openldap-technical February 2010

openldap-technical@openldap.org

59 participants
64 discussions

memberOf configured via directory based model
by Todd Reed 05 Feb '10

05 Feb '10

I've been stumped for two weeks now trying to implement the memberOf Overlay via directory based model. I even tried it via a slapd.con file and still had trouble. Here is my installation steps on Ubuntu. Is anyone able to spot where I'm going wrong with my configurations? ################ # Setup OpenLDAP ################ sudo apt-get -y install slapd ldap-utils cd /etc/ldap sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif sudo vi db.ldif # Load dynamic backend modules dn: cn=module{0},cn=config objectClass: olcModuleList cn: module {0} olcModulepath: /usr/lib/ldap olcModuleload: {0}back_hdb olcModuleload: {1}memberof.la # Create the database dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=mydomain,dc=com olcRootDN: cn=admin,dc=mydomain,dc=com olcRootPW: password olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbIndex: uid pres,eq olcDbIndex: cn,sn,mail pres,eq,approx,sub olcDbIndex: objectClass eq sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif sudo slappasswd -h {MD5} sudo vi base.ldif dn: dc=mydomain,dc=com objectClass: dcObject objectclass: organization o: mydomain.com dc: mydomain description: My LDAP Root dn: cn=admin,dc=mydomain,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin userPassword: {MD5}gdyb21LQTcIANtvYMT7QVQ== description: LDAP administrator sudo ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif sudo vi config.ldif dn: cn=config changetype: modify delete: olcAuthzRegexp dn: olcDatabase={-1}frontend,cn=config changetype: modify delete: olcAccess dn: olcDatabase={0}config,cn=config changetype: modify delete: olcRootDN dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootDN olcRootDN: cn=admin,cn=config dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {MD5}gdyb21LQTcIANtvYMT7QVQ== dn: olcDatabase={0}config,cn=config changetype: modify delete: olcAccess sudo ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif sudo vi acl.ldif dn: olcDatabase={1}hdb,cn=config add: olcAccess olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=mydomain,dc=com" write by anonymous auth by self write by * none olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=mydomain,dc=com" write by * read sudo ldapmodify -x -D cn=admin,cn=config -W -f acl.ldif

2 1

sizelimit doesn't seem to be reflected into "ldap" backends?
by Jason Haar 05 Feb '10

05 Feb '10

Hi there I'm wanting to use slapd as a "LAF" - LDAP Application Firewall - to filter and log calls to our backend Active Directory LDAP network. I've just slapd doing the job just fine - except that it can't return large LDAP data dumps... If I use "ldapsearch -E pr=900/noprompt" directly against an AD LDAP server, I can get it to dump everything. However, if I do the same command against a slapd proxy, I get the "size exceeded" error message. It appears slapd doesn't understand this extension, and isn't passing it on to the backend? Any ideas how I could get around this, besides saying we need to touch our AD to get rid of the size limit (I've already thought of that :-) Thanks Jason -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

2 1

Re: ppolicy : managing passwords by another user than root
by smainklh＠free.fr 05 Feb '10

05 Feb '10

Hi Buchan, I'm not trying to manage password policies through php. I just had a problem to give the rights of changing passwords to a user. i figured it out now by modifying the acl's. Here is a sample of my slapd.conf: >>>>>>>>CUT<<<<<<<<<<<<< # Default password policy overlay ppolicy ppolicy_default cn=default,ou=policies,o=others,dc=domain,dc=tld ppolicy_hash_cleartext overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # The base of your directory in database #1 suffix "dc=domain,dc=tld" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. # rootdn "cn=admin,dc=domain,dc=tld" rootdn "cn=admin,dc=domain,dc=tld" rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>>>>>CUT<<<<<<<<<<<< # org1 administrators have all the rights on the subtree ou=Users,o=org1,dc=domain,dc=tld access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld" attrs=userPassword,shadowLastChange by dn="cn=admin.org1,o=others,dc=domain,dc=tld" write by dn="cn=admin,dc=domain,dc=tld" write by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read by anonymous auth by self write by * none access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld" by dn="cn=admin.org1,o=others,dc=domain,dc=tld" manage by dn="cn=admin,dc=domain,dc=tld" write by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read by anonymous read by * none # org2 administrators have all the rights on the subtree ou=Users,o=org2,dc=domain,dc=tld access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld" attrs=userPassword,shadowLastChange by dn="cn=admin.org2,o=others,dc=domain,dc=tld" write by dn="cn=admin,dc=domain,dc=tld" write by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read by anonymous auth by self write by * none access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld" by dn="cn=admin.org2,o=others,dc=domain,dc=tld" manage by dn="cn=admin,dc=domain,dc=tld" write by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read by anonymous read by * none #### access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=domain,dc=tld" write by dn="cn=auth,o=others,dc=domain,dc=tld" read by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read by anonymous auth by self write by * none And my password policy : ldapsearch -Wx -H ldaps://ldap.domain.tld -D cn=admin,dc=domain,dc=tld -b o=others,dc=domain,dc=tld cn=default Enter LDAP Password: # extended LDIF # # LDAPv3 # base <o=others,dc=domain,dc=tld> with scope subtree # filter: cn=default # requesting: ALL # # default, policies, others, domain.tld dn: cn=default,ou=policies,o=others,dc=domain,dc=tld pwdAttribute: userPassword pwdLockout: TRUE pwdLockoutDuration: 10800 pwdMaxFailure: 5 objectClass: pwdPolicy objectClass: organizationalRole cn: default pwdAllowUserChange: TRUE pwdMinLength: 8 pwdMaxAge: 15552000 pwdExpireWarning: 15120000 pwdCheckQuality: 2 pwdInHistory: 4 Now it works, sorry i should have provided you more information. I'll do it next time. Regards, Grifith ----- Mail Original ----- De: "Buchan Milne" <bgmilne(a)staff.telkomsa.net> À: openldap-technical(a)openldap.org Cc: "Smaïne Kahlouch" <smainklh(a)free.fr> Envoyé: Vendredi 5 Février 2010 11h02:22 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne Objet: Re: ppolicy : managing passwords by another user than root On Monday, 1 February 2010 21:37:11 Smaïne Kahlouch wrote: > Could somebody help me please ? With what? > I'm asking a last time then i would have to use my root account within > my php code :/ (no secure at all) Assuming your message is relevant to the subject of this thread, php is a dead end, as it has no password policy control. I have some perl scripts to manage password-policy changes. Regards, Buchan

1 0

ppolicy : managing passwords by another user than root
by Smaïne Kahlouch 05 Feb '10

05 Feb '10

Hi everyone, I'm trying to allow a user to change the passwords of users in a specific subtree. For exemple : The user uid=admin-sales,o=Sales,dc=domain,dc=tld is allowed to change the passwords of users in the following directory : ou=Users,o=Sales,dc=domain,dc=tld. I figured it out by playing with the acl's but when enabling password policy the user uid=admin-sales can't change passwords anymore. The only user alloweded is the admin (root user). Is there a way to do so or is it impossible for another user than root to manage passwords with ppolicy enabled? Regards, Grifith

5 6

LDAP/Kerberos client config
by Jaap Winius 05 Feb '10

05 Feb '10

Hi all, Now that I'm satisfied with my OpenLDAP/Kerberos server configuration, I'm attempting to devise a suitable (Debian lenny) client setup for it. Although I hear that it may not be the best approach, I'm currently pursuing a client configuration that includes kstart, libnss-ldap, nscd and libpam-ldap. At the moment I'm happy with all of it except libnss-ldap. Kstart has no problem obtaining an initial Kerberos ticket, but I can't get libnss-ldap to use it to access the DIT. So far my libnss-ldap.conf looks like: base dc=example,dc=com uri ldap://ldapks1.example.com/ ldap_version 3 rootuse_sasl yes krb5_ccname FILE:/tmp/krb5cc_0 Any idea what I might be missing? Thanks, Jaap

2 1

>Proxy Just Binds/Authentications from another LDAP?
by Don Hoover 04 Feb '10

04 Feb '10

Well, I have been working on this question and have had an idea. Would a way to accomplish this is by using SASL? It took me about 10 minutes to figure out how to configure saslauthd to verify binds to the other LDAP server. Openldap can use SASL right? So I just need to get slapd to use SASL to verify the binds to the other external ldap server. So I would have: ldapclient bind request-> openldap slapd -> SASL-> external ldap server bind Is this a good idea? I don't see how to make slapd use the sasl server for this though, the only examples I can find are to use kerberos. Any ideas on how to get slapd to just use sasl like I have it setup?

3 6

Check for attributs modifications
by David LEROUX 04 Feb '10

04 Feb '10

Hi all, I'd like to know if there is an easy way to monitor attributes modification ? In fact I import my users accounts, automount maps and almost everything from nismaps every hour with padl scripts (a bit modified by me). So each time scripts imports entries, it don't care if the entry already exist or not, it try to create it, which results in a lot of errors (existing entries...). Furthermore, for now, if I want to modify an entry I have to do it myself... What I'd like to do, is to supervise created or updated entry, so that I can focus only on those one... I thought about something like replog but I'm not sure that's the good way to do it... Any help is welcome,

3 2

OpenLDAP Log files
by sgmayo＠mail.bloomfield.k12.mo.us 03 Feb '10

03 Feb '10

One of my teachers decided to move things around and plugged a network cable in the wrong place causing a network loop and it seems to have ended up corrupting my ldap database. Where are the log files from slapd at and/or how do I read them? I did a 'slapd -d -1' and the pages just keep flying by and never stop without a ctrl-c. I have run a slapd_db_recover on this Fedora 10 box, but that did not seem to fix the problem I guess. I did slapcat the directory to an ldif file yesterday, but I am wondering if it did not already contain some bad data. I may see if I can slapadd it back in if ldap does not have to be running. If it does then I will have to do something else. Thanks for any info. Took me 7 hours to track down the intermittent problems yesterday since it seemed to be server problems and now I am starting out again on the same track it seems. -- Scott Mayo - System Administrator Bloomfield Schools PH: 573-568-5669 FA: 573-568-4565 Question: Because it reverses the logical flow of conversation. Answer: Why is putting a reply at the top of the message frowned upon?

4 3

Problem with chain overlay
by Klaus Nagel 02 Feb '10

02 Feb '10

Hello, I have a little problem with the chain overlay and hope, someone can help me. I have a master and a slave server (both debian lenny with openldap 2.4.11) and a normal syncrepl replication between both, but I can't get the chain working. my slave slapd.conf entries: moduleload back_ldap overlay chain chain-uri "ldap://10.8.0.1:389/" chain-rebind-as-user TRUE chain-idassert-bind bindmethod=simple binddn="cn=admin,dc=test,dc=de" credentials=testpw mode=self chain-tls start chain-return-error TRUE if i try to delete an entry with ldapdelete on the slave server: ldapdelete -xD "cn=admin,dc=test,dc=de" -w testpw cn=abc,ou=Verteiler,dc=test,dc=de Log from slave server: conn=1 fd=13 ACCEPT from IP=127.0.0.1:48451 (IP=0.0.0.0:389) conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" method=128 conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" mech=SIMPLE ssf=0 conn=1 op=0 RESULT tag=97 err=0 text= conn=1 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de" conn=1 op=1 RESULT tag=107 err=8 text= conn=1 op=2 UNBIND conn=1 fd=13 closed Log from master server: conn=83 fd=15 ACCEPT from IP=10.8.0.2:44720 (IP=0.0.0.0:389) conn=83 op=0 BIND dn="" method=128 conn=83 op=0 RESULT tag=97 err=0 text= conn=83 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de" conn=83 op=1 RESULT tag=107 err=8 text=modifications require authentication conn=83 op=2 UNBIND conn=83 fd=15 closed ...it seems to me, that the bind-dn will not be transmitted and I don't see any start-tls entries. ...any hints for me? best regards: Klaus

3 2

Proxy Just Binds/Authentications from another LDAP?
by Don Hoover 02 Feb '10

02 Feb '10

I have been reading how to use slapd-ldap, and one thing that is not clear is if its possible just to proxy bind's. I have a LDAP directory that has all the unix posix accounts info in it for our users, but we have another LDAP server that has all the applications info and passwords for the users and is what should be doing all the actual authentication. What I would like to do is let the NIX systems get their unix account data from our LDAP server(/etc/passwd data etc), but proxy the bind requests generated from the user logins to the other LDAP server for authentication from the LDAP server that the system is pointed at for the posix account data. Is it possible just to force regular bind requests only to the other LDAP server and use that to authenticate our users? Most of the examples I have seen are all about using the proxy features of slapd-ldap to provide the actual data from the other LDAP server seamlessly, and not really for using that backed proxied LDAP server to just authenticate the binds. Any ideas? --- Don Hoover dxh(a)yahoo.com

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2010