openldap-technical March 2010

openldap-technical@openldap.org

73 participants
87 discussions

rwm-map like functionality that copies attributes
by Alexander 'Leo' Bergolth 05 Mar '10

05 Mar '10

Hi! I'd like to implement some kind of attribute-mapping so that the attributes cn and displayName contain the same values. I am thinking about something similar to rwm-map attribute displayName cn However, I don't want to map the attribute names but I want to copy the attribute values, so I guess rwm-map won't be the right way to do it. I found an old mail in the archives that suggests to write an own overlay for that job... http://www.mail-archive.com/openldap-software@openldap.org/msg12720.html I wonder if such kind of functionality has already been developed since that time? Thanks, --leo -- e-mail ::: Leo.Bergolth (at) wu.ac.at fax ::: +43-1-31336-906050 location ::: IT-Services | Vienna University of Economics | Austria

1 0

OpenLDAP authentication problem, need help
by Veikko "Wexi" Skurnik 05 Mar '10

05 Mar '10

Hi all, my OpenLDAP server was working fine, user authentication for workstations and the postfix/dovecot mail server worked as they should, I was about to configure gnarwl and now for some reason users cannot authenticate using the LDAP server. Dovecot also say that it cannot connect to the server (the mail server and OpenLDAP are running on the same machine). I can login to the LDAP server using phpLDAPadmin but i cannot find anything that would be the cause of the problem. The starnge thing is that I did not do any modifications to the OpenLDAP config files that could cause the problem (or at least i think so =)). I've been looking through the config files and made sure that OpenLDAP is running and now I'm running out of ideas. Any help would be greatly appreciated and I'll be more than happy to provide more info needed to solve this problem. Thanks in advance Veikko "Wexi" Skurnik -- * Veikko "Wexi" Skurnik: +358(44)5288338 * * wexi(a)wexin.net Wexi@IRCNet * * Näyttämönkatu 4 B 12 33720 Tampere * * "Kosminen balanssi ei saa järkkyä" *

1 0

SASL Auth with -d ok, otherwise internal error 80
by lists＠supported.de 05 Mar '10

05 Mar '10

Hello list, this is my first time trying to set up SASL, I'm probably doing something wrong. Anyhow: - I'm on OpenSolaris snv_127 - using SUNWopenldap from IPS (which links with bdb 4.7.25) I got strange slapd (and slapcat) hangs (probably in bdb). This forced me to set it all up from source. - I've compiled latest bdb 4.8 from source - I've compiled latest OpenLDAP 2.4.21 from source with this configure args: $ cat myconfigure export CFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \ CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \ LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib \ -R/usr/local/BerkeleyDB.4.8/lib" ./configure -C \ --prefix=/usr/local/openldap \ --enable-spasswd \ --with-cyrus-sasl \ --enable-syslog - I've got my slapd.conf [1] in place and initialized my directory - simple bind always works - I want SASL with DIGEST-MD5 auth. - when starting slapd with -d XXX (-d 256) SASL auth. works !! $ ldapsearch -v -h localhost -p 10389 -LLL -U ldapadmin -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" '*' ldap_initialize( ldap://localhost:10389 ) SASL/DIGEST-MD5 authentication started Please enter your password: SASL username: ldapadmin SASL SSF: 128 SASL installing layers filter: cn=ldapadmin requesting: * dn: cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de cn: ldapadmin gidNumber: 5000 objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: posixAccount objectClass: person objectClass: top sn: Admin uid: ldapadmin uidNumber: 5000 homeDirectory: /tmp userPassword:: ******** - when starting slapd without -d I get: $ ldapsearch -v -h localhost -LLL -U ldapadmin -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" ldap_initialize( ldap://localhost:10389 ) SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-1): generic failure: There's an additional problem in that slapd is not logging to syslogd. Cf. below I configured "loglevel 8191", my syslog.conf contains: local4.debug /var/log/openldap.log Upon slapd startup I get two entries in the log, but nothing else, no debugging: Mar 4 12:48:10 os slapd[8083]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.4.21 (Mar 4 2010 12:12:43) $ Mar 4 12:48:10 os ralph@os:/export/home/ralph/openldap-2.4.21/servers/slapd Can anybody point me in the right direction? Thanks! Cheers, Ralph [1] slapd.conf: include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema pidfile /var/run/slapd.pid argsfile /var/run/slapd.args loglevel 8191 moduleload back_hdb.la ############## # I've added these in sick attempts security ssf=0 sasl=0 sasl-secprops none ############ authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth cn=$1,ou=Users,dc=hh,dc=supported,dc=de access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,shadowLastChange by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write by anonymous auth by self write by * none access to * by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write by self write by users read by anonymous auth rootdn "cn=root,ou=Users,dc=hh,dc=supported,dc=de" rootpw ****** database hdb suffix "dc=hh,dc=supported,dc=de" directory /var/openldap index objectClass eq

2 2

OpenLdap mirrormode cluster with 2 slaves.
by Jan Hugo Prins 04 Mar '10

04 Mar '10

Hello, I have the following setup that gives me some issues at the moment. I have 2 servers running Fedora 10 with OpenLDAP 2.4.19 that are running in Mirrormode. The sync between those 2 servers works just fine. Besides that we have 2 frontend servers that rely heavily on ldap for mail delivery and mail transfers. To make this workable we thought about creating a readonly replica on these servers and tell the sendmail to use the local ldap as primary. When we had an old version on these servers (I think 2.4.12) everything worked fine. We now upgraded all servers to 2.4.19 and the configuration moved to slapd.d format, and now it looks like those 2 servers don't see the updates on the mirrormode backend anymore. I have to following config's, this was from before the migration to slapd.d: ================== master 1 ================== overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 3 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://server2:389 type=refreshAndPersist retry="60 10 300 +" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password mirrormode on ================== master 2 ================== overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 4 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://server1:389 type=refreshAndPersist retry="60 10 300 +" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password mirrormode on =================== slaves =================== overlay syncprov syncprov-checkpoint 100 10 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://ldap:389 type=refreshOnly retry="60 1 120 1" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password updateref ldap://ldap.svc.be.nl:389 updateref ldap://ldap.lan.domain.com:389 ============================================ When I empty the DIT on a slave and start it again it gets the full DIT just fine and I checked this. But after that it is not updated anymore. Does anyone see here some obvious things I'm missing in these slave or master configs? Thanks a lot, Jan Hugo Prins

1 2

combine/link entries in different ou' s
by Marc Mertes 03 Mar '10

03 Mar '10

Hi everybody, I'm not a real pro in ldap yet, so I have a question about ou' s. I have here the main ou=people, where all users are in. Now I want to create a 2nd ou=radar. The goal is that I have a 2nd ou with just a few users, for authentication on some special servers. I want to have that seperated. My question is, if I can link or combine some users from ou=people to ou=radar, that I don't have to create the user a 2nd time? regards marc

2 1

Adding ipHost for Hout based authentication
by Tech Only 03 Mar '10

03 Mar '10

Hello, I am trying to add hosts to the LDAP server for more control on logins. I have nis.schema in the slapd.conf file. Below is host.ldif file dn: cn=mldap,ou=hosts,dc=aaa objectClass: ipHost ipHostNumber: 10.10.5.115 cn: mldap When I try to add it I get following error. ldap_add: Object class violation (65) additional info: no structural object class provided My aim is to add all the network servers under ou=hosts, and then assign access to users depending on the need. Please help!!!!!!

3 3

RE: Comp_matching OPenldap
by romain guignard 03 Mar '10

03 Mar '10

Hi I would like to use component Matching in order to search in complex attribute as certificate. For this, I have install Openldap 2.4.9 with --enable-modules=yes . Now I try to compile the openldap-snacc-2.3.6. For this I execute the make command but I have always errors : make[3]: quittant le rÃ©pertoire Â« /home/openldap-snacc-2.3.6/c++-examples/src Â» make targets make[3]: entrant dans le rÃ©pertoire Â« /home/openldap-snacc-2.3.6/c++-examples/src Â» g++ -I../../c++-lib/inc -I../.. -I./ -I../src -O2 -Wall -DSTDC_HEADERS -fPIC -Wswitch -DLinux -c -o rfc1155-smi.o rfc1155-smi.cpp ../../c++-lib/inc/asn-incl.h:285: attention : âclass SNACC::PERGeneralâ has virtual functions but non-virtual destructor ../../c++-lib/inc/asn-listset.h: In member function âtypename std::list<T, std::allocator<_CharT> >::iterator AsnList<T>::append(const T&)â: ../../c++-lib/inc/asn-listset.h:24: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h:24: erreur: (if you use â-fpermissiveâ, G++ will accept your code, but allowing the use of an undeclared name is deprecated) ../../c++-lib/inc/asn-listset.h: In member function âvirtual void AsnList<T>::Clear()â: ../../c++-lib/inc/asn-listset.h:50: erreur: there are no arguments to âclearâ that depend on a template parameter, so a declaration of âclearâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvirtual SNACC::AsnLen AsnList<T>::Interpret(SNACC::AsnBufBits&, long int) constâ: ../../c++-lib/inc/asn-listset.h:75: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:76: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h:82: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvirtual SNACC::AsnLen AsnList<T>::PEnc(SNACC::AsnBufBits&) constâ: ../../c++-lib/inc/asn-listset.h:100: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:106: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:106: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h:111: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:112: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:131: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:146: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:152: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:159: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:159: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvirtual void AsnList<T>::PDec(SNACC::AsnBufBits&, SNACC::AsnLen&)â: ../../c++-lib/inc/asn-listset.h:171: erreur: there are no arguments to âclearâ that depend on a template parameter, so a declaration of âclearâ must be available ../../c++-lib/inc/asn-listset.h: In member function âchar* AsnList<T>::checkSOfSingleVal(long int) constâ: ../../c++-lib/inc/asn-listset.h:244: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:247: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h: In member function âchar* AsnList<T>::checkSOfVRange(long int, long int) constâ: ../../c++-lib/inc/asn-listset.h:260: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:263: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:267: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:270: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvirtual int AsnList<T>::checkConstraints(SNACC::ConstraintFailList*) constâ: ../../c++-lib/inc/asn-listset.h:280: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:280: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvirtual SNACC::AsnLen AsnList<T>::BEncContent(SNACC::AsnBuf&) constâ: ../../c++-lib/inc/asn-listset.h:289: erreur: there are no arguments to ârbeginâ that depend on a template parameter, so a declaration of ârbeginâ must be available ../../c++-lib/inc/asn-listset.h:289: erreur: there are no arguments to ârendâ that depend on a template parameter, so a declaration of ârendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnList<T>::Print(std::ostream&, short unsigned int) constâ: ../../c++-lib/inc/asn-listset.h:324: erreur: there are no arguments to âemptyâ that depend on a template parameter, so a declaration of âemptyâ must be available ../../c++-lib/inc/asn-listset.h:328: erreur: there are no arguments to âfrontâ that depend on a template parameter, so a declaration of âfrontâ must be available ../../c++-lib/inc/asn-listset.h:330: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:330: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnList<T>::PrintXML(std::ostream&, const char*) constâ: ../../c++-lib/inc/asn-listset.h:343: erreur: there are no arguments to âemptyâ that depend on a template parameter, so a declaration of âemptyâ must be available ../../c++-lib/inc/asn-listset.h:348: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:348: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âSNACC::AsnLen AsnSeqOf<T>::BEnc(SNACC::AsnBuf&) constâ: ../../c++-lib/inc/asn-listset.h:383: erreur: there are no arguments to âBEncContentâ that depend on a template parameter, so a declaration of âBEncContentâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnSeqOf<T>::BDec(const SNACC::AsnBuf&, SNACC::AsnLen&)â: ../../c++-lib/inc/asn-listset.h:393: erreur: there are no arguments to âclearâ that depend on a template parameter, so a declaration of âclearâ must be available ../../c++-lib/inc/asn-listset.h:398: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:403: erreur: there are no arguments to âBDecContentâ that depend on a template parameter, so a declaration of âBDecContentâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnSeqOf<T>::Print(std::ostream&, short unsigned int) constâ: ../../c++-lib/inc/asn-listset.h:409: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:412: erreur: there are no arguments to âemptyâ that depend on a template parameter, so a declaration of âemptyâ must be available ../../c++-lib/inc/asn-listset.h:416: erreur: there are no arguments to âfrontâ that depend on a template parameter, so a declaration of âfrontâ must be available ../../c++-lib/inc/asn-listset.h:418: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:418: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnSeqOf<T>::PrintXML(std::ostream&, const char*) constâ: ../../c++-lib/inc/asn-listset.h:434: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:437: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:445: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h: In member function âSNACC::AsnLen AsnSetOf<T>::BEncContent(SNACC::AsnBuf&) constâ: ../../c++-lib/inc/asn-listset.h:493: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:493: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnSetOf<T>::BDec(const SNACC::AsnBuf&, SNACC::AsnLen&)â: ../../c++-lib/inc/asn-listset.h:515: erreur: there are no arguments to âclearâ that depend on a template parameter, so a declaration of âclearâ must be available ../../c++-lib/inc/asn-listset.h:520: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:526: erreur: there are no arguments to âBDecContentâ that depend on a template parameter, so a declaration of âBDecContentâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnSetOf<T>::PDec(SNACC::AsnBufBits&, SNACC::AsnLen&)â: ../../c++-lib/inc/asn-listset.h:535: erreur: there are no arguments to âclearâ that depend on a template parameter, so a declaration of âclearâ must be available ../../c++-lib/inc/asn-listset.h:540: erreur: there are no arguments to âappendâ that depend on a template parameter, so a declaration of âappendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âSNACC::AsnLen AsnSetOf<T>::PEnc(SNACC::AsnBufBits&) constâ: ../../c++-lib/inc/asn-listset.h:546: erreur: there are no arguments to âsizeâ that depend on a template parameter, so a declaration of âsizeâ must be available ../../c++-lib/inc/asn-listset.h:553: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:553: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnSetOf<T>::Print(std::ostream&, short unsigned int) constâ: ../../c++-lib/inc/asn-listset.h:572: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:575: erreur: there are no arguments to âemptyâ that depend on a template parameter, so a declaration of âemptyâ must be available ../../c++-lib/inc/asn-listset.h:579: erreur: there are no arguments to âfrontâ that depend on a template parameter, so a declaration of âfrontâ must be available ../../c++-lib/inc/asn-listset.h:581: erreur: there are no arguments to âbeginâ that depend on a template parameter, so a declaration of âbeginâ must be available ../../c++-lib/inc/asn-listset.h:581: erreur: there are no arguments to âendâ that depend on a template parameter, so a declaration of âendâ must be available ../../c++-lib/inc/asn-listset.h: In member function âvoid AsnSetOf<T>::PrintXML(std::ostream&, const char*) constâ: ../../c++-lib/inc/asn-listset.h:597: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:600: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available ../../c++-lib/inc/asn-listset.h:608: erreur: there are no arguments to âtypeNameâ that depend on a template parameter, so a declaration of âtypeNameâ must be available make[3]: *** [rfc1155-smi.o] Erreur 1 make[3]: quittant le rÃ©pertoire Â« /home/openldap-snacc-2.3.6/c++-examples/src Â» make[2]: *** [all] Erreur 2 make[2]: quittant le rÃ©pertoire Â« /home/openldap-snacc-2.3.6/c++-examples/src Â» make[1]: *** [all] Erreur 2 make[1]: quittant le rÃ©pertoire Â« /home/openldap-snacc-2.3.6/c++-examples Â» make: *** [all] Erreur 2 Does "Component matching" is supported by openldap ? Any help would be greatly appreciated, thanks, Romain Commander un cadeau en ligne discrètement? Voir la solution offerte par Internet Explorer8 _________________________________________________________________ Hotmail arrive sur votre téléphone ! Compatible Iphone, Windows Phone, Blackberry, … http://www.messengersurvotremobile.com/?d=Hotmail

1 0

back-sql/BDB question
by beniwtv＠relamp.tk 02 Mar '10

02 Mar '10

Hello, I have an OpenLDAP server configured with back-sql. The reason for this is that I need to export two simple tables as LDAP for contacts (groups and users) and I don't want a cron job syncing the two every x hours/minutes (ideally it should be instant). And also (ideally), if the two programs access the same database there are no inconsistencies between the two. All is working perfectly fine, except that changes to existing rows in the SQL database (MySQL) are not picked up until OpenLDAP is restarted. Adding new rows works fine, however. I guess that for each record in ldap_entries, OpenLDAP fetches the values on startup, but does not check them again, unless there is a new one which it has no data for. Am I correct here? Now, I'm wondering if anyone has experienced the same problem, and if there is a solution? Is this intentional? (could be) I'm too considering dropping back_sql and just modify the web application to also modify OpenLDAP directly via queries, however, I fear that if one of them goes down, data inconsistency might occur. (could be resolved with a cron script?) Any ideas? Thanks, Benedikt

1 0

Nssov Authorization without Authentication
by Chris Breneman 01 Mar '10

01 Mar '10

Is there a way to use nssov PAM LDAP for authorization (the PAM "account"), without using it for authentication? In my setup, I'm authenticating users with pam_krb5 separately, and I just want to use LDAP for authorization and nss. I got nssov working fine with nss, but not authorization. I want to use the authorizedService attribute of the user entry for authorization. My nssov configuration is: dn: olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcNssOvConfig olcOverlay: {0}nssov olcNssSsd: passwd ldap:///ou=people,dc=cluenet,dc=org??one olcNssPam: userservice olcNssPamMinUid: 25000 After adding the required entry to the PAM configuration (the account section only), logins stop working - SSH just disconnects immediately after the password is entered. I suspect this is because I'm not using nssov for the PAM authentication. At the beginning of pam_authz() in nssov, I saw: /* We don't do authorization if they weren't authenticated by us */ if (BER_BVISEMPTY(&dn)) { rc = NSLCD_PAM_USER_UNKNOWN; goto finish; } Which leads me to believe that this is what is causing the problem. Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there, logins succeed (but authorization is not performed). If I just comment out that block, logins still don't work, but I get the "service not permitted" message. Is there some way to make authorization work without first performing authentication through nssov? Thanks, Chris Breneman

2 1

Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
by Jose G. Torres 01 Mar '10

01 Mar '10

Hello, Wow. I feel like an idiot. I solved my problem. My OpenSUSE clients were sending passwords as md5 and cause my openldap server not able to read the password information. I changed the clients to send password as "exop" and that did the trick. Jose --- On Thu, 2/25/10, Jose G. Torres <jogeedaklown(a)yahoo.com> wrote: > From: Jose G. Torres <jogeedaklown(a)yahoo.com> > Subject: Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources) > To: openldap-technical(a)openldap.org > Date: Thursday, February 25, 2010, 9:04 AM > Hello again, > Well I tried the following. > > Added the full path of the check_password.so in my > slapd.conf under "moduleload". > moduleload > /opt/openldap/etc/openldap/modules/check_password.so > > Added the full path to my check_password.so module in my > ldif > pwdCheckModule: > /opt/openldap/etc/openldap/modules/check_password.so > > Recompiled the sources again using the configure used to > build the openSUSE package. > CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \ > LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \ > ./configure --prefix=/opt/openldap --with-tls \ > --enable-spasswd --enable-crypt --with-gnu-ld \ > --enable-ppolicy --enable-modules --enable-dynamic > --enable-aci --enable-bdb --enable-hdb \ > --enable-rewrite --enable-ldap=yes --enable-meta=mod \ > --enable-monitor=yes --enable-slp --enable-overlays=yes \ > > Still no luck. At least within my ldap logs I see the > "Password fails quality checking policy" so at least it is > hitting the ldap server for password checking. Any > ideas????? Thanks!!!! > > Jose > > > I am trying to get my solaris 10 openldap 2.4.21 > server to use my check_password.so module using the ppolicy > overlay. When I try to change a user's > > password from a linux client, I get the following > error message. > > > > passwd ldapuser > > Changing password for ldapuser. > > Enter login(LDAP) password: > > New Password: > > Reenter New Password: > > LDAP password information update failed: Constraint > violation > > Password fails quality checking policy > > passwd: Permission denied > > > > > > Within > > my logs, I do not see any error messages from my > check_password.so > > module. I created the directory > /opt/openldap/etc/openldap/modules and > > placed my module in that directory and I added the > modulepath in my > > slapd.conf. > > > > Is there something I missed? Is this > a PAM thing? I know this setup works on a OpenSUSE 11.2 > openldap server. Help. > > > > I included part of my slapd.conf, openldap configure, > check_password.c source, makefile and ldd of my > check_password.so. > > > > Thanks!!!! > > > > Jose Torres > > > > > > openldap configure > > ****************** > > > > CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include > \ > > LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \ > > ./configure --prefix=/opt/openldap --with-tls \ > > --enable-spasswd --enable-crypt --with-gnu-ld \ > > --enable-ppolicy --enable-modules --enable-dynamic > > > > > > slapd.conf: > > ********** > > > > include > /opt/openldap/etc/openldap/schema/ppolicy.schema > > > > # Add password policies. > > modulepath /opt/openldap/etc/openldap/modules > > overlay ppolicy > > ppolicy_default > "cn=default,ou=policies,dc=caci,dc=ymp,dc=com" > > ppolicy_use_lockout > > > > I tried ppolicy_clear_txt I still have the same > problem. > > > > check_password.c: > > **************** > > > > #include <stdio.h> > > #include <stdlib.h> > > #include <string.h> > > #include <ctype.h> > > #include "portable.h" > > #include "slap.h" > > > > int init_module() > > { > > return 0; > > } > > > > int check_password(char *pPasswd, char **ppErrStr, > Entry *pEntry) > > { > > char error=0; > > char retmsg[255]; > > char *message,*buffer,*token; > > const char special[] > ="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"; > > const char number[] ="1234567890"; > > const char CAPS[] > ="ABCDEFGHIJKLMNOPQRSTUVWXYZ"; > > > > error = 0; > > > > > > if (strstr( pPasswd, " ") != NULL) > > { > > error = 1; > > strcpy(retmsg , > "******** CHECKPW: Password contains SPACES! ********"); > > } > > > > buffer = strdup(pPasswd); > > token = strtok(buffer,special); > > if ( !(strcmp(token,pPasswd)) || (token > == NULL) ) > > { > > error = 1; > > strcpy(retmsg , > "******** CHECKPW: Password does not contain any special c > > haracters! ********"); > > } > > > > buffer = strdup(pPasswd); > > token = strtok(buffer,number); > > > > if ( !(strcmp(token,pPasswd)) || (token > == NULL) ) > > { > > error = 1; > > strcpy(retmsg , > "******** CHECKPW: Password does not contain any numbers! > > ********"); > > } > > > > buffer = strdup(pPasswd); > > token = strtok(buffer,number); > > > > if ( !(strcmp(token,pPasswd)) || (token > == NULL) ) > > { > > error = 1; > > > strcpy(retmsg , "******** CHECKPW: Password does not contain > any CAPITAL L > > ETTERS! ********"); > > } > > > > if (error) > > { > > /* Allocate */ > > message = (char > *)malloc(sizeof(char) * (strlen(retmsg)+1)); > > /* Copy the contents of > the string. */ > > strcpy(message, > retmsg); > > *ppErrStr=message; > > } > > return error; > > } > > > > Makefile: > > ********* > > > > check_password.so: check_password.o > > gcc > -L/opt/openldap/lib -lldap -shared -o check_password.so > check_passwo > > rd.o > > check_password.o: check_password.c > > gcc -fpic > -I../../include -I. -c check_password.c > > clean: > > rm > check_password.so check_password.o > > > > > > It seems to find the right libraries. > > > > $ ldd modules/check_password.so > > libldap-2.4.so.2 > => > /opt/openldap/lib/libldap-2.4.so.2 > > libgcc_s.so.1 > => > /usr/sfw/lib/libgcc_s.so.1 > > liblber-2.4.so.2 > => > /opt/openldap/lib/liblber-2.4.so.2 > > libresolv.so.2 > => /usr/lib/libresolv.so.2 > > libgen.so.1 > => /usr/lib/libgen.so.1 > > libnsl.so.1 > => /usr/lib/libnsl.so.1 > > libsocket.so.1 > => /usr/lib/libsocket.so.1 > > libsasl.so.1 > => /usr/lib/libsasl.so.1 > > libssl.so.0.9.7 > => > /usr/sfw/lib/libssl.so.0.9.7 > > > libcrypto.so.0.9.7 => > /usr/sfw/lib/libcrypto.so.0.9.7 > > libc.so.1 > => /usr/lib/libc.so.1 > > libmp.so.2 > => /usr/lib/libmp.so.2 > > libmd.so.1 > => /usr/lib/libmd.so.1 > > libscf.so.1 > => /usr/lib/libscf.so.1 > > libdoor.so.1 > => /usr/lib/libdoor.so.1 > > libuutil.so.1 > => > /usr/lib/libuutil.so.1 > > > libssl_extra.so.0.9.7 => > /usr/sfw/lib/libssl_extra.so.0.9.7 > > > libcrypto_extra.so.0.9.7 => > /usr/sfw/lib/libcrypto_extra.so.0.9.7 > > libm.so.2 > => /usr/lib/libm.so.2 > > > >

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010