openldap-technical March 2010

openldap-technical@openldap.org

73 participants
87 discussions

Not getting password expiry warnings on login
by Chris Jacobs 31 Mar '10

31 Mar '10

Hello, I've gotten our password policy to function as it should - password expire requiring password changes, can't use old passwords, etc. I'm working on last little detail - getting the password expiration warning to display. For example, I see in the logs: "Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds" But I never get the notice on login clients - regardless of client type (even from machine to itself). I suspect ya'll are going to be interested in ldap.conf and pam config, so here they are, along with some possibly relevant bits: /etc/ldap.conf: uri ldaps://ldapmaster1.corp.aptimus.net timelimit 10 bind_timelimit 10 bind_policy soft base dc=unix,dc=aptimus,dc=net scope sub ssl on tls_checkpeer no tls_cacertfile /etc/openldap/cacert.pem pam_login_attribute uid pam_lookup_policy yes pam_password exop /etc/pam.d/system-auth-ac: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so # ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 # grep -i pam /etc/ssh/sshd_config # Set this to 'yes' to enable PAM keyboard-interactive authentication # PAMAuthenticationViaKbdInt no UsePAM yes Ppolicy directives in /etc/openldap/slapd.conf (under the sold database definition): overlay ppolicy ppolicy_hash_cleartext ppolicy_use_lockout AND just for giggles, I decided to see if I could get the version of pam_ldap.so that's installed, and ran strings on it. I notice two things: 1.3.6.1.4.1.42.2.27.8.5.1 (objectclass=passwordPolicy) The ppolicy.schema file compiled used IDs 1.3.6.1.4.1.42.2.27.8.1.x - not ..8.5.x - could I possibly have some weird mismatch here? (I suspect and hope that the last bit here is a totally unrelated red herring.) Thanks, - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs(a)apollogrp.edu This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 4

AD, freeradius, openldap combination
by Serge Fonville 31 Mar '10

31 Mar '10

Hi, I'm setting up a HA environment with centralized user administration. I'm currently considering the following setup For MS clients, authenticate directly to AD For *nix clients, authenticate to an OpenLDAP proxy which authenticate to AD For Routers/switches use FreeRadius to authenticate against the OpenLDAP proxy The goals for the setup are: 1. One login for all networked nodes 2. Centralized user authentication 3. Single resource for user information 4. Highly available authentication service 5. No serious performance impact 6. Alternative login when service is unavailable 7. Easily scalable 8. Easy rollout 1, 2, 3 and 7 are achieved using AD 4 can be achieved by a combination of a loadbalancer for each service and multiple instances of each service not sure if 5 is realistic, but it should be possible I suppose 6 is no problem for any host 8 can be done through scripting What I would like to know now is: Is it advisable to set it up like this? Are there 'better' ways to achieve the same result. (performance, availability, ease of maintenance) Would it be better to let radius talk directly to AD, possibly even using the MS radius server. Is it advisable to use an OpenLDAP proxy for *nix authentication or can I just as well use AD directly. The main reasons for me to assume this setup is the most suitable are: AD replicates by default OpenLDAP proxy does not need to replicate OpenLDAP is more 'compatible' with the *nix clients FreeRadius does not need to replicate All can be loadbalanced easily. The main question I want to know from the OpenLDAP list is: "how well does the OpenLDAP proxy perform?" For the remainder, if anyone wants to shed some light on this, I would greatly appreciate it. Thanks a lot in advance. Regards, Serge Fonville -- http://www.sergefonville.nl Convince Google!! They need to support Adsense over SSL https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528 http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&h…

1 0

Re: Configuring OpenLDAP on Ubuntu 9.10 [using slapd.conf??]
by Shamika Joshi 30 Mar '10

30 Mar '10

Thank you guys for your help! I'll try my way through it. One more question here, i have a old working slapd.conf file from a RHEL server, if I want to same slapd.conf file & provide its path in /etc/default/slapd as SLAPD_CONF=/etc/ldap/slapd.conf should that work? Or should I need to make more changes? Has anyone done this before? Any articles you may want to suggest I should go through to achieve this? Thanks Shamika On Tue, Mar 30, 2010 at 5:43 PM, Matt Kassawara <mkassawara(a)gmail.com>wrote: > Starting with Ubuntu Karmic (9.10), the slapd package changed from creating > a typical LDAP administrator account (i.e., username and password) to using > LDAPI and SASL EXTERNAL which automatically provides LDAP administrator > access via the system root account. As root, run your LDAP utilities with > "-Y external -H "ldapi:///" instead of "-x", "-D", and "-W" where > appropriate. For example, to search your LDAP directory: > > ldapsearch -Y external -H "ldapi:///" -b dc=domain,dc=com > > I'm not sure why the Ubuntu Server Guide for 9.10 did not get updated to > reflect these changes, but if you search the web for "ubuntu sasl external" > you'll get quite a few hits on the issue. You may also want to read these > bugs when configuring clients: > > https://bugs.launchpad.net/bugs/423252 > > https://bugs.launchpad.net/bugs/427842 > > Matt > > > On 3/30/10 4:04 AM, Shamika Joshi wrote: > >> I have followed following article to install/configure OpenLDAP on >> Ubuntu Server 9.10 >> https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html >> >> There is no slapd.conf in picture here instead running "dpkg-reconfigure >> slapd" should come up with following Wizard (got this after running >> through numerous articles on this) >> >> *Wizard steps:* >> >> 1. *omit openldap server configuration? – no* >> 2. *dns domain name? vm.example.org <http://vm.example.org>* >> 3. *organization name? myCompany* >> 4. *database backend to use? hdb* >> 5. *do you want the database to be removed when slapd is purged? yes* >> 6. *may be the question: move old database? yes* >> 7. *administrator password? the same one as entered during installation* >> 8. *confirm password? see last step* >> 9. *allow LDAPv2 protocol? no* >> >> >> However in my installation wizards asks >> * >> Omit OpenLDAP server configuration? No >> Do you want the database to be removed when slapd is purged? No >> Allow LDAPv2 protocol? No >> Creating initial slapd configuration... done. >> Starting OpenLDAP: slapd. >> >> *Has anyone attempted this before? What I'm missing here? Could someone >> like to pitch in for some help? >> >> So when I run "ldapsearch -x" it gives me following output >> >> admins@x6:/etc/ldap$ ldapsearch -x >> # extended LDIF >> # >> # LDAPv3 >> # base <> (default) with scope subtree >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # search result >> search: 2 >> result: 32 No such object >> >> # numResponses: 1 >> >> >> where is should give the output like >> >> # extended LDIF >> # >> # LDAPv3 >> # base (default) with scope subtree >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> #vm.example.org <http://vm.example.org> >> >> >> dn: dc=vm,dc=example,dc=org >> objectClass: top >> objectClass: dcObject >> objectClass: organization >> o: myCompany >> dc: vm >> >> # admin,vm.example.org <http://vm.example.org> >> >> dn: cn=admin,dc=vm,dc=example,dc=org >> >> objectClass: simpleSecurityObject >> objectClass: organizationalRole >> cn: admin >> description: LDAP administrator >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 3 >> # numEntries: 2 >> >> >> >> Thanks >> Shamika >> >

1 0

"new style" on ubuntu 8.04
by Luis Paulo 30 Mar '10

30 Mar '10

Hi, all I am installing openldap for the first time. On ubuntu 8.04 server. Things are going, I have a server, still without SASL, and a client working. I used the migration tools, and set rootdn and rootpw on my database conf I was reading a bit more, and I saw a command that didn't work $ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb on https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html (note, 9.10, not 8.04) A bit more reading, and I tried to get the "new style" configuration as in http://www.openldap.org/doc/admin24/slapdconf2.html with $ sudo mkdir /etc/ldap/slapd.d $ sudo chown -R openldap:openldap /etc/ldap/slapd.d $ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d and change, in */etc/default/slapd*, SLAPD_CONF=/etc/ldap/slapd.d Still can't run the command (with the plain rootpw password from the old slapd.conf) $ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb ldap_bind: Invalid credentials (49) I've read http://www.openldap.org/doc/admin24/appendix-common-errors.html and am now trying to check things and reading around the "new style" and ACL's. Should I be able to run that command and use the "new style" with ubuntu 8.04 (hardy)? If so, I'll thank you for any help. PS: ii slapd 2.4.9-0ubuntu0.8.04.3 OpenLDAP server (slapd) ii ldap-utils 2.4.9-0ubuntu0.8.04.3 OpenLDAP utilities ii migrationtools 47-3ubuntu2 Migration scripts for LDAP Linux main 2.6.24-27-server #1 SMP Fri Mar 12 01:23:09 UTC 2010 x86_64 GNU/Linux

1 0

ldap_ssl_client_init equivalent?
by phiroc＠free.fr 30 Mar '10

30 Mar '10

Hi, is there a ldap_ssl_client_init function in the openldap C API? I couldn't find any in the openldap header files. What is the equivalent of the following ldapsearch query in C using the API, on Linux? ldapsearch -x -H 'ldaps://activedirectory.abc.com/636' -b 'dc=abc,dc=com' -D 'testdn' -W '(&(objectclass=user)(!(objectclass=computer))(samaccountname=myname))' samaccountname Many thanks. p

2 1

Re: ldap_ssl_client_init equivalent?
by masarati＠aero.polimi.it 30 Mar '10

30 Mar '10

> Hi, > > is there a ldap_ssl_client_init function in the openldap C API? I couldn't > find any in the openldap header files. Because there isn't. > > What is the equivalent of the following ldapsearch query in C using the > API, on Linux? > > ldapsearch -x -H 'ldaps://activedirectory.abc.com/636' > -b 'dc=abc,dc=com' -D 'testdn' > -W '(&(objectclass=user)(!(objectclass=computer))(samaccountname=myname))' > samaccountname You can find that information in clients/tools/common.c clients/tools/ldapsearch.c p.

1 0

Re-engaging the Samba4 LDAP backend
by Andrew Bartlett 30 Mar '10

30 Mar '10

I'm trying to pick up the ball again on the OpenLDAP and Fedora DS backends, and hopefully to bring them back up to speed as a working and respectable solution. LDB will always be the Samba Team's primary backend for Samba4. This is particularly the case as there seems no reasonable prospect that we will do DRS replication against the OpenLDAP or FedoraDS backeed. (This simplifies the requirements dramatically). However, we do need them to work, as far as practical, for the rest of Samba4's DC functionality. The things I need soon from the backends are: - a replacement for the Samba4 rdn_name module. For OpenLDAP I have tried out ITS#6055 but it fails, sadly. http://www.openldap.org/its/index.cgi/Development?id=6055;selectid=6055 I don't know of any comparable effort in Fedora DS. - A RID allocation tool. Fedora DS has the 'distributed numeric assignment' plugin, and I'm sure it will be no challenge for OpenLDAP to match it. Safely adding new users to an OpenLDAP backend really does need a safe way to allocate RID values. - A way to invoke slpad -Ttest -f <config file> -F <config dir> without issuing errors because of the missing databases - Transaction support. While most of the transaction-aware tasks in Samba have now been either pushed off as 'too hard on LDAP' or into modules that are now in the LDAP backend, we still do need transactions over LDAP. - A way to easily detect that we have OpenLDAP or Fedora DS installed on the system, and what it's version is. Once we have that, we could start trying to run at least some of Samba4's tests against such a backend regularly (and stop breaking it so often). - Some help debugging the existing 'make test' failures! To address a broader range of use cases, I'm looking forward to the work Endi has promised for a 'ldap backend config file' as input to provision. Hopefully this will reduce the options we have to present to users on the provision command line. (Apologies in advance for the cross-post to multiple member-only lists, but I just wanted to get everyone on the same page). Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.

3 2

Re: ldap
by Patrick Mburu 30 Mar '10

30 Mar '10

Hi all, Thanks for your help, i created another domain and from my slapcat output i get this dn: dc=mycompnay,dc=com objectClass: dcObject objectClass: organization o: mycompany dc: mycompany structuralObjectClass: organization entryUUID: e235aa56-cd4a-102e-9e99- 4f8ab88a5141 creatorsName: cn=root,dc=mycompany,dc=com modifiersName: cn=root,dc=mycompany,dc=com createTimestamp: 20100326174351Z modifyTimestamp: 20100326174351Z entryCSN: 20100326174351Z#000000#00# 000000 dn: dc=mycompany,dc=local objectClass: dcObject objectClass: organization o: mycompany dc: mycompany structuralObjectClass: organization entryUUID: 4c85f2e4-cf9e-102e-9a60- f35afa4f4768 creatorsName: cn=root,dc=mycompany,dc=local modifiersName: cn=root,dc=mycompany,dc=local createTimestamp: 20100329164559Z modifyTimestamp: 20100329164559Z entryCSN: 20100329164559Z#000000#00# 000000 i want to delete the first domain entry "dc=mycompany,dc=com"so i am left with the last one ie "dc=mycompany,dc=local" Also, i get this error from ldasearch; ldap_bind Can't contact LDAP server, i have gotten a lead on linuxquestions which i will try end of day, but a quick suggestion will be appreciated. I am doing some good reading on openldap so it wont be long until i get openldap right. I am also checking on the forums. This is a small project i am working on, and soon i will be doing ZCS running on CentOS. Thanks in advance. ________________________________ From: Patrick Mburu <patrick_lists(a)yahoo.com> To: openldap-technical(a)openldap.org Sent: Mon, March 29, 2010 12:37:01 PM Subject: ldap Hi all, I have been trying to work with my .ldif file which looks like below but i get an error: All Services are started in this scenario; My ldif file dn: dc=mycompany,dc=COM objectclass: dcObject objectclass: organization o: mycompany dc: mycompany dn: cn=root,dc=mycompany,dc=COM objectclass: organizationalRole cn: root Error => bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996) => bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996) slapadd: could not add entry dn="dc=mycompnaye,dc=com" (line=6): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996) What am i not getting right, urgent help needed.

2 1

ldap
by Shabbir Ahmed 30 Mar '10

30 Mar '10

hi, i am running a directory service which will hold about a million entries which is running openldap mean time, i m runnig a oracle DB which holds the same db for SQL clients and i store the same data in openldap as well for the client of directory services, now what i want is to run a single DB (oracle) and openldap should be able to access it from there or any other directory service, now i want a good suggestion from you people whether i should run Oracle Internet Directory and make changes in SQL db which is reflected in Directory. second option is to run ldap but compiled with oracle DB as backend besides BDB so the data is saved in one place and when ever directory client accesses it openldap fetches it from the oracle DB and replies to client. third option is that i run it as it is with duplicating data in both oracle db and openldap but i am only worried for the performance issues in future ill face. Ill be thank full for the help.

3 2

Active Directory schema into OpenLDAP
by Shahzad Fateh Ali 29 Mar '10

29 Mar '10

Hi, I need to store Active Directory Data into OpenLDAP and for that I want to create the Active Directory schema into OpenLDAP. How to do it? -- Shahzad Fateh Ali C: +92 334 392 4334

4 5

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010