rwm-map like functionality that copies attributes
by Alexander 'Leo' Bergolth
Hi!
I'd like to implement some kind of attribute-mapping so that the
attributes cn and displayName contain the same values. I am thinking
about something similar to
rwm-map attribute displayName cn
However, I don't want to map the attribute names but I want to copy the
attribute values, so I guess rwm-map won't be the right way to do it.
I found an old mail in the archives that suggests writing one's own
overlay for that job...
http://www.mail-archive.com/openldap-software@openldap.org/msg12720.html
I wonder if such kind of functionality has already been developed since
that time?
Thanks,
--leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
13 years, 2 months
OpenLDAP authentication problem, need help
by Veikko "Wexi" Skurnik
Hi all,
my OpenLDAP server was working fine, user authentication for
workstations and the postfix/dovecot mail server worked as they should,
I was about to configure gnarwl and now for some reason users cannot
authenticate using the LDAP server. Dovecot also say that it cannot
connect to the server (the mail server and OpenLDAP are running on the
same machine). I can log in to the LDAP server using phpLDAPadmin but I
cannot find anything that would be the cause of the problem. The strange
thing is that I did not do any modifications to the OpenLDAP config
files that could cause the problem (or at least I think so =)). I've
been looking through the config files and made sure that OpenLDAP is
running and now I'm running out of ideas. Any help would be greatly
appreciated and I'll be more than happy to provide more info needed to
solve this problem.
Thanks in advance
Veikko "Wexi" Skurnik
--
* Veikko "Wexi" Skurnik: +358(44)5288338 *
* wexi(a)wexin.net Wexi@IRCNet *
* Näyttämönkatu 4 B 12 33720 Tampere *
* "Kosminen balanssi ei saa järkkyä" *
13 years, 2 months
SASL Auth with -d ok, otherwise internal error 80
by lists@supported.de
Hello list,
this is my first time trying to set up SASL, I'm probably doing
something wrong. Anyhow:
- I'm on OpenSolaris snv_127
- using SUNWopenldap from IPS (which links with bdb 4.7.25) I got strange
slapd (and slapcat) hangs (probably in bdb). This forced me to set it all
up from source.
- I've compiled latest bdb 4.8 from source
- I've compiled latest OpenLDAP 2.4.21 from source with this configure
args:
$ cat myconfigure
export CFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \
CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \
LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib \
-R/usr/local/BerkeleyDB.4.8/lib"
./configure -C \
--prefix=/usr/local/openldap \
--enable-spasswd \
--with-cyrus-sasl \
--enable-syslog
- I've got my slapd.conf [1] in place and initialized my directory
- simple bind always works
- I want SASL with DIGEST-MD5 auth.
- when starting slapd with -d XXX (-d 256) SASL auth. works !!
$ ldapsearch -v -h localhost -p 10389 -LLL -U ldapadmin -D
"cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" -b
"ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" '*'
ldap_initialize( ldap://localhost:10389 )
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: ldapadmin
SASL SSF: 128
SASL installing layers
filter: cn=ldapadmin
requesting: *
dn: cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de
cn: ldapadmin
gidNumber: 5000
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: person
objectClass: top
sn: Admin
uid: ldapadmin
uidNumber: 5000
homeDirectory: /tmp
userPassword:: ********
- when starting slapd without -d I get:
$ ldapsearch -v -h localhost -LLL -U ldapadmin -D
"cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" -b
"ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin"
ldap_initialize( ldap://localhost:10389 )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error
(80)
additional info: SASL(-1): generic failure:
There's an additional problem in that slapd is not logging to syslogd. Cf.
below: I configured "loglevel 8191", and my syslog.conf contains:
local4.debug /var/log/openldap.log
Upon slapd startup I get two entries in the log, but nothing else, no
debugging:
Mar 4 12:48:10 os slapd[8083]: [ID 702911 local4.debug] @(#) $OpenLDAP:
slapd 2.4.21 (Mar 4 2010 12:12:43) $
Mar 4 12:48:10 os
ralph@os:/export/home/ralph/openldap-2.4.21/servers/slapd
Can anybody point me in the right direction? Thanks!
Cheers, Ralph
[1]
slapd.conf:
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel 8191
moduleload back_hdb.la
##############
# I've added these in sick attempts
security ssf=0 sasl=0
sasl-secprops none
############
authz-regexp
uid=(.*),cn=DIGEST-MD5,cn=auth
cn=$1,ou=Users,dc=hh,dc=supported,dc=de
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,shadowLastChange
by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write
by self write
by users read
by anonymous auth
rootdn "cn=root,ou=Users,dc=hh,dc=supported,dc=de"
rootpw ******
database hdb
suffix "dc=hh,dc=supported,dc=de"
directory /var/openldap
index objectClass eq
13 years, 2 months
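The SASL/DIGEST-MD5 bind in the post above, worked through as an added example (this is not code from the post or from OpenLDAP/Cyrus SASL). It implements the RFC 2831 response and rspauth computation for both sides of the exchange and verifies it against the test vector in RFC 2831 section 4. The point it makes for the server side: slapd can only verify a DIGEST-MD5 response if it holds the user's cleartext password (or the unsalted MD5 of user:realm:password), never a salted {SSHA} userPassword; DIGEST-MD5 is also obsolete (RFC 6331). The realm, nonce and username values in the demo are made up.

```python
import hashlib
import secrets
from typing import Optional


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def h_user(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only credential-derived value the server
    needs. It is an unsalted MD5 of the cleartext, so the server must store
    either the cleartext or this 16-byte value to verify a client."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(hu: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, authzid: Optional[str] = None,
                    rspauth: bool = False) -> str:
    """RFC 2831 section 2.1.2.1: response-value (or rspauth when rspauth=True),
    computed from H(user:realm:pass) rather than from the password itself."""
    a1 = hu + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 is "AUTHENTICATE:uri" for the client response and ":uri" for rspauth;
    # auth-int and auth-conf (what "SASL SSF: 128" above negotiated) append
    # 32 zeros.
    a2 = (b"" if rspauth else b"AUTHENTICATE") + f":{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd_input = f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}"
    return _hexh(kd_input.encode("utf-8"))


def client_respond(username: str, realm: str, password: str, nonce: str,
                   digest_uri: str, qop: str = "auth",
                   cnonce: Optional[str] = None,
                   authzid: Optional[str] = None) -> dict:
    """Client side: build the digest-response fields sent after the server challenge."""
    cnonce = cnonce or secrets.token_urlsafe(12)
    nc = "00000001"
    msg = {"username": username, "realm": realm, "nonce": nonce,
           "cnonce": cnonce, "nc": nc, "qop": qop, "digest-uri": digest_uri}
    if authzid:
        msg["authzid"] = authzid
    msg["response"] = digest_response(h_user(username, realm, password),
                                      nonce, cnonce, nc, qop, digest_uri, authzid)
    return msg


def server_verify(msg: dict, stored_hu: bytes, expected_nonce: str) -> Optional[str]:
    """Server side: recompute the response from the stored H(user:realm:pass).
    Returns the rspauth value to send back, or None if the bind must fail."""
    if msg["nonce"] != expected_nonce:
        return None
    args = (stored_hu, msg["nonce"], msg["cnonce"], msg["nc"], msg["qop"],
            msg["digest-uri"], msg.get("authzid"))
    if not secrets.compare_digest(digest_response(*args), msg["response"]):
        return None
    return digest_response(*args, rspauth=True)


def demo() -> bool:
    # Constructed values, not from the post: realm "hh.supported.de" and a
    # random server nonce.
    realm, nonce, uri = "hh.supported.de", secrets.token_urlsafe(12), "ldap/localhost"
    stored = h_user("ldapadmin", realm, "correct horse")
    good = client_respond("ldapadmin", realm, "correct horse", nonce, uri, qop="auth-conf")
    bad = client_respond("ldapadmin", realm, "wrong", nonce, uri, qop="auth-conf")
    return server_verify(good, stored, nonce) is not None and server_verify(bad, stored, nonce) is None


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

Because the server needs h_user() or the cleartext, a slapd that stores hashed userPassword values cannot complete this mechanism on its own; that constraint, not the mechanism's cryptography, is usually what decides whether DIGEST-MD5 is even an option.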
OpenLdap mirrormode cluster with 2 slaves.
by Jan Hugo Prins
Hello,
I have the following setup that gives me some issues at the moment.
I have 2 servers running Fedora 10 with OpenLDAP 2.4.19 that are running
in Mirrormode.
The sync between those 2 servers works just fine.
Besides that we have 2 frontend servers that rely heavily on ldap for
mail delivery and mail transfers. To make this workable we thought about
creating a readonly replica on these servers and tell the sendmail to
use the local ldap as primary. When we had an old version on these
servers (I think 2.4.12) everything worked fine. We now upgraded all
servers to 2.4.19 and the configuration moved to slapd.d format, and now
it looks like those 2 servers don't see the updates on the mirrormode
backend anymore.
I have the following configs; this was from before the migration to slapd.d:
==================
master 1
==================
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 3
#
# Configure a replication consumer
#
syncrepl rid=1
provider=ldap://server2:389
type=refreshAndPersist
retry="60 10 300 +"
interval=00:00:05:00
searchbase="dc=domain,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=syncrepl,dc=domain,dc=com"
credentials=password
mirrormode on
==================
master 2
==================
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 4
#
# Configure a replication consumer
#
syncrepl rid=1
provider=ldap://server1:389
type=refreshAndPersist
retry="60 10 300 +"
interval=00:00:05:00
searchbase="dc=domain,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=syncrepl,dc=domain,dc=com"
credentials=password
mirrormode on
===================
slaves
===================
overlay syncprov
syncprov-checkpoint 100 10
#
# Configure a replication consumer
#
syncrepl rid=1
provider=ldap://ldap:389
type=refreshOnly
retry="60 1 120 1"
interval=00:00:05:00
searchbase="dc=domain,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=syncrepl,dc=domain,dc=com"
credentials=password
updateref ldap://ldap.svc.be.nl:389
updateref ldap://ldap.lan.domain.com:389
============================================
When I empty the DIT on a slave and start it again it gets the full DIT
just fine and I checked this. But after that it is not updated anymore.
Does anyone see here some obvious things I'm missing in these slave or
master configs?
Thanks a lot,
Jan Hugo Prins
13 years, 2 months
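The check a practitioner wants for the "not updated anymore" symptom above is to compare contextCSN between a provider and the suspect consumer. The following is an added example, not code from the post or from OpenLDAP: it parses the contextCSN syntax syncrepl uses (timestamp.microseconds Z, then the change count, the serverID and the modifier number, in hex) and reports, per serverID, whether the consumer is behind. The CSN values embedded at the bottom are constructed; serverIDs 3 and 4 mirror the serverID lines in the master configs above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# contextCSN syntax: YYYYmmddHHMMSS.uuuuuuZ#cccccc#sid#mmmmmm
# (timestamp, microseconds, change count, serverID, modifier number);
# everything after the 'Z' is hexadecimal.
_CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


@dataclass(frozen=True, order=True)
class CSN:
    # Field order matters: comparisons go timestamp, usec, count, sid, mod,
    # which is the right order when comparing two CSNs of the same serverID.
    timestamp: str
    usec: int
    count: int
    sid: int
    mod: int


def parse_csn(value: str) -> CSN:
    m = _CSN_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a contextCSN value: {value!r}")
    ts, usec, count, sid, mod = m.groups()
    return CSN(ts, int(usec), int(count, 16), int(sid, 16), int(mod, 16))


def replica_status(provider_csns: Iterable[str], consumer_csns: Iterable[str]) -> Dict[int, str]:
    """Per serverID: 'ok', 'behind', 'ahead' or 'missing' (consumer has no CSN for it).
    A multi-provider setup keeps one contextCSN value per serverID, so the
    comparison must be done per SID, never on the first value alone."""
    provider = {c.sid: c for c in map(parse_csn, provider_csns)}
    consumer = {c.sid: c for c in map(parse_csn, consumer_csns)}
    status: Dict[int, str] = {}
    for sid, pcsn in provider.items():
        ccsn = consumer.get(sid)
        if ccsn is None:
            status[sid] = "missing"
        elif ccsn < pcsn:
            status[sid] = "behind"
        elif ccsn > pcsn:
            status[sid] = "ahead"
        else:
            status[sid] = "ok"
    return status


def in_sync(provider_csns: Iterable[str], consumer_csns: Iterable[str]) -> bool:
    provider_csns, consumer_csns = list(provider_csns), list(consumer_csns)
    if not provider_csns:
        return False
    return all(s == "ok" for s in replica_status(provider_csns, consumer_csns).values())


# Constructed sample values (not real output): the consumer has caught up
# with serverID 3 but still carries an older CSN for serverID 4.
PROVIDER_CSNS = [
    "20100304101500.123456Z#000000#003#000000",
    "20100304101800.000001Z#000000#004#000000",
]
CONSUMER_CSNS = [
    "20100304101500.123456Z#000000#003#000000",
    "20100304094500.000000Z#000000#004#000000",
]

if __name__ == "__main__":
    for sid, state in sorted(replica_status(PROVIDER_CSNS, CONSUMER_CSNS).items()):
        print(f"serverID {sid:03x}: {state}")
```

To feed it real values, read the suffix entry's contextCSN on each server with `ldapsearch -LLL -x -H ldap://server1 -b dc=domain,dc=com -s base contextCSN` and pass the provider's list and the slave's list in. A slave that shows "missing" or a permanently "behind" SID after a successful initial load is what the post describes.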
combine/link entries in different ou' s
by Marc Mertes
Hi everybody,
I'm not a real pro in ldap yet, so I have a question about ou's.
I have here the main ou=people, where all users are in.
Now I want to create a 2nd ou=radar.
The goal is that I have a 2nd ou with just a few users,
for authentication on some special servers.
I want to have that separated.
My question is, if I can link or combine some users from ou=people
to ou=radar, that I don't have to create the user a 2nd time?
regards marc
13 years, 2 months
Adding ipHost for host based authentication
by Tech Only
Hello,
I am trying to add hosts to the LDAP server for more control on logins.
I have nis.schema in the slapd.conf file. Below is host.ldif file
dn: cn=mldap,ou=hosts,dc=aaa
objectClass: ipHost
ipHostNumber: 10.10.5.115
cn: mldap
When I try to add it I get following error.
ldap_add: Object class violation (65)
additional info: no structural object class provided
My aim is to add all the network servers under ou=hosts, and then assign
access to users depending on the need.
Please help!!!!!!
13 years, 2 months
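The "no structural object class provided" error above comes from slapd's schema check: in nis.schema ipHost is an AUXILIARY class, so an entry listing only ipHost has no STRUCTURAL class, and the usual fix is to add device (STRUCTURAL in core.schema, MUST cn) alongside it. The following is an added example, not code from the post or from OpenLDAP: a small checker over a hand-transcribed subset of core.schema and nis.schema that reproduces that error, and also the "missing required attribute" and "attribute not allowed" checks slapd performs, on the failing entry and on the corrected one.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Subset of core.schema and nis.schema, transcribed by hand for this example.
@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                       # ABSTRACT, STRUCTURAL or AUXILIARY
    sup: Tuple[str, ...] = ()
    must: FrozenSet[str] = frozenset()
    may: FrozenSet[str] = frozenset()


SCHEMA: Dict[str, ObjectClass] = {
    "top": ObjectClass("top", "ABSTRACT", must=frozenset({"objectClass"})),
    "device": ObjectClass("device", "STRUCTURAL", ("top",),
                          must=frozenset({"cn"}),
                          may=frozenset({"serialNumber", "seeAlso", "owner", "ou", "o", "l", "description"})),
    "ipHost": ObjectClass("ipHost", "AUXILIARY", ("top",),
                          must=frozenset({"cn", "ipHostNumber"}),
                          may=frozenset({"l", "description", "manager"})),
}


def _closure(name: str) -> List[str]:
    """The class and all of its superclasses."""
    seen: List[str] = []
    stack = [name]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.append(n)
        stack.extend(SCHEMA[n].sup)
    return seen


def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the schema violations slapd would report for an entry given as
    {attribute: [values]}. Attribute names are compared case-insensitively."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown object class: {c}" for c in unknown]
    closure = set()
    for c in classes:
        closure.update(_closure(c))
    errors: List[str] = []
    structural = [c for c in closure if SCHEMA[c].kind == "STRUCTURAL"]
    if not structural:
        errors.append("no structural object class provided")
    else:
        # Structural classes must form one chain: at most one of them may be
        # a leaf (not the superclass of another structural class present).
        leaves = [s for s in structural
                  if not any(s in _closure(o) for o in structural if o != s)]
        if len(leaves) > 1:
            errors.append("invalid structural object class chain")
    allowed, required = set(), set()
    for c in closure:
        allowed |= {a.lower() for a in SCHEMA[c].must | SCHEMA[c].may}
        required |= {a.lower() for a in SCHEMA[c].must}
    for a in sorted(required - attrs.keys()):
        errors.append(f"missing required attribute: {a}")
    for a in sorted(attrs.keys() - allowed):
        errors.append(f"attribute not allowed: {a}")
    return errors


# The entry from the post (dn omitted) and the corrected one with device added.
BROKEN_ENTRY = {"objectClass": ["ipHost"], "ipHostNumber": ["10.10.5.115"], "cn": ["mldap"]}
FIXED_ENTRY = {"objectClass": ["device", "ipHost"], "ipHostNumber": ["10.10.5.115"], "cn": ["mldap"]}

if __name__ == "__main__":
    print("broken:", check_entry(BROKEN_ENTRY) or "ok")
    print("fixed: ", check_entry(FIXED_ENTRY) or "ok")
```

In LDIF terms the fix is one extra line, `objectClass: device`, before `objectClass: ipHost`; the checker shows why that line is the one that matters and why adding more AUXILIARY classes would not help.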
RE: Comp_matching OPenldap
by romain guignard
Hi
I would like to use component Matching in order to search in complex attribute as certificate.
For this, I have installed Openldap 2.4.9 with --enable-modules=yes . Now I try to compile the openldap-snacc-2.3.6.
For this I execute the make command but I always get errors:
make[3]: Leaving directory `/home/openldap-snacc-2.3.6/c++-examples/src'
make targets
make[3]: Entering directory `/home/openldap-snacc-2.3.6/c++-examples/src'
g++ -I../../c++-lib/inc -I../.. -I./ -I../src -O2 -Wall -DSTDC_HEADERS -fPIC -Wswitch -DLinux -c -o rfc1155-smi.o rfc1155-smi.cpp
../../c++-lib/inc/asn-incl.h:285: warning: ‘class SNACC::PERGeneral’ has virtual functions but non-virtual destructor
../../c++-lib/inc/asn-listset.h: In member function ‘typename std::list<T, std::allocator<_CharT> >::iterator AsnList<T>::append(const T&)’:
../../c++-lib/inc/asn-listset.h:24: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h:24: error: (if you use ‘-fpermissive’, G++ will accept your code, but allowing the use of an undeclared name is deprecated)
../../c++-lib/inc/asn-listset.h: In member function ‘virtual void AsnList<T>::Clear()’:
../../c++-lib/inc/asn-listset.h:50: error: there are no arguments to ‘clear’ that depend on a template parameter, so a declaration of ‘clear’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘virtual SNACC::AsnLen AsnList<T>::Interpret(SNACC::AsnBufBits&, long int) const’:
../../c++-lib/inc/asn-listset.h:75: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:76: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h:82: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘virtual SNACC::AsnLen AsnList<T>::PEnc(SNACC::AsnBufBits&) const’:
../../c++-lib/inc/asn-listset.h:100: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:106: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:106: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h:111: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:112: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:131: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:146: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:152: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:159: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:159: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘virtual void AsnList<T>::PDec(SNACC::AsnBufBits&, SNACC::AsnLen&)’:
../../c++-lib/inc/asn-listset.h:171: error: there are no arguments to ‘clear’ that depend on a template parameter, so a declaration of ‘clear’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘char* AsnList<T>::checkSOfSingleVal(long int) const’:
../../c++-lib/inc/asn-listset.h:244: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:247: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘char* AsnList<T>::checkSOfVRange(long int, long int) const’:
../../c++-lib/inc/asn-listset.h:260: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:263: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:267: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:270: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘virtual int AsnList<T>::checkConstraints(SNACC::ConstraintFailList*) const’:
../../c++-lib/inc/asn-listset.h:280: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:280: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘virtual SNACC::AsnLen AsnList<T>::BEncContent(SNACC::AsnBuf&) const’:
../../c++-lib/inc/asn-listset.h:289: error: there are no arguments to ‘rbegin’ that depend on a template parameter, so a declaration of ‘rbegin’ must be available
../../c++-lib/inc/asn-listset.h:289: error: there are no arguments to ‘rend’ that depend on a template parameter, so a declaration of ‘rend’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnList<T>::Print(std::ostream&, short unsigned int) const’:
../../c++-lib/inc/asn-listset.h:324: error: there are no arguments to ‘empty’ that depend on a template parameter, so a declaration of ‘empty’ must be available
../../c++-lib/inc/asn-listset.h:328: error: there are no arguments to ‘front’ that depend on a template parameter, so a declaration of ‘front’ must be available
../../c++-lib/inc/asn-listset.h:330: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:330: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnList<T>::PrintXML(std::ostream&, const char*) const’:
../../c++-lib/inc/asn-listset.h:343: error: there are no arguments to ‘empty’ that depend on a template parameter, so a declaration of ‘empty’ must be available
../../c++-lib/inc/asn-listset.h:348: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:348: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘SNACC::AsnLen AsnSeqOf<T>::BEnc(SNACC::AsnBuf&) const’:
../../c++-lib/inc/asn-listset.h:383: error: there are no arguments to ‘BEncContent’ that depend on a template parameter, so a declaration of ‘BEncContent’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnSeqOf<T>::BDec(const SNACC::AsnBuf&, SNACC::AsnLen&)’:
../../c++-lib/inc/asn-listset.h:393: error: there are no arguments to ‘clear’ that depend on a template parameter, so a declaration of ‘clear’ must be available
../../c++-lib/inc/asn-listset.h:398: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:403: error: there are no arguments to ‘BDecContent’ that depend on a template parameter, so a declaration of ‘BDecContent’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnSeqOf<T>::Print(std::ostream&, short unsigned int) const’:
../../c++-lib/inc/asn-listset.h:409: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:412: error: there are no arguments to ‘empty’ that depend on a template parameter, so a declaration of ‘empty’ must be available
../../c++-lib/inc/asn-listset.h:416: error: there are no arguments to ‘front’ that depend on a template parameter, so a declaration of ‘front’ must be available
../../c++-lib/inc/asn-listset.h:418: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:418: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnSeqOf<T>::PrintXML(std::ostream&, const char*) const’:
../../c++-lib/inc/asn-listset.h:434: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:437: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:445: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘SNACC::AsnLen AsnSetOf<T>::BEncContent(SNACC::AsnBuf&) const’:
../../c++-lib/inc/asn-listset.h:493: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:493: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnSetOf<T>::BDec(const SNACC::AsnBuf&, SNACC::AsnLen&)’:
../../c++-lib/inc/asn-listset.h:515: error: there are no arguments to ‘clear’ that depend on a template parameter, so a declaration of ‘clear’ must be available
../../c++-lib/inc/asn-listset.h:520: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:526: error: there are no arguments to ‘BDecContent’ that depend on a template parameter, so a declaration of ‘BDecContent’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnSetOf<T>::PDec(SNACC::AsnBufBits&, SNACC::AsnLen&)’:
../../c++-lib/inc/asn-listset.h:535: error: there are no arguments to ‘clear’ that depend on a template parameter, so a declaration of ‘clear’ must be available
../../c++-lib/inc/asn-listset.h:540: error: there are no arguments to ‘append’ that depend on a template parameter, so a declaration of ‘append’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘SNACC::AsnLen AsnSetOf<T>::PEnc(SNACC::AsnBufBits&) const’:
../../c++-lib/inc/asn-listset.h:546: error: there are no arguments to ‘size’ that depend on a template parameter, so a declaration of ‘size’ must be available
../../c++-lib/inc/asn-listset.h:553: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:553: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnSetOf<T>::Print(std::ostream&, short unsigned int) const’:
../../c++-lib/inc/asn-listset.h:572: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:575: error: there are no arguments to ‘empty’ that depend on a template parameter, so a declaration of ‘empty’ must be available
../../c++-lib/inc/asn-listset.h:579: error: there are no arguments to ‘front’ that depend on a template parameter, so a declaration of ‘front’ must be available
../../c++-lib/inc/asn-listset.h:581: error: there are no arguments to ‘begin’ that depend on a template parameter, so a declaration of ‘begin’ must be available
../../c++-lib/inc/asn-listset.h:581: error: there are no arguments to ‘end’ that depend on a template parameter, so a declaration of ‘end’ must be available
../../c++-lib/inc/asn-listset.h: In member function ‘void AsnSetOf<T>::PrintXML(std::ostream&, const char*) const’:
../../c++-lib/inc/asn-listset.h:597: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:600: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
../../c++-lib/inc/asn-listset.h:608: error: there are no arguments to ‘typeName’ that depend on a template parameter, so a declaration of ‘typeName’ must be available
make[3]: *** [rfc1155-smi.o] Error 1
make[3]: Leaving directory `/home/openldap-snacc-2.3.6/c++-examples/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/openldap-snacc-2.3.6/c++-examples/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/openldap-snacc-2.3.6/c++-examples'
make: *** [all] Error 2
Is "Component matching" supported by openldap?
Any help would be greatly appreciated, thanks, Romain
13 years, 2 months
back-sql/BDB question
by beniwtv@relamp.tk
Hello,
I have an OpenLDAP server configured with back-sql. The reason for
this is that I need to export two simple tables as LDAP for contacts
(groups and users) and I don't want a cron job syncing the two every x
hours/minutes (ideally it should be instant). And also (ideally), if
the two programs access the same database there are no inconsistencies
between the two.
All is working perfectly fine, except that changes to existing rows in
the SQL database (MySQL) are not picked up until OpenLDAP is
restarted. Adding new rows works fine, however.
I guess that for each record in ldap_entries, OpenLDAP fetches the
values on startup, but does not check them again, unless there is a
new one which it has no data for. Am I correct here?
Now, I'm wondering if anyone has experienced the same problem, and if
there is a solution? Is this intentional? (could be)
I'm also considering dropping back_sql and just modifying the web
application to also modify OpenLDAP directly via queries; however, I
fear that if one of them goes down, data inconsistency might occur.
(could be resolved with a cron script?)
Any ideas?
Thanks,
Benedikt
13 years, 2 months
Nssov Authorization without Authentication
by Chris Breneman
Is there a way to use nssov PAM LDAP for authorization (the PAM
"account"), without using it for authentication? In my setup, I'm
authenticating users with pam_krb5 separately, and I just want to use
LDAP for authorization and nss. I got nssov working fine with nss, but
not authorization. I want to use the authorizedService attribute of the
user entry for authorization. My nssov configuration is:
dn: olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=people,dc=cluenet,dc=org??one
olcNssPam: userservice
olcNssPamMinUid: 25000
After adding the required entry to the PAM configuration (the account
section only), logins stop working - SSH just disconnects immediately
after the password is entered.
I suspect this is because I'm not using nssov for the PAM
authentication. At the beginning of pam_authz() in nssov, I saw:
/* We don't do authorization if they weren't authenticated by us */
if (BER_BVISEMPTY(&dn)) {
rc = NSLCD_PAM_USER_UNKNOWN;
goto finish;
}
Which leads me to believe that this is what is causing the problem.
Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there,
logins succeed (but authorization is not performed). If I just comment
out that block, logins still don't work, but I get the "service not
permitted" message.
Is there some way to make authorization work without first performing
authentication through nssov?
Thanks,
Chris Breneman
13 years, 3 months
Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
by Jose G. Torres
Hello,
Wow. I feel like an idiot. I solved my problem. My OpenSUSE clients were sending passwords as md5, which left my openldap server unable to read the password information. I changed the clients to send the password as "exop" and that did the trick.
Jose
--- On Thu, 2/25/10, Jose G. Torres <jogeedaklown(a)yahoo.com> wrote:
> From: Jose G. Torres <jogeedaklown(a)yahoo.com>
> Subject: Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
> To: openldap-technical(a)openldap.org
> Date: Thursday, February 25, 2010, 9:04 AM
> Hello again,
> Well I tried the following.
>
> Added the full path of the check_password.so in my
> slapd.conf under "moduleload".
> moduleload /opt/openldap/etc/openldap/modules/check_password.so
>
> Added the full path to my check_password.so module in my
> ldif
> pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so
>
> Recompiled the sources again using the configure used to
> build the openSUSE package.
> CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
> LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
> ./configure --prefix=/opt/openldap --with-tls \
> --enable-spasswd --enable-crypt --with-gnu-ld \
> --enable-ppolicy --enable-modules --enable-dynamic
> --enable-aci --enable-bdb --enable-hdb \
> --enable-rewrite --enable-ldap=yes --enable-meta=mod \
> --enable-monitor=yes --enable-slp --enable-overlays=yes \
>
> Still no luck. At least within my ldap logs I see the
> "Password fails quality checking policy" so at least it is
> hitting the ldap server for password checking. Any
> ideas????? Thanks!!!!
>
> Jose
>
> > I am trying to get my solaris 10 openldap 2.4.21
> server to use my check_password.so module using the ppolicy
> overlay. When I try to change a user's
> > password from a linux client, I get the following
> error message.
> >
> > passwd ldapuser
> > Changing password for ldapuser.
> > Enter login(LDAP) password:
> > New Password:
> > Reenter New Password:
> > LDAP password information update failed: Constraint
> violation
> > Password fails quality checking policy
> > passwd: Permission denied
> >
> >
> > Within
> > my logs, I do not see any error messages from my
> check_password.so
> > module. I created the directory
> /opt/openldap/etc/openldap/modules and
> > placed my module in that directory and I added the
> modulepath in my
> > slapd.conf.
> >
> > Is there something I missed? Is this
> a PAM thing? I know this setup works on a OpenSUSE 11.2
> openldap server. Help.
> >
> > I included part of my slapd.conf, openldap configure,
> check_password.c source, makefile and ldd of my
> check_password.so.
> >
> > Thanks!!!!
> >
> > Jose Torres
> >
> >
> > openldap configure
> > ******************
> >
> > CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
> > LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
> > ./configure --prefix=/opt/openldap --with-tls \
> > --enable-spasswd --enable-crypt --with-gnu-ld \
> > --enable-ppolicy --enable-modules --enable-dynamic
> >
> >
> > slapd.conf:
> > **********
> >
> > include /opt/openldap/etc/openldap/schema/ppolicy.schema
> >
> > # Add password policies.
> > modulepath /opt/openldap/etc/openldap/modules
> > overlay ppolicy
> > ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com"
> > ppolicy_use_lockout
> >
> > I tried ppolicy_clear_txt I still have the same
> problem.
> >
> > check_password.c:
> > ****************
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <ctype.h>
> > #include "portable.h"
> > #include "slap.h"
> >
> > int init_module()
> > {
> >     return 0;
> > }
> >
> > /* Called by slapo-ppolicy for each new password. Returns 0 when the
> >  * password is acceptable and non-zero otherwise; on failure *ppErrStr
> >  * receives a malloc()ed message for the caller. */
> > int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
> > {
> >     char error = 0;
> >     char retmsg[255];
> >     char *message;
> >     const char special[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
> >     const char number[] = "1234567890";
> >     const char CAPS[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
> >
> >     if (strchr(pPasswd, ' ') != NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password contains SPACES! ********");
> >     }
> >
> >     /* strpbrk() returns NULL when none of the listed characters occur.
> >      * The original strtok()/strcmp() test dereferenced a NULL token for
> >      * a password made only of special characters, leaked the strdup()ed
> >      * buffers, and accepted a password whose only special character was
> >      * the first one. */
> >     if (strpbrk(pPasswd, special) == NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password does not contain any special characters! ********");
> >     }
> >
> >     if (strpbrk(pPasswd, number) == NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password does not contain any numbers! ********");
> >     }
> >
> >     /* The original tested against 'number' here instead of 'CAPS'. */
> >     if (strpbrk(pPasswd, CAPS) == NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password does not contain any CAPITAL LETTERS! ********");
> >     }
> >
> >     if (error)
> >     {
> >         /* Allocate and copy the message for the caller (only the last
> >          * failing check's message is reported). */
> >         message = (char *)malloc(strlen(retmsg) + 1);
> >         if (message != NULL)
> >         {
> >             strcpy(message, retmsg);
> >             *ppErrStr = message;
> >         }
> >     }
> >     return error;
> > }
> >
> > Makefile:
> > *********
> >
> > check_password.so: check_password.o
> >     gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_password.o
> > check_password.o: check_password.c
> >     gcc -fpic -I../../include -I. -c check_password.c
> > clean:
> >     rm check_password.so check_password.o
> >
> >
> > It seems to find the right libraries.
> >
> > $ ldd modules/check_password.so
> >     libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2
> >     libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
> >     liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2
> >     libresolv.so.2 => /usr/lib/libresolv.so.2
> >     libgen.so.1 => /usr/lib/libgen.so.1
> >     libnsl.so.1 => /usr/lib/libnsl.so.1
> >     libsocket.so.1 => /usr/lib/libsocket.so.1
> >     libsasl.so.1 => /usr/lib/libsasl.so.1
> >     libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
> >     libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
> >     libc.so.1 => /usr/lib/libc.so.1
> >     libmp.so.2 => /usr/lib/libmp.so.2
> >     libmd.so.1 => /usr/lib/libmd.so.1
> >     libscf.so.1 => /usr/lib/libscf.so.1
> >     libdoor.so.1 => /usr/lib/libdoor.so.1
> >     libuutil.so.1 => /usr/lib/libuutil.so.1
> >     libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
> >     libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
> >     libm.so.2 => /usr/lib/libm.so.2
>
>
>
>
13 years, 3 months
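The resolution in the thread above (clients switched from sending an "md5" userPassword value to "exop") turns on what slapd actually receives. With the Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1) the new password arrives in the clear inside the request value, so slapo-ppolicy can hand it to pwdCheckModule; with a client-side {MD5} hash written straight into userPassword there is no cleartext to check. The following is an added example, not code from the thread or from OpenLDAP: a hand-written BER encoder and decoder for PasswdModifyRequestValue, next to the pre-hashed userPassword form, showing which of the two leaves the server with something to check. The DN and passwords in the tests are made up.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple

# RFC 3062 Password Modify extended operation.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
# PasswdModifyRequestValue ::= SEQUENCE {
#     userIdentity [0] OCTET STRING OPTIONAL,
#     oldPasswd    [1] OCTET STRING OPTIONAL,
#     newPasswd    [2] OCTET STRING OPTIONAL }
_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(data: bytes, i: int) -> Tuple[int, int]:
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or i + n > len(data):
        raise ValueError("bad BER length")
    return int.from_bytes(data[i:i + n], "big"), i + n


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_passwd_modify(user_identity: Optional[str] = None,
                         old_passwd: Optional[str] = None,
                         new_passwd: Optional[str] = None) -> bytes:
    """Build the requestValue of a Password Modify extended request."""
    body = b""
    for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if field is not None:
            body += _tlv(tag, field.encode("utf-8"))
    return _tlv(0x30, body)


def decode_passwd_modify(data: bytes) -> Dict[str, str]:
    """Parse a requestValue; rejects bad lengths and duplicated fields."""
    if not data or data[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_length(data, 1)
    end = i + length
    if end != len(data):
        raise ValueError("length mismatch")
    fields: Dict[str, str] = {}
    while i < end:
        tag = data[i]
        length, i = _read_length(data, i + 1)
        if tag not in _TAGS or _TAGS[tag] in fields or i + length > end:
            raise ValueError("malformed PasswdModifyRequestValue")
        fields[_TAGS[tag]] = data[i:i + length].decode("utf-8")
        i += length
    return fields


def cleartext_from_request(data: bytes) -> Optional[str]:
    """What slapd, and therefore ppolicy's pwdCheckModule, gets to inspect."""
    return decode_passwd_modify(data).get("newPasswd")


def prehashed_userpassword(password: str) -> str:
    """The {MD5} form a client writes into userPassword when it hashes locally
    (the "md5" setting the thread refers to)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def cleartext_from_userpassword(value: str) -> Optional[str]:
    """A userPassword value with a {scheme} prefix carries no cleartext; only a
    bare value (or the extended operation above) can be quality-checked."""
    if value.startswith("{") and "}" in value:
        return None
    return value


if __name__ == "__main__":
    req = encode_passwd_modify("uid=ldapuser,ou=people,dc=example,dc=com", None, "N3w!pass")
    print("exop newPasswd seen by server:", cleartext_from_request(req))
    print("md5 userPassword seen by server:", cleartext_from_userpassword(prehashed_userpassword("N3w!pass")))
```

The decoder is deliberately strict (no indefinite lengths, no repeated fields) because this value is parsed by the server from an authenticated but not necessarily trusted client; the encoder's long-form length branch is exercised by the 200-byte password case.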