openldap-technical March 2010

openldap-technical@openldap.org

73 participants
87 discussions

LDAP_AUTH_METHOD_NOT_SUPPORTED with ldap_sasl_bind
by Thilko Richter 16 Mar '10

16 Mar '10

Hi, obviously I don´t have an appropriate 'supportedSASLMechanisms:' entry. But after adding supportedSASLMechanisms: PLAIN to some ldap entries, the ldap_sasl_bin still does not work. Where I have to add these informations, and are they correct for a simple bind? Thx, Thilko

2 3

detecting password expiration warnings by admin
by Tyler Gates 15 Mar '10

15 Mar '10

Hi Guys, We are currently looking into implementing password expirations (pwdMaxAge) along with password expiration warnings (pwdExpireWarning) so that email notifications may be sent to those offending entries via a cronjob run as the admin (or some other ACL user). The problem is, if I understand it correctly, these warning messages are only relayed (via password policy controls ?) when the USER itself binds to the tree. Is there some other way for a privileged user to obtain these messages or at least some other set attribute before pwdMaxAge has been reached? If you are thinking of increasing the pwdAuthGraceNLimit that wont work because the user could login and try binding several other times through the course of the day before receiving a "password is about to expire in nlogin attempts" which is preformed each time they login to their machine. Below is an example of what works to get the info I need, binding as a user (again not what I want): ##################################################################################################### #!/usr/bin/perl use strict; use Net::LDAP; use Net::LDAP::Constant qw(LDAP_EXTENSION_START_TLS); use Net::LDAP::Control::PasswordPolicy; use Net::LDAP::Constant qw(LDAP_CONTROL_PASSWORDPOLICY); use POSIX; my $ldap_host = "ldap://hostname.mydomain.com"; my $ldap_port = "389"; my $ldap = Net::LDAP->new($ldap_host, port => $ldap_port); my $seconds_in_a_day = 86400; my $seconds_in_an_hour = 3600; my $pp = Net::LDAP::Control::PasswordPolicy->new; my $mesg = $ldap->bind("uid=someuser,ou=People,dc=mydomain,dc=com", password => "secret", control => [ $pp ] ); # Get password policy reponse my($resp) = $mesg->control(LDAP_CONTROL_PASSWORDPOLICY); if (defined($resp)) { my $v = $resp->pp_error; print "Password policy error $v\n" if defined $v; $v = $resp->time_before_expiration; my $days = ceil($v/$seconds_in_a_day); my $hours = ($v/$seconds_in_an_hour); print "Your password expires in less than $days day(s) ($hours hour(s))\n" if defined $v; } ####################################################################################################

3 5

I can't get root level access rights(sudo) from ldap
by Zengming Zhang 15 Mar '10

15 Mar '10

Hi everyone: Please help me, I can't get root level access rights(sudo) from ldap.When I try to use sudo command, there is an error report: "user is not in the sudoers file. This incident will be reported." I am going to build a cluster systems, there is a file server and some client computers. The operating system of file server is Redhat Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition. When users login on a client, the client will get user authorization info from server and mount its HOME folder automatically. I installed openldap server(openldap-2.3.43-3.el5) on file-server, and use libnss-ldapd, libpam-ldap, auth-client-config ldap-auth-client and ldap-auth-config packages to change client's user authorization methods. But the problem is I do can get user authorization info from the ldap server, but I can't get root level access rights from ldap server as followed the steps here: http://www.gratisoft.us/sudo/man/sudoers.ldap.html. ################## My server configurations are: [1]/etc/openldap/slapd.conf： ------------------------------ The sudoers.schema has been included and indexed: include /etc/openldap/schema/sudoers.schema index sudoUser eq [2]/etc/ldap.conf: ------------------------------ sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server [3]Some contents in ldap database: ------------------------------ # SUDOers, file-server dn: ou=SUDOers,dc=file-server ou: SUDOers objectClass: top objectClass: organizationalUnit # %sysadmins, SUDOers, file-server dn: cn=%sysadmins,ou=SUDOers,dc=file-server objectClass: top objectClass: sudoRole cn: %sysadmins sudoUser: %sysadmins sudoHost: ALL sudoCommand: ALL (sysadmins is a group name that I created in my ldap server, what I want is user in this group can get root level access rights.) ################## ################## My client configurations are: [1]sudo-ldap: ------------------------------ A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been installed. [2]/etc/ldap.conf: ------------------------------ sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server [3]/etc/nsswitch.conf ------------------------------ # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. # pre_auth-client-config # passwd: compat passwd: files ldap # pre_auth-client-config # group: compat group: files ldap # pre_auth-client-config # shadow: compat shadow: files ldap # added by zengming, for sudo issue. sudoers: ldap files hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files protocols: db files services: db files ethers: db files rpc: db files # pre_auth-client-config # netgroup: nis netgroup: nis [4]I do can see that the user is in the sysadmins group as authorized from ldap server: jingna@zzm-desktop:~$ id uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins) ################## So, any ideas of you? Please let me know, thanks very much in advance! Best wishes, Zengming -- Zengming Zhang <nicegiving(a)gmail.com>

4 3

Help with roles
by antprado 14 Mar '10

14 Mar '10

(I did post this question to the software portion of the list also, my apologies if you seeing this in redundancy) Hi, I am being in contact with LDAP for the first and I do need to create a role for some users. Do you have any points or how to do this? What I need to do: role: ==> administrator user: admin001 role:==> developer user: dev001 user: dev002 role: ==> it user: operator001 user: operator002 I did create these accounts under fedora already. I need to create a role also for certain directories: for example: /home/bug ==> for developer /home/operations ==> for it /home ==> for administrator Thank you all for your help

1 0

How to make a simple bind using ldapv3?
by Thilko Richter 14 Mar '10

14 Mar '10

Hi, I am a litle bit confused: Do I use ldap_sasl_bind with null as mechanism or should I use ldap_simpl_bind, which is marked as deprecated in ldap.h? I cant´t find really helpful docs about this. Thx a lot, Thilko

2 1

RE: database is not a shadow
by Chris Jacobs 12 Mar '10

12 Mar '10

Ok, this is embarrassing. Issue: I'd set the provider to itself (on ldapmaster2): syncrepl rid=1 provider=ldaps://ldapmaster2.corp.aptimus.net type=refreshAndPersist interval=00:00:10:00 searchbase="dc=unix,dc=aptimus,dc=net" bindmethod=simple binddn="uid=root,ou=people,dc=unix,dc=aptimus,dc=net" credentials="Ten%20two" retry="15 20 60 +" mirrormode on changed to what it should be (ldapmaster1) and it started up fine. Odd error though. PS: I'd love to reply to my original message, but I haven't received it (I had recently changed my options to receive an email for each, rather than a digest) -----Original Message----- From: Chris Jacobs Sent: Friday, March 12, 2010 2:54 PM To: 'openldap-technical(a)openldap.org' Subject: database is not a shadow I'm getting a really odd error when trying to start slapd: [root@ldapmaster2 ~]# /usr/local/libexec/slapd -u ldap -h 'ldap:/// ldaps:///' -d5 @(#) $OpenLDAP: slapd 2.4.21 (Mar 9 2010 10:37:55) $ root@localhost.localdomain:/cust/appbuilds/openldap-2.4.21/servers/slapd ldap_pvt_gethostbyname_a: host=ldapmaster2.corp.aptimus.net, r=0 daemon_init: ldap:/// ldaps:/// daemon_init: listen on ldap:/// daemon_init: listen on ldaps:/// daemon_init: 2 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// ldap_url_parse_ext(ldaps:///) daemon: listener initialized ldaps:/// daemon_init: 4 listeners opened ldap_create slapd init: initiated server. slap_sasl_init: initialized! bdb_back_initialize: initialize BDB backend bdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) hdb_back_initialize: initialize HDB backend hdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) ==> translucent_initialize >>> dnNormalize: <> <<< dnNormalize: <> >>> dnNormalize: <cn=Subschema> => ldap_bv2dn(cn=Subschema,0) <= ldap_bv2dn(cn=Subschema)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=subschema)=0 <<< dnNormalize: <cn=subschema> >>> dnNormalize: <ou=assets,dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(ou=assets,dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(ou=assets,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=assets,dc=unix,dc=aptimus,dc=net)=0 <<< dnNormalize: <ou=assets,dc=unix,dc=aptimus,dc=net> bdb_db_init: Initializing BDB database >>> dnPrettyNormal: <dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=unix,dc=aptimus,dc=net)=0 <<< dnPrettyNormal: <dc=unix,dc=aptimus,dc=net>, <dc=unix,dc=aptimus,dc=net> >>> dnPrettyNormal: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 <<< dnPrettyNormal: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net>, <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> >>> dnNormalize: <dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=unix,dc=aptimus,dc=net)=0 <<< dnNormalize: <dc=unix,dc=aptimus,dc=net> >>> dnNormalize: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 <<< dnNormalize: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ber_scanf fmt (m) ber: ldap_url_parse_ext(ldaps://ldapmaster2.corp.aptimus.net) ldap_url_parse_ext(ldap:///) ldap_url_parse_ext(ldap:///) ldap_url_parse_ext(ldaps:///) /etc/openldap/slapd.conf: line 75: <mirrormode> database is not a shadow slapd destroy: freeing system resources. syncinfo_free: rid=001 slapd stopped. connections_destroy: nothing to destroy. Needless to say, this server will be a mirror - and I'd had this config working previously. The other server, setup seemingly identically works fine. What the heck does this error mean? - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs(a)apollogrp.edu This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

1 0

database is not a shadow
by Chris Jacobs 12 Mar '10

12 Mar '10

I'm getting a really odd error when trying to start slapd: [root@ldapmaster2 ~]# /usr/local/libexec/slapd -u ldap -h 'ldap:/// ldaps:///' -d5 @(#) $OpenLDAP: slapd 2.4.21 (Mar 9 2010 10:37:55) $ root@localhost.localdomain:/cust/appbuilds/openldap-2.4.21/servers/slapd ldap_pvt_gethostbyname_a: host=ldapmaster2.corp.aptimus.net, r=0 daemon_init: ldap:/// ldaps:/// daemon_init: listen on ldap:/// daemon_init: listen on ldaps:/// daemon_init: 2 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// ldap_url_parse_ext(ldaps:///) daemon: listener initialized ldaps:/// daemon_init: 4 listeners opened ldap_create slapd init: initiated server. slap_sasl_init: initialized! bdb_back_initialize: initialize BDB backend bdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) hdb_back_initialize: initialize HDB backend hdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) ==> translucent_initialize >>> dnNormalize: <> <<< dnNormalize: <> >>> dnNormalize: <cn=Subschema> => ldap_bv2dn(cn=Subschema,0) <= ldap_bv2dn(cn=Subschema)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=subschema)=0 <<< dnNormalize: <cn=subschema> >>> dnNormalize: <ou=assets,dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(ou=assets,dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(ou=assets,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=assets,dc=unix,dc=aptimus,dc=net)=0 <<< dnNormalize: <ou=assets,dc=unix,dc=aptimus,dc=net> bdb_db_init: Initializing BDB database >>> dnPrettyNormal: <dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=unix,dc=aptimus,dc=net)=0 <<< dnPrettyNormal: <dc=unix,dc=aptimus,dc=net>, <dc=unix,dc=aptimus,dc=net> >>> dnPrettyNormal: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 <<< dnPrettyNormal: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net>, <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> >>> dnNormalize: <dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=unix,dc=aptimus,dc=net)=0 <<< dnNormalize: <dc=unix,dc=aptimus,dc=net> >>> dnNormalize: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> => ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net,0) <= ldap_bv2dn(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=root,ou=people,dc=unix,dc=aptimus,dc=net)=0 <<< dnNormalize: <uid=root,ou=people,dc=unix,dc=aptimus,dc=net> put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ber_scanf fmt (m) ber: ldap_url_parse_ext(ldaps://ldapmaster2.corp.aptimus.net) ldap_url_parse_ext(ldap:///) ldap_url_parse_ext(ldap:///) ldap_url_parse_ext(ldaps:///) /etc/openldap/slapd.conf: line 75: <mirrormode> database is not a shadow slapd destroy: freeing system resources. syncinfo_free: rid=001 slapd stopped. connections_destroy: nothing to destroy. Needless to say, this server will be a mirror - and I'd had this config working previously. The other server, setup seemingly identically works fine. What the heck does this error mean? - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs(a)apollogrp.edu This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

1 0

Issues migrating from Linux passwd file to OpenLDAP
by Steve Cross 12 Mar '10

12 Mar '10

Hello all, Here is the issue that I am having. I have recently setup an OpenLDAP database for my local network. My goal is to use this for authentication for all clients on my network. I have been able to configure slapd.conf and the server will start up and run just fine. I have been using the migration tools to convert from the Linux style passwd file to .ldif files to import into my shiny new LDAP database. Everything goes smoothly, including the ldapadd command to import the ldif files. I am importing my users and my groups, as well as the base information for my site. Everything imports in, and i can find every user's DN using ldapsearch, but whenever I try to authenticate with any user imported from the passwd file, it fails authentication. However, if i go and change the user's password with ldappasswd then it will let me authenticate just fine for that user. I think this issue has to do with the fact that ldapadd automatically hashes the value stored in userPassword, but this seems to be causing issues with the SMD5 passwords that are stored in my shadow file. I've tried using {CLEARTEXT}, {CRYPT}, {MD5}, and {SMD5} before the value in the userPassword field, but no matter what i cannot login with the user's actual password. Is there any way to prevent ldapadd from hashing the userPassword value, since it already is encrypted? If not, what is the correct method for importing from passwd file that will not require me to change every user's password manually once imported into the LDAP directory. Below is my system setup. Slackware Linux 12.2 OpenLDAP 2.4.21 compiled from source passwd file encryption type: Salted MD5 If you need any more information please don't hesitate to ask. I am willing to provide any information necessary to get this going. Any help or pointers that I can get on this situation would be GREATLY appreciated. Thanks, Steve

2 1

OpenLDAP DB_CONFIG values for a big Server
by Echedey Lorenzo 12 Mar '10

12 Mar '10

Hi, Soon I'll have a x64 Suse machine with 16GB RAM and 4 Intel Cores. We need our OpenLDAP Server to be as fast as possible. I wonder which DB_CONFIG values are suitable for this. Maybe... set_cachesie 14 0 4 set_lg_regionmax 262144 set_lg_bsize 2097152 set_flags DB_LOG_AUTOREMOVE ...? Directory will have around 6~8 million entries. I'm not sure if they will be entirely uploaded to the RAM cache, but at least part of will improve speed, I think. Any help will be appreciated since my experiences with OpenLDAP performance against Sun Directory Server 5.2 has not been good, taking several seconds to answer any ldaprequest :( -- -------------------------------------------- | Echedey Lorenzo Arencibia | --------------------------------------------

4 8

syncrepl not working for pwdFailureTime attribute
by Alex Samad 12 Mar '10

12 Mar '10

Hi I have setup a multi master as per the online doco. When I was checking recently, the 2 DB were out of sync, some record hadn't been transferred over, I force this by setting -c rid=,csn= But whilst checking this, I noticed that some attributes haven't been moved across pwdFailureTime was on a record on the primary ldap server and not on the secondary master, try what I could I couldn't force it over is this a feature or a bug ? Alex

5 5

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010