Samba and ldap failover - RH / Centos problem?
by Götz Reinicke - IT Koordinator
Hi folks,
I recently got my LDAP master/slave Samba test environment up and running.
samba-3.0.33-3.15.el5_4.1
openldap-2.3.43-3.el5
The LDAP systems sync fine; Samba users are authenticated by each server
separately if I set them in the Samba conf.
E.g. passdb backend = ldapsam:"ldap://ldap2.filmakademie.de" and
passdb backend = ldapsam:"ldap://ldap1.filmakademie.de"
work.
passdb backend = ldapsam:"ldap://ldap1.filmakademie.de ldap://ldap2.filmakademie.de"
works as long as ldap1 is up. If ldap1 is down, no authentication / switchover
to ldap2 is done.
I've googled, looked up the Samba wiki and finally I found a Fedora 4 related
posting about problems with an ldap_initialize() function ...
So my question: are there any known problems, or what may I check/debug?
Thanks and best regards,
Götz
--
Götz Reinicke
IT-Koordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke(a)filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner
Geschäftsführer:
Prof. Thomas Schadt
10 years, 9 months
Re: openLDAP architecture - centralized repository and authentication
by Francis, Steve (IHG)
OpenLDAP will definitely provide that, as I'm using it for all my new Linux instances.
Steve Francis
IHG - z/OS- zLinux Technical Advisor
Sent from my BlackBerry
________________________________
From: openldap-technical-bounces+steve.francis=ihg.com(a)OpenLDAP.org <openldap-technical-bounces+steve.francis=ihg.com(a)OpenLDAP.org>
To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Mon Apr 19 09:10:17 2010
Subject: openLDAP architecture - centralized repository and authentication
Hi all,
I'm far from being an advanced openLDAP, or more generally Linux, user, but I'd love to be if I could find some architecture guidance for the following use case. (I've only been playing from time to time with openLDAP on Windows boxes – shame on me :-))
I'm currently using 30 Linux servers in my business unit. Almost 10 different sysadmins have to administer those servers. I'd like to have a centralized directory gathering all those 30 x 10 accounts so that I could have one single place to manage my identities. All my servers could then authenticate against this directory.
Could openLDAP and some additional tools provide me the right architecture to reach this goal? Any pointer on this issue will please me (Google only led me to basic information about configuring openLDAP on standalone Linux boxes).
Thanks a lot
LM
10 years, 9 months
Restricting access using host attribute
by Francis, Steve (IHG)
Greetings, I have an LDAP server up and running, all is well. However, I
would like to start restricting access to hosts using the host attribute,
which if I'm correct is part of the account objectClass. This is a SLES
10.3 system. The id that I migrated from /etc/passwd had the host
attribute, but all other ids created later via the YaST GUI interface
do not. I believe this is because they are using inetOrgPerson instead
of account. Is there some way of adding the host attribute to newly
added users?
Steve Francis
Technical Advisor - zSeries, zLinux, z/OS
IHG
Alpharetta Data Center
Ph: 770-442-7157
Cell: 770-906-3122
IM: francisihg
10 years, 9 months
Basic ACL question...I think.
by Ken Kleiner
Hi, I'm new to ACL creation.
We have a fully functional ldap server implementation that is working quite well for user auth.
What I'm trying to do is set up my LDAP server so that when a specific host binds using a particular DN, that host only sees specific entries in the ou=People tree, so that getent, id, nss, pam, etc. only recognize those users.
Is this possible? I'm stumped. Thanks.
Ken Kleiner
System Manager
University of Massachusetts Lowell
Computer Science Department
978 934 3645
10 years, 9 months
Adding Objectclass account gives object class violation
by Shamika Joshi
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following
user, rick, using smbldap-tools, which use the default samba.schema, as shown below.
Now I also want to use "host based authentication" using pam_filter, where I
need to mention a host entry which has to be present in that user record:
pam_filter |(host=cms2)(host=cms3)
However, the "host" attribute appears only if I add "objectclass: account". If I
go ahead and add that here for user rick, it gives me an objectclass violation.
What could be the way out of it? Any inputs would be highly appreciated.
cn: rick
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
sn: rick
givenName: rick
uid: rick
uidNumber: 30003
gidNumber: 513
homeDirectory: /home/rick
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: rick
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-1045966857-3925637060-4258372004-61006
sambaPrimaryGroupSID: S-1-5-21-1045966857-3925637060-4258372004-513
sambaLogonScript: logon.bat
sambaProfilePath: \\x6\profiles\rick
sambaHomePath: \\x6\rick
sambaHomeDrive: H:
sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE
sambaNTPassword: 0CB6948805F797BF2A82807973B89537
sambaPwdLastSet: 1271227877
userPassword: test
Thanks
Shamika
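Both the SLES host-attribute question above and this rick entry run into the same schema rule: `account` (cosine.schema, where `host` is defined) and `inetOrgPerson` are both STRUCTURAL classes on different superior chains, and slapd allows only one structural chain per entry. The Python below is an added example, not code from either post: it models that check over a constructed copy of the rick entry, with SCHEMA a hand-written subset of the standard schema files (kind and SUP only).

```python
# Added example (not from the list posts): model of the structural objectClass
# check behind the 'objectClass violation' seen when `account` is added to a
# user built on inetOrgPerson. SCHEMA is a hand-written subset: kind and SUP only.
SCHEMA = {
    "top":                  ("ABSTRACT",   None),
    "person":               ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson":        ("STRUCTURAL", "organizationalPerson"),
    "account":              ("STRUCTURAL", "top"),  # cosine.schema; defines `host`
    "posixAccount":         ("AUXILIARY",  "top"),
    "shadowAccount":        ("AUXILIARY",  "top"),
    "sambaSamAccount":      ("AUXILIARY",  "top"),
}

def chain(oc):
    """Superior chain of oc, most-derived first, ending in top."""
    out = []
    while oc is not None:
        out.append(oc)
        oc = SCHEMA[oc][1]
    return out

def parse_ldif_entry(text):
    """Minimal parser for one unfolded LDIF entry: {attr: [values]}."""
    attrs = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def structural_chain_check(attrs):
    """slapd's rule: all STRUCTURAL classes must lie on one superior chain."""
    structural = [oc for oc in attrs.get("objectClass", [])
                  if SCHEMA[oc][0] == "STRUCTURAL"]
    for cand in structural:  # ok if one class's chain covers all the others
        if all(o in chain(cand) for o in structural):
            return True, "structural objectClass: " + cand
    return False, "invalid structural object class chain (%s)" % "/".join(structural)

# Constructed entry modelled on user rick (password attributes left out).
RICK = """dn: uid=rick,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount"""

def check_rick(with_account):
    """Check rick as posted, or with `account` added as the poster tried."""
    entry = parse_ldif_entry(RICK)
    if with_account:
        entry["objectClass"].append("account")
    return structural_chain_check(entry)
```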
10 years, 9 months
Re: RPM spec file
by Chris Jacobs
Be careful - it didn't do what I wanted (like 64 bit). And on top of that, none of the tools were in the default paths.
- chris
PS: I only found that after tons of googling too.
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org>
To: jonathan(a)openldap.org <jonathan(a)openldap.org>
Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Thu Apr 15 19:20:16 2010
Subject: RE: RPM spec file
> On 15/04/2010 16:38, Joe Friedeggs wrote:
>>
>> I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated.
>
> The folks at LTB-project maintain RPMs for recent OpenLDAP releases. You
> could either use their pre-built RPMs or grab their spec file from the
> repository:
>
> http://ltb-project.org/wiki/documentation/openldap-rpm
>
> Jonathan
I googled the HECK out of that rpm.......how did I miss the LTB :-(
Thanks, Jonathan, that is just what I was looking for. And thanks to all others that provided input.
Joe
10 years, 9 months
Re: Slapd-ldap proxy between replica and mirror
by masarati@aero.polimi.it
>> Hi,
>>
>> We have a similar scenario that the one explained in the post of Javier
>> Manteiga:
>> http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/200907/m...
>>
>> We have deployed two servers: a master and a replica (delta-syncrepl). We
>> added the chaining configuration that appears in the openldap 2.4
>> administrator's guide (12.3.2) to handle the modifications originating from
>> the replica.
>>
>> Replica slapd.conf:
>>
>> #####################
>> # Chaining configuration #
>> #####################
>> overlay chain
>> chain-uri "ldap://192.168.1.10:389"
>> chain-idassert-bind bindmethod="simple"
>> binddn="cn=replicator,dc=example,dc=com"
>> credentials="secret"
>> mode="self"
>> chain-return-error TRUE
>>
>> ##########
>> # Replica #
>> ##########
>> database bdb
>> suffix "dc=example,dc=com"
>> rootdn "cn=Administrator,dc=example,dc=com"
>> rootpw "secret"
>> ....
>> ##################
>> # Syncrepl directives #
>> ##################
>> syncrepl rid=001
>> provider=ldap://192.168.1.10:389
>> type=refreshAndPersist
>> retry="60 +"
>> searchbase="dc=example,dc=com"
>> filter="(objectclass=*)"
>> scope=sub
>> attrs="*"
>> schemachecking=on
>> binddn="cn=replicator,dc=example,dc=com"
>> bindmethod=simple
>> credentials=secret
>> sizelimit=unlimited
>> logbase="cn=accesslog"
>> logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
>> syncdata=accesslog
>>
>> # Refer updates to the master
>> updateref ldap://192.168.1.10:389
>>
>> The problem appears when we change the single master for a mirrormode
>> configuration (administrator guide 18.3.4.1). In addition, we set up a
>> back-ldap proxy between mirror and replica.
>>
>> back-ldap proxy slapd.conf:
>>
>> ########
>> # Proxy #
>> ########
>> database ldap
>> suffix "dc=example,dc=com"
>> rootdn "cn=slapd-ldap"
>>
>> uri "ldap://192.168.1.20:389 ldap://192.168.1.30:389"
>>
>>
>> The IP addresses are:
>> 192.168.1.10 -> Back-ldap proxy
>> 192.168.1.20 -> Mirror mode server 1
>> 192.168.1.30 -> Mirror mode server 2
>>
>>
>> When we try to modify the password through the replica, we get the following
>> messages on the server where the proxy is located:
>>
>> ldap-proxy[13175]: daemon: activity on 1 descriptor
>> ldap-proxy[13175]: daemon: activity on:
>> ldap-proxy[13175]: 12r
>> ldap-proxy[13175]:
>> ldap-proxy[13175]: daemon: read active on 12
>> ldap-proxy[13175]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
>> ldap-proxy[13175]: connection_get(12)
>> ldap-proxy[13175]: connection_get(12): got connid=1002
>> ldap-proxy[13175]: connection_read(12): checking for input on id=1002
>> ldap-proxy[13175]: op tag 0x66, time 1270632398
>> ldap-proxy[13175]: conn=1002 op=2 do_modify
>> ldap-proxy[13175]: conn=1002 op=2 do_modify: dn (uid=user,ou=people,dc=example,dc=com)
>> ldap-proxy[13175]: => get_ctrls
>> ldap-proxy[13175]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (noncritical)
>> ldap-proxy[13175]: parseProxyAuthz: conn 1002 authzid="dn:uid=user,ou=people,dc=example,dc=com"
>> ldap-proxy[13175]: slap_sasl_getdn: conn 1002 id=dn:uid=user,ou=people,dc=example,dc=com [len=38]
>> ldap-proxy[13175]: >>> dnNormalize: <uid=user,ou=people,dc=example,dc=com>
>> ldap-proxy[13175]: <<< dnNormalize: <uid=user,ou=people,dc=example,dc=com>
>> ldap-proxy[13175]: ==>slap_sasl2dn: converting SASL name uid=user,ou=people,dc=example,dc=com to a DN
>> ldap-proxy[13175]: <==slap_sasl2dn: Converted SASL name to <nothing>
>> ldap-proxy[13175]: parseProxyAuthz: conn=1002 "uid=user,ou=people,dc=example,dc=com"
>> ldap-proxy[13175]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com?
>> ldap-proxy[13175]: <== slap_sasl_authorized: return 48
>> ldap-proxy[13175]: <= get_ctrls: n=1 rc=123 err="not authorized to assume identity"
>> ldap-proxy[13175]: send_ldap_result: conn=1002 op=2 p=3
>> ldap-proxy[13175]: send_ldap_result: err=123 matched="" text="not authorized to assume identity"
>> ldap-proxy[13175]: send_ldap_response: msgid=3 tag=103 err=123
>> ldap-proxy[13175]: conn=1002 op=2 RESULT tag=103 err=123 text=not authorized to assume identity
>> ldap-proxy[13175]: conn=1002 op=2 do_modify: get_ctrls failed
>> ldap-proxy[13175]: daemon: activity on 1 descriptor
>> ldap-proxy[13175]: daemon: activity on:
>>
>> The authorization is denied for cn=replicator,dc=example,dc=com.
>
> The error looks self-explanatory: the identity
> "cn=replicator,dc=example,dc=com" is not authorized to assume the identity
> of the client that attempted the write. The failure appears to happen in
> slap_sasl2dn(), where the user's DN is converted to <nothing> (the
> "mapping" fails). It is not clear why it fails.
Sorry, I take the last sentence back: mapping a DN to nothing means there
was nothing to map. The failure is just later, where (pretty
self-explanatory):
ldap-proxy[13175]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com?
ldap-proxy[13175]: <== slap_sasl_authorized: return 48
ldap-proxy[13175]: <= get_ctrls: n=1 rc=123 err="not authorized to assume identity"
the entry "cn=replicator,dc=example,dc=com" does not have the right to
assume the identity of "uid=user,ou=people,dc=example,dc=com".
> You probably do not show
> enough of your master and replica slapd.conf.
This is correct. Also, the error may depend on the value of the
authzTo/authzFrom attributes of the identities involved in the mapping.
As clearly stated in the slapd-ldap man page about idassert:
[snip] Other identity assertion modes
are anonymous and self, which respectively mean that the empty
or the client’s identity will be asserted; [snip]
For all modes that require
the use of the proxyAuthz control, on the remote server the
proxy identity must have appropriate authzTo permissions, or the
asserted identities must have appropriate authzFrom permissions.
p.
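The check that returned 48 in the log above, modelled in Python as an added example (not slapd's code): it evaluates authzTo values on the proxy identity in the dn.exact / dn.subtree / dn.children / dn.regex forms from slapd.conf(5), assuming authz-policy "to" is set on the remote server (the default policy, "none", permits no proxy authorization at all). Both replicator entries are constructed; the one carrying authzTo is an assumption about what would satisfy the man page text quoted above, not a setting taken from the thread.

```python
# Added example (not slapd code): a model of the slap_sasl_authorized() decision
# in the log above, evaluating authzTo values in the dn.exact / dn.subtree /
# dn.children / dn.regex forms of slapd.conf(5), assuming authz-policy "to".
import re

def normalize_dn(dn):
    """Comparison form: lowercase, no whitespace around RDNs (simplified dnNormalize)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def rule_matches(rule, asserted_dn):
    """True if one authzTo value permits assuming asserted_dn."""
    kind, _, value = rule.partition(":")
    norm = normalize_dn(asserted_dn)
    if kind == "dn.exact":
        return norm == normalize_dn(value)
    if kind == "dn.subtree":                      # base entry and everything below
        base = normalize_dn(value)
        return norm == base or norm.endswith("," + base)
    if kind == "dn.children":                     # below the base, not the base itself
        return norm.endswith("," + normalize_dn(value))
    if kind == "dn.regex":
        return re.fullmatch(value, norm, re.IGNORECASE) is not None
    raise ValueError("unsupported authzTo form: " + rule)

def can_assume(proxy_entry, asserted_dn):
    """Can the proxy identity (the chain/idassert bind DN) become asserted_dn?
    With no matching authzTo the answer is no, which is the 'return 48' above."""
    for rule in proxy_entry.get("authzTo", []):
        if rule_matches(rule, asserted_dn):
            return True, "permitted by " + rule
    return False, "not authorized to assume identity"

# Constructed entries for the replicator identity from the posted configuration.
REPLICATOR_AS_POSTED = {"dn": "cn=replicator,dc=example,dc=com"}  # no authzTo at all
REPLICATOR_WITH_AUTHZTO = {  # assumption: what the quoted man page text asks for
    "dn": "cn=replicator,dc=example,dc=com",
    "authzTo": ["dn.subtree:ou=people,dc=example,dc=com"],
}
USER = "uid=user,ou=people,dc=example,dc=com"
```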
10 years, 9 months
serviceSearchDescriptor problem.
by Miha Krajnc
Hey,
I'm having a problem setting up an OpenLDAP database. I've installed it,
configured it (that took a while, OpenLDAP should really supply a script to
do it manually) and set my server to use it for authentication (as well as
the /etc/passwd file). But now I want to configure the server to work with
the sudoers file so users can use the "sudo" command. Here is where I'm
having problems. I followed this guide:
http://georgia.ubuntuforums.org/showthread.php?p=9121830
And I came to the part where I need to insert this code into the database with
ldapadd:
dn: ou=SUDOers,dc=prvi-dijak,dc=si
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
But here is where i run into a problem. The server always gives out an
error, like this:
ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D
cn=admin,dc=prvi-dijak,dc=si -W -x
Enter LDAP Password:
adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si"
ldap_add: Undefined attribute type (17)
additional info: serviceSearchDescriptor: attribute type undefined
And I have no idea why. I also tried to do it manually. I added the
organizationalUnit with "phpLDAPadmin" but I can not find the
serviceSearchDescriptor attribute anywhere. Could you advise me on how to
fix this problem?
--
Good day, Miha Krajnc.
10 years, 9 months
Facing ldap_sasl_bind_s failed (-1) error for N-way Multimaster ldap replication
by Shamika Joshi
I'm seeing the following errors in syslog after I was done with N-way Multimaster
LDAP replication. I followed these links exactly to configure my master &
slave servers:
http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html
Apr 15 00:28:08 x6 slapd[5783]: slap_client_connect: URI=ldap://x6.testlab.com DN="cn=admin,cn=config" ldap_sasl_bind_s failed (49)
Apr 15 00:28:08 x6 slapd[5783]: do_syncrepl: rid=001 rc 49 retrying (1 retries left)
Apr 15 00:28:08 x6 slapd[5783]: slap_client_connect: URI=ldap://x6slave.testlab.com DN="cn=admin,cn=config" ldap_sasl_bind_s failed (-1)
Apr 15 00:28:08 x6 slapd[5783]: do_syncrepl: rid=002 rc -1 retrying (1 retries left)
While troubleshooting the ldap_sasl_bind_s failed (-1) error in my syslog for
LDAP replication, I have also ended up adding wrong olcSyncrepl entries, as
shown in the snapshot below. How should I go about removing these entries from
my cn=config? Could anyone give me an example?
Thanks
Shamika
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: {CRYPT}7hzU8RaZxaGi2
olcSyncrepl: {0}rid=001 provider=ldap://x6.testlab.com binddn="cn=admin,cn=config" bindmethod=simple credentials=1234 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://x6slave.testlab.com binddn="cn=admin,cn=config" bindmethod=simple credentials=1234 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {2}rid=001 provider=ldap://x6.testlab.com binddn="cn=admin,dc=testlab,dc=com" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1   <====
olcSyncrepl: {3}rid=002 provider=ldap://ldap02.example.com binddn="cn=admin,dc=testlab,dc=com" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1   <====
olcSyncrepl: {4}rid=001 provider=ldap://x6.testlab.com binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1   <====
olcSyncrepl: {5}rid=002 provider=ldap://x6slave.testlab.com binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1   <====
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcOverlay={1}syncprov,olcDatabase={0}config,cn=config   <====
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov

dn: olcOverlay={2}syncprov,olcDatabase={0}config,cn=config   <====
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {2}syncprov

dn: olcOverlay={3}syncprov,olcDatabase={0}config,cn=config   <====
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {3}syncprov

dn: olcOverlay={4}syncprov,olcDatabase={0}config,cn=config   <====
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {4}syncprov

dn: olcOverlay={5}syncprov,olcDatabase={0}config,cn=config   <====
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {5}syncprov
10 years, 9 months
OpenLDAP Data Directory issue
by rahul.manchanda@bt.com
Hello,
For a running LDAP server, if I delete the data directory, the LDAP server is
still responding to reads and writes without giving any error.
All application-related logins are working fine.
Is this picking the data from a cache, or is the actual data itself getting
stored somewhere?
Can someone please provide his/her technical expertise on this behavior?
Regards
Rahul Manchanda
----------------------------------------------------------------------------------------------------
Andes, Selfcare Platform Build Team
tel: (+91) (20) 66018100 extn: 6178; e-mail: rahul.manchanda(a)bt.com
Address: Tech Mahindra, Sharada Center, Erandwana Pune-4
10 years, 9 months