openldap-technical April 2010

openldap-technical@openldap.org

66 participants
76 discussions

Samba and ldap failover - RH / Centos problem?
by Götz Reinicke - IT Koordinator 20 Apr '10

20 Apr '10

Hi folks, I recently got my ldap master slave samba test environment up and runing. samba-3.0.33-3.15.el5_4.1 openldap-2.3.43-3.el5 The ldap systems sync fine, samba users are authenticated by each server seperatly if I set tham in the samba conf. E.g. passdb backend = ldapsam:"ldap://ldap2.filmakademie.de" and passdb backend = ldapsam:"ldap://ldap1.filmakademie.de" work. passdb backend = ldapsam:"ldap://ldap1.filmakademie.de ldap://ldap2.filmakademie.de" works as long, as ldap1 is up. If ldap1 is down, no authentication / switchover to ldap2 is done. I've googled, looked up the samba wiki and finaly I found a posting Fedora 4 related to probems with an ldap_initialize() function ... So my question, are ther any known problems or what may I check/debug? Thanks and best regards, Götz -- Götz Reinicke IT-Koordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke(a)filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzende des Aufsichtsrats: Prof. Dr. Claudia Hübner Geschäftsführer: Prof. Thomas Schadt

1 0

Re: openLDAP architecture - centralized repository and authentication
by Francis, Steve (IHG) 20 Apr '10

20 Apr '10

OpenLdap will definitly provide that, as I'm using it for all my new linux instances Steve Francis IHG - z/OS- zLinux Technical Advisor Sent from my BlackBerry ________________________________ From: openldap-technical-bounces+steve.francis=ihg.com(a)OpenLDAP.org <openldap-technical-bounces+steve.francis=ihg.com(a)OpenLDAP.org> To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Mon Apr 19 09:10:17 2010 Subject: openLDAP architecture - centralized repository and authentication Hi all, I’m far from being openLDAP and more generally Linux advanced user but I’d love to be if I could find some architecture guidance for the following use case. (I’ve only been playing from time to time with openLDAP on Windows boxes – shame on me J) I’m currently using 30 Linux server in my business unit. Almost 10 different sysadmin have to administer those servers. I’d like to have a centralized directory gartering all those 30 x 10 accounts so that I could have one single place du manage my identities. All my servers could then authenticate agains this directory. Could openLDAP and some adding tools provide me the right architecture to reach this goal ? Any pointer on this issue will please me ( Google only lead me to basical information about configuring openLDAP on standalone linux boxes) Thanks a lot LM

1 0

Restricting acces using host attribute
by Francis, Steve (IHG) 20 Apr '10

20 Apr '10

Greetings, I have a Ldap server up and running, all is well. However, I would like to start restricing access to hosts using the host attribute, which if I'm correct is part of the account objectClass. This is a SLES 10.3 system. The id that I migrated from /etc/passwd had the host attribute, but all other id's created later via the YAST gui interface, do not. I believe this is because they are using inetOrgPerson, instead of account. Is there some way of adding the host attribute to newly added users? Steve Francis Technical Advisor - zSeries, zLinux, z/OS IHG Alpharetta Data Center Ph: 770-442-7157 Cell: 770-906-3122 IM: francisihg

1 2

Basic ACL question...I think.
by Ken Kleiner 19 Apr '10

19 Apr '10

Hi, I'm new to ACL creation. We have a fully functional ldap server implementation that is working quite well for user auth. What I'm trying to do is set up my ldap server so that when a specific host binds using a particular DN, that host only sees specific entries in the ou=People tree, so that getent, id, nss, pam, etc only recognizes those users. Is this possible? I'm stumped. Thanks. Ken Kleiner System Manager University of Massachusetts Lowell Computer Science Department 978 934 3645

2 3

Adding Objectclass account gives object class violation
by Shamika Joshi 17 Apr '10

17 Apr '10

I'm using samba-openldap on Ubuntu 9.10 Server. I have created following user:rick using smbldap-tools which use default samba.schema.eg shown below. Now I also want to use "Host based authentication" using pam_filter where I need to mention host entry which has to be present in that user record. pam_filter |(host=cms2)(host=cms3) However "host" attribute appears only if I add "objectclass:account". If I go ahead to add that here for user:rick it gives me objectclass violation. What could be the way out of it? Any inputs would be highly appreciated cn: rick objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount sn: rick givenName: rick uid: rick uidNumber: 30003 gidNumber: 513 homeDirectory: /home/rick loginShell: /bin/bash gecos: System User sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 displayName: rick sambaAcctFlags: [UX] sambaSID: S-1-5-21-1045966857-3925637060-4258372004-61006 sambaPrimaryGroupSID: S-1-5-21-1045966857-3925637060-4258372004-513 sambaLogonScript: logon.bat sambaProfilePath: \\x6\profiles\rick sambaHomePath: \\x6\rick sambaHomeDrive: H: sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE sambaNTPassword: 0CB6948805F797BF2A82807973B89537 sambaPwdLastSet: 1271227877 userPassword: test Thanks Shamika

6 17

Re: RPM spec file
by Chris Jacobs 16 Apr '10

16 Apr '10

Be careful - it didn't do what I wanted (like 64 bit). And on top of that, none of the tools were in the default paths. - chris PS: I only found that after tons of googling too. Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org> To: jonathan(a)openldap.org <jonathan(a)openldap.org> Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Thu Apr 15 19:20:16 2010 Subject: RE: RPM spec file > On 15/04/2010 16:38, Joe Friedeggs wrote: >> >> I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated. > > The folks at LTB-project maintain RPMs for recent OpenLDAP releases. You > could either use their pre-built RPMs or grab their spec file from the > repository: > > http://ltb-project.org/wiki/documentation/openldap-rpm > > Jonathan I googled the HECK out of that rpm.......how did I miss the LBT :-( Thanks, Jonathan, that is just what I was looking for. And thanks to all others that provided input. Joe _________________________________________________________________ Hotmail: Trusted email with Microsoft’s powerful SPAM protection. http://clk.atdmt.com/GBL/go/196390706/direct/01/ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

1 0

Re: Slapd-ldap proxy between replica and mirror
by masarati＠aero.polimi.it 16 Apr '10

16 Apr '10

>> Hi, >> >> We have a similar scenario that the one explained in the post of Javier >> Manteiga: >> http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/200907/msg… >> >> We have deployed two servers: a master and a replica (delta-syncrepl). >> We >> added the chaining configuration that appears in openldap 2.4 >> administrator's guide (12.3.2) to handle the modifications originated >> from >> the replica. >> >> Replica slapd.conf: >> >> ##################### >> # Chaining configuration # >> ##################### >> overlay chain >> chain-uri "ldap://192.168.1.10:389" >> chain-idassert-bind bindmethod="simple" >> binddn="cn=replicator,dc=example,dc=com" >> credentials="secret" >> mode="self" >> chain-return-error TRUE >> >> ########## >> # Replica # >> ########## >> database bdb >> suffix "dc=example,dc=com" >> rootdn "cn=Administrator,dc=example,dc=com" >> rootpw "secret" >> .... >> ################## >> # Syncrepl directives # >> ################## >> syncrepl rid=001 >> provider=ldap://192.168.1.10:389 >> type=refreshAndPersist >> retry="60 +" >> searchbase="dc=example,dc=com" >> filter="(objectclass=*)" >> scope=sub >> attrs="*" >> schemachecking=on >> binddn="cn=replicator,dc=example,dc=com" >> bindmethod=simple >> credentials=secret >> sizelimit=unlimited >> logbase="cn=accesslog" >> logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" >> syncdata=accesslog >> >> # Refer updates to the master >> updateref ldap://192.168.1.10:389 >> >> The problem appears when we change the single master for a mirrormode >> configuration (administrator guide 18.3.4.1). In addition, we set up a >> back-ldap proxy between mirror and replica. >> >> back-ldap proxy slapd.conf: >> >> ######## >> # Proxy # >> ######## >> database ldap >> suffix "dc=example,dc=com" >> rootdn "cn=slapd-ldap" >> >> uri "ldap://192.168.1.20:389 ldap://192.168.1.30:389" >> >> >> The IP addresses are: >> 192.168.1.10 -> Back-ldap proxy >> 192.168.1.20 -> Mirror mode server 1 >> 192.168.1.30 -> Mirror mode server 2 >> >> >> When we try to modify the password through the replica, we get the >> following >> messages in the server where is located the proxy: >> >> ldap-proxy[13175]: daemon: activity on 1 descriptor >> ldap-proxy[13175]: daemon: activity on: >> ldap-proxy[13175]: 12r >> ldap-proxy[13175]: >> ldap-proxy[13175]: daemon: read active on 12 >> ldap-proxy[13175]: daemon: epoll: listen=7 active_threads=0 tvp=NULL >> ldap-proxy[13175]: connection_get(12) >> ldap-proxy[13175]: connection_get(12): got connid=1002 >> ldap-proxy[13175]: connection_read(12): checking for input on id=1002 >> ldap-proxy[13175]: op tag 0x66, time 1270632398 >> ldap-proxy[13175]: conn=1002 op=2 do_modify >> ldap-proxy[13175]: conn=1002 op=2 do_modify: dn >> (uid=user,ou=people,dc=example,dc=com) >> ldap-proxy[13175]: => get_ctrls >> ldap-proxy[13175]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" >> (noncritical) >> ldap-proxy[13175]: parseProxyAuthz: conn 1002 >> authzid="dn:uid=user,ou=people,dc=example,dc=com" >> ldap-proxy[13175]: slap_sasl_getdn: conn 1002 >> id=dn:uid=user,ou=people,dc=example,dc=com [len=38] >> ldap-proxy[13175]: >>> dnNormalize: >> <uid=user,ou=people,dc=example,dc=com> >> ldap-proxy[13175]: <<< dnNormalize: >> <uid=user,ou=people,dc=example,dc=com> >> ldap-proxy[13175]: ==>slap_sasl2dn: converting SASL name >> uid=user,ou=people,dc=example,dc=com to a DN >> ldap-proxy[13175]: <==slap_sasl2dn: Converted SASL name to <nothing> >> ldap-proxy[13175]: parseProxyAuthz: conn=1002 >> "uid=user,ou=people,dc=example,dc=com" >> ldap-proxy[13175]: ==>slap_sasl_authorized: can >> cn=replicator,dc=example,dc=com become >> uid=user,ou=people,dc=example,dc=com? >> ldap-proxy[13175]: <== slap_sasl_authorized: return 48 >> ldap-proxy[13175]: <= get_ctrls: n=1 rc=123 err="not authorized to >> assume >> identity" >> ldap-proxy[13175]: send_ldap_result: conn=1002 op=2 p=3 >> ldap-proxy[13175]: send_ldap_result: err=123 matched="" text="not >> authorized >> to assume identity" >> ldap-proxy[13175]: send_ldap_response: msgid=3 tag=103 err=123 >> ldap-proxy[13175]: conn=1002 op=2 RESULT tag=103 err=123 text=not >> authorized >> to assume identity >> ldap-proxy[13175]: conn=1002 op=2 do_modify: get_ctrls failed >> ldap-proxy[13175]: daemon: activity on 1 descriptor >> ldap-proxy[13175]: daemon: activity on: >> >> The authorization is denied for cn=replicator,dc=example,dc=com. > > The error looks self-explanatory: the identity > "cn=replicator,dc=example,dc=com" is not authorized to assume the identity > of the client that attempted the write. The failure appears to happen in > slap_sasl2dn(), where the user's DN is converted to <nothing> (the > "mapping" fails). It is not clear why it fails. Sorry, I take the last sentence back: mapping a DN to nothing means there was nothing to map. The failure is just later, where (pretty self-explanatory): ldap-proxy[13175]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com? ldap-proxy[13175]: <== slap_sasl_authorized: return 48 ldap-proxy[13175]: <= get_ctrls: n=1 rc=123 err="not authorized to assume identity" the entry "cn=replicator,dc=example,dc=com" does not have the right to assume the identity of "uid=user,ou=people,dc=example,dc=com". > You probably do not show > enough of your master and replica slapd.conf. This is correct. Also, the error may depend on the value of the authzTo/authzFrom attributes of the identities involved in the mapping. As clearly stated in slapd-ldap man page about idassert: [snip] Other identity assertion modes are anonymous and self, which respectively mean that the empty or the client’s identity will be asserted; [snip] For all modes that require the use of the proxyAuthz control, on the remote server the proxy identity must have appropriate authzTo permissions, or the asserted identities must have appropriate authzFrom permissions. p.

2 3

serviceSearchDescriptor problem.
by Miha Krajnc 15 Apr '10

15 Apr '10

Hey, I'm having a problem setting up an openLDAP database. I've installed it, configured it (that took a while, OpenLDAP should realy supply a script to do it manualy) and set my server to use it for authentication (as well as the /etc/passwd file). But now i want to configure the server to work with the sudoers file so users can use the "sudo" command. Here is where i'm having problems. I folowed this guide: http://georgia.ubuntuforums.org/showthread.php?p=9121830 <http://georgia.ubuntuforums.org/showthread.php?p=9121830#post9121830>And i came to the part where i need to insert this code into the database with ldapadd: dn: ou=SUDOers,dc=prvi-dijak,dc=si objectClass: top objectClass: organizationalUnit ou: SUDOers serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com But here is where i run into a problem. The server always gives out an error, like this: ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x Enter LDAP Password: adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si" ldap_add: Undefined attribute type (17) additional info: serviceSearchDescriptor: attribute type undefined And i have no idea why. I also tried to do it manualy. I added the organizationalUnit with "phpLDAPadmin" but i can not find the serviceSearchDescriptor attribute anywhere. Could you advise me on how to fix this problem? -- Good day, Miha Krajnc.

2 2

Facing ldap_sasl_bind_s failed (-1) error for N-way Multimaster ldap replication
by Shamika Joshi 15 Apr '10

15 Apr '10

I'm seeing following erros in syslog after I was done with N-way Multimaster ldap replication. I following these links exactly to configure my master & slave servers http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html Apr 15 00:28:08 x6 slapd[5783]: slap_client_connect: URI=ldap:// x6.testlab.com DN="cn=admin,cn=config" ldap_sasl_bind_s failed (49) Apr 15 00:28:08 x6 slapd[5783]: do_syncrepl: rid=001 rc 49 retrying (1 retries left) Apr 15 00:28:08 x6 slapd[5783]: slap_client_connect: URI=ldap:// x6slave.testlab.com DN="cn=admin,cn=config" ldap_sasl_bind_s failed (-1) Apr 15 00:28:08 x6 slapd[5783]: do_syncrepl: rid=002 rc -1 retrying (1 retries left) While troubleshooting ldap_sasl_bind_s failed (-1) error in my syslog for ldap replication, I have also ended adding wrong olcSyncrepl entries as shown in snapshot below. How should I go about removing these entries from my cn=config? Could anyone give me an example? Thanks Shamika dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=admin,cn=config olcRootPW: {CRYPT}7hzU8RaZxaGi2 olcSyncrepl: {0}rid=001 provider=ldap://x6.testlab.combinddn="cn=admin,cn=con fig" bindmethod=simple credentials=1234 searchbase="cn=config" type=refreshAn dPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=002 provider=ldap://x6slave.testlab.combinddn="cn=admin,c n=config" bindmethod=simple credentials=1234 searchbase="cn=config" type=refr eshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {2}rid=001 provider=ldap://x6.testlab.combinddn="cn=admin,dc=tes <==== tlab,dc=com" bindmethod=simple credentials=secret searchbase="cn=config" type =refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {3}rid=002 provider=ldap://ldap02.example.combinddn="cn=admin,dc <==== =testlab,dc=com" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {4}rid=001 provider=ldap://x6.testlab.combinddn="cn=admin,cn=con <==== fig" bindmethod=simple credentials=secret searchbase="cn=config" type=refresh AndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {5}rid=002 provider=ldap://x6slave.testlab.combinddn="cn=admin,c <==== n=config" bindmethod=simple credentials=secret searchbase="cn=config" type=re freshAndPersist retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov dn: olcOverlay={1}syncprov,olcDatabase={0}config,cn=config <==== objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {1}syncprov dn: olcOverlay={2}syncprov,olcDatabase={0}config,cn=config <==== objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {2}syncprov dn: olcOverlay={3}syncprov,olcDatabase={0}config,cn=config<==== objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {3}syncprov dn: olcOverlay={4}syncprov,olcDatabase={0}config,cn=config<==== objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {4}syncprov dn: olcOverlay={5}syncprov,olcDatabase={0}config,cn=config<==== objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {5}syncprov

1 0

OpenLDAP Data Directory issue
by rahul.manchanda＠bt.com 15 Apr '10

15 Apr '10

Hello, For a running LDAP if I delete the data directory still the LDAP is responding to reads and writes without giving any error. All logins in related to application are working fine. Is this picking the data from cache or actual data itself is getting stored somewhere. Can someone please provide his/her technical expertise on this behavior? Regards Rahul Manchanda ------------------------------------------------------------------------ ---------------------------------- Andes , Selfcare Platform Build Team tel: (+91) (20) 66018100 extn: 6178; e-mail: rahul.manchanda(a)bt.com Address: Tech Mahindra, Sharada Center, Erandwana Pune-4

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2010