openldap-technical April 2010

openldap-technical@openldap.org

66 participants
76 discussions

Re: Re: OpenLDAP and SSH authentification
by Michel Dubois 21 Apr '10

21 Apr '10

It works since my last answer Thank you guys 2010/4/22 Michel Dubois <dubois.michel(a)gmail.com> > It works since my last answer > > Thank you guys > > 2010/4/22 Siddhartha Jain <sjain(a)silverspringnet.com> > > Michel, >> >> You did not specify what linux distro. That info will help. For example, >> on CentOS/RH, all you have to do to enable pam_ldap auth is " >> /usr/bin/authconfig --enableldapauth --update" >> >> Again, on RH/CentOS, this command changes /etc/pam.d/system-auth (linked >> to system-auth-ac). >> >> ------------ >> cat /etc/pam.d/system-auth >> #%PAM-1.0 >> # This file is auto-generated. >> # User changes will be destroyed the next time authconfig is run. >> auth required pam_env.so >> auth sufficient pam_unix.so nullok try_first_pass >> auth requisite pam_succeed_if.so uid >= 500 quiet >> auth sufficient pam_ldap.so use_first_pass >> auth required pam_deny.so >> >> account required pam_unix.so broken_shadow >> account sufficient pam_succeed_if.so uid < 500 quiet >> account [default=bad success=ok user_unknown=ignore] pam_ldap.so >> account required pam_permit.so >> >> password requisite pam_cracklib.so try_first_pass retry=3 >> password sufficient pam_unix.so md5 shadow nullok try_first_pass >> use_authtok >> password sufficient pam_ldap.so use_authtok >> password required pam_deny.so >> >> session optional pam_keyinit.so revoke >> session required pam_limits.so >> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022 >> session [success=1 default=ignore] pam_succeed_if.so service in crond >> quiet use_uid >> session required pam_unix.so >> session optional pam_ldap.so >> --------------- >> >> >> For local users (root and several others), you want to disable LDAP >> lookups. Otherwise, nss_ldap tries to look up these users in LDAP. Add this >> to your /etc/ldap.conf: >> "nss_initgroups_ignoreusers >> root,bin,daemon,adm,mail,ftp,nscd,vcsa,sshd,dbus,avahi,haldaemon,ntp,ldap,named,apache" >> >> Hope this helps. >> >> >> - Siddhartha >> >> >> >> >> From: openldap-technical-bounces+sjain=silverspringnet.com(a)openldap.org[mailto: >> openldap-technical-bounces+sjain <openldap-technical-bounces%2Bsjain>= >> silverspringnet.com(a)openldap.org] On Behalf Of Mackey, Theral >> Sent: Wednesday, April 21, 2010 10:05 AM >> To: openldap-technical(a)openldap.org >> Subject: RE: Re: OpenLDAP and SSH authentification >> >> You probably also want a line in the account section for pam_ldap.so. >> Im not as familiar with opie (know what it is, just havent used it much), >> but since it is set as requisite and before the ldap module, its possibly >> failing your auth stack if you don't have it setup properly. Test with it >> commented out using your ldap user, and again with ldap commented out using >> a local user. Make sure ldap is working by itself (and the same for opie) >> before laying other stuff on top of it. Consult the various pam-opie-ldap >> integration guides on the best way to get that working together. >> >> Since you have pam.d/common-*, those are likely the files you will want to >> edit rather than sshd. The sshd pam config file probably has a line that >> includes the common stack files, which should already have the basic stack >> in them, duplicating it in sshd will cause problems. >> >> (I assume this is a debian style system) Also check that your >> pam_ldap.conf is setup the same as libnss-ldap.conf, you can probably >> replace it with a symlink to libnss-ldap.conf. >> >> Don't use rootbinddn, use binddn or just comment them all out. rootbinddn >> gets its password from a file and expects to be the root/cn=Manager user of >> your directory. Its generally not needed for auth. The bindpw is the pw for >> binddn, which should be a user that can read user/group entries, and auth to >> userPassword. If your directory allows anonymous reads, you can comment both >> out and pam will work with anonymous binds. >> >> You can generally leave the nss_base_* mappings all commented out unless >> your directory is setup strangely, and you probably want pam_password set to >> exop so that ldap handles passwords internally rather than forcing a method >> (unless you have a reason for it (opie req?)). >> >> >> -T >> >> From: openldap-technical-bounces+tmackey=zetta.net(a)OpenLDAP.org [mailto: >> openldap-technical-bounces+tmackey <openldap-technical-bounces%2Btmackey> >> =zetta.net(a)OpenLDAP.org] On Behalf Of dubois.michel(a)gmail.com >> Sent: Wednesday, April 21, 2010 1:57 AM >> To: openldap-technical(a)openldap.org >> Subject: Re: Re: OpenLDAP and SSH authentification >> >> Thanks to all ......... >> >> I add this following in the /etc/libnss-ldap.conf on the server side : >> rootbinddn cn=proxyuser,dc=exemple,dc=org >> bindpw proxy >> pam_password MD5 >> nss_base_passwd ou=people,dc=exemple,dc=org?one >> nss_base_shadow ou=people,dc=exemple,dc=org?one >> nss_base_group ou=groups,dc=exemple,dc=org?one >> >> and I add this line in the /etc/pam.d/common-session file : >> session required pam_mkhomedir.so skel=/etc/skel/ >> >> for creating the home dir when the user is connecting for the first >> time... >> >> Thanks for your help anyway........... >> >> >> >> Le , Ariel <ariel(a)bidcactus.com> a écrit : >> > In your /etc/nsswitch.conf >> > >> > >> > Try changing to these lines: >> > >> > >> > passwd: files ldap >> > group: files ldap >> > shadow: files ldap >> > >> > >> > Also in pam.d/sshd password section try adding: >> > >> > >> > password sufficient pam_ldap.so >> > >> > >> > >> > >> > To make much of this easier you might want to install packages something >> like this for your distro: >> > libpam-ldap >> > libnss-ldap >> > ldap-auth-client >> > ldap-auth-config >> > >> > >> > Good luck. >> > -a >> > >> > >> > >> > >> > On Apr 20, 2010, at 3:15 AM, Michel Dubois wrote: >> > >> > Hello Everyone, >> > >> > I'm newbie on OpenLDAP. I build a LDAP server with one user. I can see >> this user when I did a "getent passwd" on my client. This is meaning that >> my LDAP server is working and my client is connecting on the LDAP server. >> > >> > I already modify my /etc/pam.d/sshd file on t my client machine like >> this : >> > >> > >> > # auth >> > auth required pam_nologin.so no_warn >> > auth sufficient pam_opie.so no_warn no_fake_prompts >> > auth requisite pam_opieaccess.so no_warn allow_local >> > auth sufficient /usr/local/lib/pam_ldap.so no_warn >> > auth required pam_unix.so no_warn try_first_pass >> > >> > # account >> > account required pam_login_access.so >> > account required pam_unix.so >> > >> > # session >> > session required pam_permit.so >> > >> > # password >> > password required pam_unix.so no_warn try_first_pass >> > >> > >> > >> > >> > >> > >> > >> > But I can't be connected in shh mode on my client machine with the user >> login ? And this modification disable my ssh root connection. >> > >> > What do I have to check? >> > Regards, >> > >> > -- >> > ----------------------------------------------------------- >> > Michel Dubois >> > >> > >> > >> > >> > >> > >> > >> > >> > > > > -- > ----------------------------------------------------------- > Michel Dubois > > -- ----------------------------------------------------------- Michel Dubois

1 0

Monitoring OpenLDAP Performance
by rahul.manchanda＠bt.com 21 Apr '10

21 Apr '10

Good Morning All, I need to capture the following stats for a serving LDAP. total_connections bytes_sent completed_operations initiated_operations referrals_sent entries_sent bind_operations unbind_operations add_operations delete_operations modify_operations compare_operations search_operations write_waiters read_waiters I have switched on the monitor mode on LDAP but not sure how can I get these statistics from that. Is there a way that I can capture these stats? Many Thanks in advance!! Regards Rahul Manchanda ------------------------------------------------------------------------ ---------------------------------- Andes , Selfcare Platform Build Team tel: (+91) (20) 66018100 extn: 6178; e-mail: rahul.manchanda(a)bt.com

6 7

OpenLDAP and SSH authentification
by Michel Dubois 21 Apr '10

21 Apr '10

Hello Everyone, I'm newbie on OpenLDAP. I build a LDAP server with one user. I can see this user when I did a "getent passwd" on my client. This is meaning that my LDAP server is working and my client is connecting on the LDAP server. I already modify my */etc/pam.d/sshd file on t my client machine like this : * * # auth auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn auth required pam_unix.so no_warn try_first_pass # account account required pam_login_access.so account required pam_unix.so # session session required pam_permit.so # password password required pam_unix.so no_warn try_first_pass * But I can't be connected in shh mode on my client machine with the user login ? And this modification disable my ssh root connection. What do I have to check? Regards, -- ----------------------------------------------------------- Michel Dubois

5 4

Re: Using Replication Slave For Authentication
by Ariel 21 Apr '10

21 Apr '10

On Apr 20, 2010, at 1:50 PM, Sergiy Stepanenko wrote: > On 04/20/2010 10:49 AM, Ariel wrote: >> On Apr 20, 2010, at 12:20 PM, Sergiy Stepanenko wrote: >> >>> On 04/20/2010 06:12 AM, Ariel wrote: >>>> I have inherited an openldap server (2.4.9) and have set about to making it a bit more fault tolerant. So I have added a syncrepl slave and everything seems to work fine. It pulls down the whole ldap tree and stays in sync in real time with type=refreshAndPersist. I can use command line tools to very that it has all the information from the original master server using a command like this: >>>> >>>> ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W >>>> >>>> My problem however is that when I try to authenticate users against the slave server, it does not work. All attempts fail. Also when I use ApacheDS (graphical LDAP browser) to view its contents, it only shows the Root DSE and none of the child objects like cn=config or any of the users or any of that. I can use ApacheDS fine to view and modify everything on the master server though. >>>> >>>> The slapd.conf config files between the two are exactly the same (except one is declared as sync master and one as slave), the password hashes are successfully replicated to the slave as I can see with ldapsearch, but I have no idea how to debug why it won't authenticate users. For reference, here is my syncrepl config section (in slapd.conf) on the slave: >>>> >>>> syncrepl rid=123 >>>> provider=ldaps://ldap1.domain.com:636 >>>> type=refreshAndPersist >>>> searchbase="dc=domain,dc=com" >>>> filter="(objectClass=*)" >>>> scope=sub >>>> schemachecking=off >>>> bindmethod=simple >>>> binddn="uid=syncuser,ou=People,dc=domain,dc=com" >>>> credentials=syncpassword >>>> >>>> and on the master server: >>>> >>>> moduleload syncprov.la >>>> overlay syncprov >>>> syncprov-checkpoint 100 10 >>>> syncprov-sessionlog 100 >>>> >>>> As a failover/backup server seems extremely prudent especially on the ancient hardware we have running these things, I really want to get this to work properly. Perhaps even later doing a round-robin style load balancing between the two or what have you. >>>> >>>> I have no idea how to debug this, any help would be greatly appreciated! >>>> >>>> -a >>>> >>> >>> Hi >>> >>> If you can show ACL on master and slave it will help to understand why you cannot auth users against slave. From what you described, it looks like slave has either access restriction to userPassword and base DN for users or access fails. I also never noticed any TLS certificates configuration mentioned. >>> >>> -- >>> Sergiy Stepanenko >>> Systems Administrator >>> Information Technology Services >>> University of Saskatchewan >>> ----------------------------------- >>> phone: (306) 966-2762 >>> email:sergiy.stepanenko@usask.ca >> >> >> Hey, thanks for the reply! I can only see the ACL on the slave using ldapsearch from CLI (every user I have tested has seen exactly only the information they are allowed), and all privileges seem to be in working order. >> >> When I use ApacheDS (or any other graphical client) using the same users, I only get the Root DSE which describes what Schema are loaded. Also, we do not use TLS, just ldaps protocol with simple authentication. All clients have `TLS_REQCERT allow` in their /etc/ldap/ldap.conf so a self signed ssl certificate on the server will work. >> > Make sure to use port 663 for SSL connection in ApacheDS, also check what bas DN is set up in Apache (Browser Options) >> Connecting and authenticating from ldapsearch works, but no other mechanisms will work. >> >> I'm probably missing something so simple it would make me cry. Perhaps I should set the loglevel to something ridiculously high and see what it says? > Try loglevel acl conns for starters and look at Apache search log. If it has been an error it would be there. >> >> -a > > Read log ldap or syslog where ever you point slapd output. I suspect that ldap appliances connect->bind->authenticate->access as self, but GUI clients fail to authenticate and resort in anonymous access level which normally looks like access to DSE entry only. > > -- > Sergiy Stepanenko > Systems Administrator > Information Technology Services > University of Saskatchewan > ----------------------------------- > phone: (306) 966-2762 > email:sergiy.stepanenko@usask.ca Putting loglevel to -1 (everything) and logging in with ApacheDS as cn=admin,dc=domain,dc=com (which is supposed to supersede any ACL rules and have read/write to everything I believe) I find a whole lot of "access granted" lines and then towards the end": => access_allowed: search access to "cn=config" "entry" requested => slap_access_allowed: backend default search access denied to "cn=admin,dc=domain,dc=com" => access_allowed: no more rules send_ldap_result: conn=0 op=8 p=3 send_ldap_result: err=32 matched="" text="" Error 32 means object doesn't exist (I think). Which would be true, our LDAP tree has no cn=config. We get the same error on the primary server, so I suppose it is ApacheDS trying to look for what would be in the Apache LDAP implementation. But that's the only error I can find, everything else is miles and miles of "search access granted". I tried to get it to list DN="dc=domain,dc=com" by hand from ApacheDS, and it would not return anything (it says "No base DN returned from server.") although in the logs it shows: conn=6 op=3 SRCH base="dc=domain,dc=com" scope=0 deref=3 filter="(objectClass=*)" conn=6 op=3 SRCH attr=hasSubordinates objectClass => hdb_search bdb_dn2entry("dc=domain,dc=com") => access_allowed: search access to "dc=domain,dc=com" "entry" requested <= root access granted access_allowed: search access granted by manage(=mwrscxd) base_candidates: base: "dc=domains,dc=com" (0x00000001) send_ldap_result: conn=6 op=3 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=4 tag=101 err=0 But when I run the ldapsearch command (as any user) from other computers on the network it returns the DN's information... So I am thoroughly confused... I am pretty sure it is not logging in as anonymous, but I have no idea why only the ldapsearch command is the only thing that can authenticate and retrieve information. It is the same version of openldap as the primary server, it has the same exact config, it has all the same schema loaded, it has the exact full ldap tree. I'm going to explode!@$#@ -a

2 5

RPM spec file
by Joe Friedeggs 21 Apr '10

21 Apr '10

I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated. Thanks in advance, Joe _________________________________________________________________ The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multiaccount&ocid=PID28…

4 6

Outlook and Thunderbird Browsing Openldap
by Kalpin Erlangga Silaen 21 Apr '10

21 Apr '10

Hello all, I have install openldap on CentOS 5.4 (via yum). I want use this openldap for shared address book. I tested on thunderbird and outlook 2007 with results below: on thunderbird: 1. Compose new email, while I type some letter in field To: ; thunderbird can lookup into openldap content 2. In Addressbook menu, I can lookup the content after put some letter in search field and click search 3. in addressbook menu, while I click openldap addressbook, thunderbird can not browse or display all contents (my openldap content only 3 address book for test) basicly I do not have problem with thunderbird integration openldap on outlook 2007 1. Compose new email, while I type some letter in field To: ; outlook can not lookup into openldap content 2. In Addressbook menu, I can lookup the content after put some letter in search filend and click search. 3. In address book menu, while I click Openldap addressbook, outlook 2007 can not browse or display all contents (my openldap content only 3 address book for test). Is it possible to make outlook 2007 for below missions: 1. While compose new email, if I type some letter in field To: ; outlook 2007 supposed to lookup to openldap 2. In addressbook menu, if I click Openldap addressbook, suppose outlook 2007 display all content (limited in configuration) Any idea? Thank you notes: sorry for my english -- Regards, Kalpin Erlangga Silaen "Come now, and let us reason together," Says the LORD, "Though your sins are like scarlet, They shall be as white as snow; Though they are red like crimson, They shall be as wool. --- URL: http://www.kalpin.us YM: kalpinus(a)yahoo.com MSN: kalpinus(a)hotmail.com

3 3

Implementing LDAP logging
by rahul.manchanda＠bt.com 21 Apr '10

21 Apr '10

Hi All, Even on specifying the loglevel and logfile directives in the slapd.conf ldap related logs are not being written to the file. However separate auditlog file is getting created successfully and all the update/delete/modify/insert operations are getting recorded successfully over there. I need to get the ldap related log file created as well but that is something not happening. Also tried specifying the LOCAL4 feature in the syslog.conf and restarted the system logging service but no luck with that as well. I don't want to put the logging options in the ldap start up command line argument but want the log file created from configuration itself. Can someone please suggest on this and also is there a way to implement log rotation for the ldap log file through configuration itself then that will be really helpful. Many Thanks in advance. Regards Rahul Manchanda ------------------------------------------------------------------------ ---------------------------------- Andes , Selfcare Platform Build Team tel: (+91) (20) 66018100 extn: 6178; e-mail: rahul.manchanda(a)bt.com Address: Tech Mahindra, Sharada Center, Erandwana Pune-4

1 0

how to constructure ldap entry when user status is changed
by owen nirvana 21 Apr '10

21 Apr '10

I have some user information ( with certificate ) ,like cn = bob, dc= one, dc = two ,dc = org sn: .. userCertificate;binary::... .. : ... someday , if he would be revoked, should i move it to another entry ( replace a new dn ), like cn = bob, dc = crl ,dc = two ,dc = org or maybe I use the same entry , like cn = bob, dc= one, dc = two ,dc = org sn: .. userCertificate;binary::... .. : ... revoked : true/false revokeTime : ... gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

1 0

Using Replication Slave For Authentication
by Ariel 20 Apr '10

20 Apr '10

I have inherited an openldap server (2.4.9) and have set about to making it a bit more fault tolerant. So I have added a syncrepl slave and everything seems to work fine. It pulls down the whole ldap tree and stays in sync in real time with type=refreshAndPersist. I can use command line tools to very that it has all the information from the original master server using a command like this: ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W My problem however is that when I try to authenticate users against the slave server, it does not work. All attempts fail. Also when I use ApacheDS (graphical LDAP browser) to view its contents, it only shows the Root DSE and none of the child objects like cn=config or any of the users or any of that. I can use ApacheDS fine to view and modify everything on the master server though. The slapd.conf config files between the two are exactly the same (except one is declared as sync master and one as slave), the password hashes are successfully replicated to the slave as I can see with ldapsearch, but I have no idea how to debug why it won't authenticate users. For reference, here is my syncrepl config section (in slapd.conf) on the slave: syncrepl rid=123 provider=ldaps://ldap1.domain.com:636 type=refreshAndPersist searchbase="dc=domain,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="uid=syncuser,ou=People,dc=domain,dc=com" credentials=syncpassword and on the master server: moduleload syncprov.la overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 As a failover/backup server seems extremely prudent especially on the ancient hardware we have running these things, I really want to get this to work properly. Perhaps even later doing a round-robin style load balancing between the two or what have you. I have no idea how to debug this, any help would be greatly appreciated! -a

2 1

openLDAP architecture - centralized repository and authentication
by Marot Laurent 20 Apr '10

20 Apr '10

Hi all, I'm far from being openLDAP and more generally Linux advanced user but I'd love to be if I could find some architecture guidance for the following use case. (I've only been playing from time to time with openLDAP on Windows boxes - shame on me :)) I'm currently using 30 Linux server in my business unit. Almost 10 different sysadmin have to administer those servers. I'd like to have a centralized directory gartering all those 30 x 10 accounts so that I could have one single place du manage my identities. All my servers could then authenticate agains this directory. Could openLDAP and some adding tools provide me the right architecture to reach this goal ? Any pointer on this issue will please me ( Google only lead me to basical information about configuring openLDAP on standalone linux boxes) Thanks a lot LM

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2010