memberOf configured via directory based model
by Todd Reed
I've been stumped for two weeks now trying to implement the memberOf
overlay via the directory-based model. I even tried it via a slapd.conf file
and still had trouble. Here are my installation steps on Ubuntu. Is
anyone able to spot where I'm going wrong with my configurations?
################
# Setup OpenLDAP
################
sudo apt-get -y install slapd ldap-utils
cd /etc/ldap
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo vi db.ldif
# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module {0}
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
olcModuleload: {1}memberof.la

# Create the database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcRootDN: cn=admin,dc=mydomain,dc=com
olcRootPW: password
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
sudo slappasswd -h {MD5}
sudo vi base.ldif
dn: dc=mydomain,dc=com
objectClass: dcObject
objectclass: organization
o: mydomain.com
dc: mydomain
description: My LDAP Root

dn: cn=admin,dc=mydomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {MD5}gdyb21LQTcIANtvYMT7QVQ==
description: LDAP administrator
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
sudo vi config.ldif
dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootDN

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}gdyb21LQTcIANtvYMT7QVQ==

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif
sudo vi acl.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=mydomain,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
sudo ldapmodify -x -D cn=admin,cn=config -W -f acl.ldif
13 years, 7 months
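A small lint, added here as an example (it is neither part of the post nor an OpenLDAP tool), for two things slapd reports only tersely in a cn=config LDIF: an RDN value that does not match the entry's naming attribute (approximating caseIgnore matching by folding case and whitespace), and an overlay module that is loaded but never instantiated by an olcOverlay entry under a database. The sample LDIF is constructed from the db.ldif above; the overlay-module list is a hand-picked set of common overlays, not something read from slapd.

```python
import re

OVERLAY_MODULES = {"memberof", "refint", "ppolicy", "syncprov", "unique"}  # need an olcOverlay entry to do anything

def norm(s):
    return " ".join(s.lower().split())  # approximate caseIgnoreMatch: fold case, collapse whitespace

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])], folding continuation lines and dropping comments."""
    entries, dn, attrs = [], None, []
    for raw in [ln for ln in text.splitlines() if not ln.startswith("#")] + [""]:
        if raw.startswith(" ") and attrs:  # continuation of the previous attribute line
            attrs[-1] = (attrs[-1][0], attrs[-1][1] + raw[1:])
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        if not attr or attr.lower() == "dn":  # a blank line or a new dn closes the entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = (value if attr else None), []
        else:
            attrs.append((attr, value))
    return entries

def lint(text):
    """Flag RDN values absent from their entry and overlay modules that are never instantiated."""
    entries, findings = parse_ldif(text), []
    overlays = {norm(re.sub(r"^\{\d+\}", "", v)) for _, attrs in entries
                for a, v in attrs if norm(a) == "olcoverlay"}
    for dn, attrs in entries:
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        present = [v for a, v in attrs if norm(a) == norm(rdn_attr)]
        if not any(norm(v) == norm(rdn_val) for v in present):
            findings.append(f"naming violation in {dn}: {rdn_attr}={rdn_val} not among {present}")
        for a, v in attrs:
            mod = re.sub(r"^\{\d+\}|\.la$", "", v)
            if norm(a) == "olcmoduleload" and mod in OVERLAY_MODULES and mod not in overlays:
                findings.append(f"{mod} loaded in {dn} but no olcOverlay={mod} entry")
    return findings

SAMPLE = """\
# constructed from the db.ldif in the post above (abridged)
dn: cn=module{0},cn=config
cn: module {0}
olcModuleload: {0}back_hdb
olcModuleload: {1}memberof.la

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
"""
```

Running `lint(SAMPLE)` yields two findings for the constructed input: the `cn` value with a stray space, and memberof loaded without an `olcOverlay=memberof` entry.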
sizelimit doesn't seem to be reflected into "ldap" backends?
by Jason Haar
Hi there
I'm wanting to use slapd as a "LAF" - LDAP Application Firewall - to
filter and log calls to our backend Active Directory LDAP network.
I've got slapd doing the job just fine - except that it can't return
large LDAP data dumps... If I use "ldapsearch -E pr=900/noprompt"
directly against an AD LDAP server, I can get it to dump everything.
However, if I do the same command against a slapd proxy, I get the "size
exceeded" error message. It appears slapd doesn't understand this
extension, and isn't passing it on to the backend?
Any ideas how I could get around this, besides saying we need to touch
our AD to get rid of the size limit (I've already thought of that :-)
Thanks
Jason
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
13 years, 7 months
Re: ppolicy : managing passwords by another user than root
by smainklh@free.fr
Hi Buchan,
I'm not trying to manage password policies through PHP. I just had a problem giving a user the rights to change passwords.
I figured it out now by modifying the ACLs.
Here is a sample of my slapd.conf:
>>>>>>>>CUT<<<<<<<<<<<<<
# Default password policy
overlay ppolicy
ppolicy_default cn=default,ou=policies,o=others,dc=domain,dc=tld
ppolicy_hash_cleartext
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# The base of your directory in database #1
suffix "dc=domain,dc=tld"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=domain,dc=tld"
rootdn "cn=admin,dc=domain,dc=tld"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>CUT<<<<<<<<<<<<
# org1 administrators have all the rights on the subtree ou=Users,o=org1,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
    by dn="cn=admin.org1,o=others,dc=domain,dc=tld" write
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous auth
    by self write
    by * none
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld"
    by dn="cn=admin.org1,o=others,dc=domain,dc=tld" manage
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous read
    by * none
# org2 administrators have all the rights on the subtree ou=Users,o=org2,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
    by dn="cn=admin.org2,o=others,dc=domain,dc=tld" write
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous auth
    by self write
    by * none
access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld"
    by dn="cn=admin.org2,o=others,dc=domain,dc=tld" manage
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous read
    by * none
####
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=auth,o=others,dc=domain,dc=tld" read
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous auth
    by self write
    by * none
And my password policy:
ldapsearch -Wx -H ldaps://ldap.domain.tld -D cn=admin,dc=domain,dc=tld -b o=others,dc=domain,dc=tld cn=default
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=others,dc=domain,dc=tld> with scope subtree
# filter: cn=default
# requesting: ALL
#
# default, policies, others, domain.tld
dn: cn=default,ou=policies,o=others,dc=domain,dc=tld
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 10800
pwdMaxFailure: 5
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAllowUserChange: TRUE
pwdMinLength: 8
pwdMaxAge: 15552000
pwdExpireWarning: 15120000
pwdCheckQuality: 2
pwdInHistory: 4
Now it works. Sorry, I should have provided you with more information. I'll do it next time.
Regards,
Grifith
----- Original Mail -----
From: "Buchan Milne" <bgmilne(a)staff.telkomsa.net>
To: openldap-technical(a)openldap.org
Cc: "Smaïne Kahlouch" <smainklh(a)free.fr>
Sent: Friday, 5 February 2010 11:02:22 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: ppolicy : managing passwords by another user than root
On Monday, 1 February 2010 21:37:11 Smaïne Kahlouch wrote:
> Could somebody help me please ?
With what?
> I'm asking a last time then i would have to use my root account within
> my php code :/ (no secure at all)
Assuming your message is relevant to the subject of this thread, PHP is a dead
end, as it has no password policy control. I have some Perl scripts to manage
password-policy changes.
Regards,
Buchan
13 years, 7 months
ppolicy : managing passwords by another user than root
by Smaïne Kahlouch
Hi everyone,
I'm trying to allow a user to change the passwords of users in a
specific subtree.
For example:
The user uid=admin-sales,o=Sales,dc=domain,dc=tld is allowed to change
the passwords of users in the following directory :
ou=Users,o=Sales,dc=domain,dc=tld.
I figured it out by playing with the ACLs, but when enabling password
policy the user uid=admin-sales can't change passwords anymore. The only
user allowed is the admin (root user).
Is there a way to do so or is it impossible for another user than root
to manage passwords with ppolicy enabled?
Regards,
Grifith
13 years, 8 months
LDAP/Kerberos client config
by Jaap Winius
Hi all,
Now that I'm satisfied with my OpenLDAP/Kerberos server configuration,
I'm attempting to devise a suitable (Debian lenny) client setup for it.
Although I hear that it may not be the best approach, I'm currently
pursuing a client configuration that includes kstart, libnss-ldap,
nscd and libpam-ldap. At the moment I'm happy with all of it except
libnss-ldap.
Kstart has no problem obtaining an initial Kerberos ticket, but I
can't get libnss-ldap to use it to access the DIT. So far my
libnss-ldap.conf looks like:
base dc=example,dc=com
uri ldap://ldapks1.example.com/
ldap_version 3
rootuse_sasl yes
krb5_ccname FILE:/tmp/krb5cc_0
Any idea what I might be missing?
Thanks,
Jaap
13 years, 8 months
>Proxy Just Binds/Authentications from another LDAP?
by Don Hoover
Well, I have been working on this question and have had an idea.
Would a way to accomplish this be by using SASL? It took me about 10 minutes to figure out how to configure saslauthd to verify binds to the other LDAP server.
OpenLDAP can use SASL, right? So I just need to get slapd to use SASL to verify the binds to the other external LDAP server.
So I would have:
ldapclient bind request-> openldap slapd -> SASL-> external ldap server bind
Is this a good idea?
I don't see how to make slapd use the SASL server for this though; the only examples I can find are for using Kerberos.
Any ideas on how to get slapd to just use SASL like I have it set up?
13 years, 8 months
Check for attribute modifications
by David LEROUX
Hi all,
I'd like to know if there is an easy way to monitor attribute
modifications.
In fact I import my user accounts, automount maps and almost everything
from NIS maps every hour with the PADL scripts (a bit modified by me).
So each time the scripts import entries, they don't care whether the entry already
exists or not; they try to create it, which results in a lot of errors
(existing entries...).
Furthermore, for now, if I want to modify an entry I have to do it myself...
What I'd like to do is supervise created or updated entries, so that I
can focus only on those...
I thought about something like replog but I'm not sure that's the right
way to do it...
Any help is welcome,
13 years, 8 months
OpenLDAP Log files
by sgmayo@mail.bloomfield.k12.mo.us
One of my teachers decided to move things around and plugged a network
cable in the wrong place causing a network loop and it seems to have ended
up corrupting my ldap database.
Where are the log files from slapd, and/or how do I read them?
I did a 'slapd -d -1' and the pages just keep flying by and never stop
without a ctrl-c. I have run a slapd_db_recover on this Fedora 10 box,
but that did not seem to fix the problem I guess.
I did slapcat the directory to an ldif file yesterday, but I am wondering
if it did not already contain some bad data. I may see if I can slapadd
it back in if ldap does not have to be running. If it does then I will
have to do something else.
Thanks for any info. Took me 7 hours to track down the intermittent
problems yesterday since it seemed to be server problems and now I am
starting out again on the same track it seems.
--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565
Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
13 years, 8 months
Problem with chain overlay
by Klaus Nagel
Hello, I have a little problem with the chain overlay and hope someone
can help me. I have a master and a slave server (both Debian lenny with
OpenLDAP 2.4.11) and a normal syncrepl replication between both, but I
can't get the chain working.
my slave slapd.conf entries:
moduleload back_ldap
overlay chain
chain-uri "ldap://10.8.0.1:389/"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple
    binddn="cn=admin,dc=test,dc=de"
    credentials=testpw
    mode=self
chain-tls start
chain-return-error TRUE
If I try to delete an entry with ldapdelete on the slave server:
ldapdelete -xD "cn=admin,dc=test,dc=de" -w testpw cn=abc,ou=Verteiler,dc=test,dc=de
Log from slave server:
conn=1 fd=13 ACCEPT from IP=127.0.0.1:48451 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" method=128
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=1 op=1 RESULT tag=107 err=8 text=
conn=1 op=2 UNBIND
conn=1 fd=13 closed
Log from master server:
conn=83 fd=15 ACCEPT from IP=10.8.0.2:44720 (IP=0.0.0.0:389)
conn=83 op=0 BIND dn="" method=128
conn=83 op=0 RESULT tag=97 err=0 text=
conn=83 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=83 op=1 RESULT tag=107 err=8 text=modifications require authentication
conn=83 op=2 UNBIND
conn=83 fd=15 closed
...it seems to me that the bind DN is not being transmitted, and I don't
see any StartTLS entries.
...any hints for me?
best regards: Klaus
13 years, 8 months
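To read the two log excerpts above mechanically, an added example that is not from the post: it pairs each operation with its RESULT line per connection, remembers the identity of the last successful BIND, and lists every write operation together with the identity it ran under. The sample logs are constructed from the slave and master excerpts; on the master, the chained DEL shows up with an empty bound DN and err=8 (strongerAuthRequired).

```python
import re

OP = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)')
DN = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR = re.compile(r'err=(?P<err>\d+)')
WRITE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}  # operations that need an authenticated identity

def audit(log):
    """Return one (conn, op, kind, target_dn, bound_dn, err) per write operation; bound_dn is
    the DN of the last successful BIND on that connection and '' means the write ran anonymously."""
    bound, pending, writes = {}, {}, []
    for line in log.splitlines():
        m = OP.search(line)
        if not m:                       # ACCEPT / closed lines carry no op= and are skipped
            continue
        conn, op, kind, rest = m["conn"], int(m["op"]), m["kind"], m["rest"]
        if kind == "BIND" or kind in WRITE_OPS:
            pending[(conn, op)] = (kind, DN.search(rest)["dn"])  # resolved by its RESULT line
        elif kind == "RESULT" and (conn, op) in pending:
            what, dn = pending.pop((conn, op))
            err = int(ERR.search(rest)["err"])
            if what != "BIND":
                writes.append((conn, op, what, dn, bound.get(conn, ""), err))
            elif err == 0:
                bound[conn] = dn
        elif kind == "UNBIND":
            bound.pop(conn, None)
    return writes

def anonymous_writes(log):
    """Writes attempted with no successful non-anonymous BIND earlier on the same connection."""
    return [w for w in audit(log) if w[4] == ""]

# Constructed from the two log excerpts in the post above (stats loglevel 256 format)
SLAVE_LOG = """\
conn=1 fd=13 ACCEPT from IP=127.0.0.1:48451 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" method=128
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=1 op=1 RESULT tag=107 err=8 text=
conn=1 op=2 UNBIND
"""
MASTER_LOG = """\
conn=83 op=0 BIND dn="" method=128
conn=83 op=0 RESULT tag=97 err=0 text=
conn=83 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=83 op=1 RESULT tag=107 err=8 text=modifications require authentication
conn=83 op=2 UNBIND
"""
```

`anonymous_writes(MASTER_LOG)` returns the single DEL that reached the master under an anonymous bind, while the same call on the slave log returns nothing, which is the comparison the post draws by eye.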
Proxy Just Binds/Authentications from another LDAP?
by Don Hoover
I have been reading how to use slapd-ldap, and one thing that is not clear is whether it's possible just to proxy binds.
I have an LDAP directory that has all the Unix POSIX account info in it for our users, but we have another LDAP server that has all the application info and passwords for the users and is what should be doing all the actual authentication.
What I would like to do is let the *NIX systems get their Unix account data from our LDAP server (/etc/passwd data etc.), but proxy the bind requests generated from the user logins to the other LDAP server for authentication, from the LDAP server that the system is pointed at for the POSIX account data.
Is it possible just to force regular bind requests only to the other LDAP server and use that to authenticate our users?
Most of the examples I have seen are all about using the proxy features of slapd-ldap to provide the actual data from the other LDAP server seamlessly, and not really about using that backend proxied LDAP server to just authenticate the binds.
Any ideas?
---
Don Hoover
dxh(a)yahoo.com
13 years, 8 months