/4d0648688b054664b76st03duc

10 years, 3 months

2
1
0 / 0

Re: Mac OS X OpenLDAP allows anonymous access to all fields

by RAT

I have SSHA1 working, but still not comfortable with this being visible via LDAP query. http://www.openldap.org/doc/admin24/security.html What are others doing to harden the default install? Robert Threet http://yesistilluseperl.blogspot.com/ ---------- Original Message ---------- From: "RAT" <robert3t(a)netzero.net> To: openldap-technical(a)openldap.org Subject: Mac OS X OpenLDAP allows anonymous access to all fields Date: Mon, 13 Dec 2010 16:22:44 GMT I am experimenting with authenticating users off of OpenLDAP. The default deployment from Apple seems to be (at least in my case) completely wide open. I have been trying to find a ACI to block access to the password value. Does anyone have any good resources on this or, better yet, an ACI I can apply? Robert Threet http://yesistilluseperl.blogspot.com/ ____________________________________________________________ How to Fall Asleep? Cambridge Researchers have developed an all natural sleep aid just for you. http://thirdpartyoffers.netzero.net/TGL3231/4d065f00159b66954dest06duc

10 years, 3 months

1
0
0 / 0

push replication with proxy and rwm overlay

by Gwenn Gueguen

Hi all, I'm trying to set up push replication from master to slave through a proxy with rwm overlay. Master, proxy and slave are OpenLDAP 2.4.11 from debian lenny. On the slave, I don't want samba related attributes so I used the attrs param on syncrepl to only get attributes I want but entries still have sambaSamAccount or sambaGroupMapping as objectClass. I tried using the rwm overlay to remove these references to samba in objectclass but it did not work and I still get the following error when proxy tries to add the entries on the slave: error code 0x15: objectClass: value #3 invalid per syntax Here is the proxy configuration: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/authldap.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel -1 modulepath /usr/lib/ldap moduleload back_ldap moduleload syncprov moduleload rwm database ldap suffix "..." rootdn "cn=admin,..." uri ldap://ldap-dmz # Save the time that the entry gets modified, for database #1 lastmod on #We don't need any access to this DSA restrict all overlay rwm rwm-map objectclass inetOrgPerson * rwm-map objectclass posixAccount * rwm-map objectclass shadowAccount * rwm-map objectclass organizationalPerson * rwm-map objectclass person * rwm-map objectclass posixGroup * # rwm-map objectclass sambaSamAccount # rwm-map objectclass sambaGroupMapping rwm-map objectclass * acl-bind bindmethod=simple idassert-bind bindmethod=simple binddn="cn=admin,..." credentials="secret" syncrepl rid=001 provider=ldap://ldap attrs="@inetOrgPerson,@posixAccount,@shadowAccount,@organizationalPerson,@person" bindmethod=simple searchbase="ou=people,..." type=refreshAndPersist retry="60 +" interval=00:00:01:00 schemachecking=off syncrepl rid=002 provider=ldap://ldap attrs="@posixGroup" bindmethod=simple searchbase="ou=groups,..." type=refreshAndPersist retry="60 +" interval=00:00:01:00 schemachecking=off overlay syncprov I tried upgrading OpenLdap on the proxy to 2.4.17 from backports and also upgraded to squeeze with OpenLdap 2.4.23 but I still get the error. Am I doing something wrong or is rwm buggy ? Thanks, -- Gwenn

10 years, 3 months

1
1
0 / 0

Ordering of shadowExpire values

by Antonio Batovanja

From nis.schema: attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) If I add ORDERING integerOrderingMatch to shadowExpire, I can use a range filter like (&(objectclass=shadowaccount)(shadowexpire>=1000)) What else can I do to be able to use a range filter? I don't like changing standard schemas... Cheers, Toni

10 years, 3 months

1
0
0 / 0

debugging memberOf overlay

by c0re

Hello all! Trying to get memberOf overlay working. Added to slapd.conf "overlay memberof" Restarted slapd. Checked that overlay loaded # slaptest -d 1 ............. config_build_entry: "olcOverlay={1}memberof" ............. Then added 1 user and 2 groups via ldif: dn: cn=test,ou=users,dc=domain,dc=local sn: test cn: test uid: test objectClass: inetOrgPerson objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: radiusprofile uidNumber: 5555 gidNumber: 5555 homeDirectory: /home/test givenName: test loginShell: /bin/sh shadowMin: 0 shadowMax: 999 shadowWarning: 7 shadowInactive: -1 shadowExpire: 0 shadowFlag: 0 dialupAccess: yes dn: cn=testgroup,ou=servers,dc=domain,dc=local objectclass: groupOfNames cn: testgroup member: cn=test,ou=users,dc=domain,dc=local dn: cn=maingroup,ou=servers,dc=domain,dc=local objectclass: groupOfNames cn: maingroup member: cn=testgroup,ou=servers,dc=domain,dc=local And made # ldapsearch -x -D "cn=admin,dc=domain,dc=local" -b "dc=domain,dc=local" -W "(cn=test)" memberOf # extended LDIF # # LDAPv3 # base <dc=domain,dc=local> with scope subtree # filter: (cn=test) # requesting: memberOf # # test, users, domain.local dn: cn=test,ou=users,dc=domain,dc=local # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 As you see - no memberOf in users attrs. I got no ideas why... By that I wanted to test output of ldapsearch to check will there be two or one memberOf attrs. Thanks!

10 years, 3 months

1
2
0 / 0

Oddities with searching for a specific value of an attribute

by Sebastian Urbanneck

Sorry for this weird topic, but I didn't know how to name this one. These are the facts: we're using the phamm.schema from the PHAMM Project for saving virtual domain entries in our Ldap database. Searching for them is mostly no pronblem, but one specific circumstance is bothering me to death: when I try to search for a specific value of the attribute "vd", the corresponding entry is not always found. Any other attribute does the trick, but vd does'nt. For example: the search for (using the root_dn) ldapsearch -x -W -D "cn=admin,dc=uebergebuehr,dc=de" -b "ou=domains,dc=uebergebuehr,dc=de" "(vd=*) -s"one" produces following output: ---------output------------- # extended LDIF # # LDAPv3 # base <vd=lak-hessen.de,ou=domains,dc=uebergebuehr,dc=de> with scope baseObject # filter: (vd=*) # requesting: ALL # # lak-hessen.de, domains, uebergebuehr.de dn: vd=lak-hessen.de,ou=domains,dc=uebergebuehr,dc=de vd: lak-hessen.de lastChange: 1291723263 maxMail: 100 maxAlias: 100 maxQuota: 100 accountActive: TRUE editAV: TRUE delete: FALSE postfixTransport: dovecot objectClass: top objectClass: VirtualDomain description: lak-hessen.de # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ------------------------------------- This is true for everytime I put a Wildcard (*) into the search pattern, and with scope "sub" there's also no matter in which part of the tree above this entry I am. But when I'm searching specificly for the value (lak-hessen.de) nothin is found, no matter in which entry I am and which scope use. Strangely this pattern _is_ found when you go into the entry of the domain itself (vd=lak-hessen.de,ou=domains,...) and search with scobe 'base'. Any idea what I'm doing wrong? Or is this a bug? I think ACLs are ruled out because of using the root_dn. I didn't want to file a Bug before being reallly sure that this is one regards Sebastian

10 years, 3 months

2
2
0 / 0

slapcat, PROXIED attributeDescription inserted, and cron jobs

by btb＠bitrate.net

hi- i'm running slapcat from a daily cron job to back up cn=config and other databases. i've recently updated from 2.4.21 to 2.4.23, and notice now in the output of slapcat, messages such as >slapcat -b 'cn=config' -l 'config.ldif' > /dev/null PROXIED attributeDescription "OU" inserted. PROXIED attributeDescription "DC" inserted. a bit of searching seems to indicate that these shouldn't be cause for concern, and are just informative messages. since these messages are written to stderr, cron sends email every time it runs slapcat. if they're not errors, do they maybe belong in stdout rather than stderr? alternatively, can these messages be suppressed? according to the man page, there doesn't appear a way to do so. thanks -ben

10 years, 4 months

4
4
0 / 0

x500UniqueIdentifier

by Juan Gonzalez

Hi, I'm trying to insert userCertificate values containing x500UniqueIdentifiers. When the value appears at the SubjectNames, it inserts correctly. By this I assume there is a validation for the field formatting. When I have a x500UniqueIdentifier at the IssuerNames it fails to insert. Is there a specific place where valid attributes and syntaxes for IssuerNames should be declared? Thanks Jgcardoso.

10 years, 4 months

3
3
0 / 0

slapd 2.4.23 SASL/GSSAPI problem

by Matej Zagiba

Hello everybody, I'm running debian squeeze (testing) with openldap 2.4.23 and MIT kerberos 1.8.3 KDC. I had functinal SASL/GSSAPI authentication configured, but recently it stopped working. I cannot be realy sure, but I suspect upgrade from openldap 2.4.22 is the cause. In logs I see lots of this: SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm) I added sasl-realm option but it did not helped. All other kerberos applications works without problem. Is there any (new) SASL option I missed? Or it's a bug in 2.4.23? Thanks for any help. Matej Zagiba

10 years, 4 months

2
5
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2010