Re: use of server-side sorting and virtual list view controls blocks slapd
by Lehnert, Hartmut
Hi Dieter!
We tried
Sizelimit unlimited
in slapd.conf, but the effect is the same: slapd answers "size limit
exceeded". The search request command is
/home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p
9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children
-E!sss="sncertnr:2.5.13.3"
-E!vlv="0/9/0/1:objectclass=SN-ISIS-MTT-MainCert" "objectclass=*"
sncertnr
Besides this effect, we only have 10 records stored in the LDAP database ;-)
For the supported features see the following list:
openldap@ocsp-openldap24:~/openldap-snacc-2.3.6/c-lib>
/home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p
9389 -D cn=openldapadmin -w welcome -b "" -s base +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#
#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The OID 1.3.6.1.4.1.4203.666.8.1 is missing here, but this OID is marked
as kind of experimental. Why do I need this feature and how can I enable
this?
Regards,
Hartmut
13 years, 6 months
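As an added check (not part of the post above), the following script parses the rootDSE output pasted in that post and reports which of the capabilities the failing ldapsearch relies on (server-side sorting, VLV, and the `-s children` scope) the server does not advertise. The OID labels come from the RFCs and OpenLDAP's ldap.h; the function names are the example's own.

```python
"""Check which capabilities a search needs against what the rootDSE advertises.

Added example, not part of the post. ROOTDSE_LDIF is the control/feature
portion of the rootDSE output pasted above; the OID labels come from the
RFCs and from OpenLDAP's ldap.h; function names are the example's own.
"""
import re

# Constructed input: the rootDSE entry from "ldapsearch ... -b '' -s base +" above.
ROOTDSE_LDIF = """\
dn:
structuralObjectClass: OpenLDAProotDSE
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
"""

SSS_OID = "1.2.840.113556.1.4.473"          # server-side sorting, RFC 2891
VLV_OID = "2.16.840.1.113730.3.4.9"         # virtual list view request
CHILDREN_SCOPE_OID = "1.3.6.1.4.1.4203.666.8.1"  # OpenLDAP "children" scope feature

# Human-readable names for the OIDs that matter for this search.
KNOWN_OIDS = {
    SSS_OID: "server-side sorting control (RFC 2891)",
    VLV_OID: "virtual list view request control",
    "1.2.840.113556.1.4.319": "simple paged results control (RFC 2696)",
    CHILDREN_SCOPE_OID: "subordinate (children) search scope feature, OpenLDAP experimental",
}


def parse_rootdse(ldif):
    """Collect the rootDSE attributes as {name: set(values)}.
    LDIF folds long values onto continuation lines that start with a space,
    so those are unfolded first; comment lines are skipped."""
    attrs = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), set()).add(value.strip())
    return attrs


def missing_capabilities(attrs, required):
    """Return {oid: label} for every required OID the server does not
    advertise as a control, feature or extension."""
    advertised = set()
    for attr in ("supportedControl", "supportedFeatures", "supportedExtension"):
        advertised |= attrs.get(attr, set())
    return {oid: KNOWN_OIDS.get(oid, "unknown OID")
            for oid in required if oid not in advertised}


def check_search(attrs, use_sss, use_vlv, children_scope):
    """Map the options of the failing ldapsearch (-E sss, -E vlv, -s children)
    onto the OIDs they depend on. VLV is only valid together with server-side
    sorting, so -E vlv requires both controls."""
    required = []
    if use_sss or use_vlv:
        required.append(SSS_OID)
    if use_vlv:
        required.append(VLV_OID)
    if children_scope:
        required.append(CHILDREN_SCOPE_OID)
    return missing_capabilities(attrs, required)


if __name__ == "__main__":
    for oid, label in check_search(parse_rootdse(ROOTDSE_LDIF), True, True, True).items():
        print(f"not advertised: {oid} ({label})")
```

Run against the pasted rootDSE, the only unadvertised dependency is the children-scope feature, which is what the `-s children` option needs.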
More on dynamic group searches
by Ian Collins
Hello,
This is my first post here, so if I'm going over old ground, please let
me know (I have searched).
I have looked through the archives and reached the conclusion that there
isn't a convenient means of searching for groups based on a dynamic
entry. For example, if I have a dynlist entry containing
olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember
uniqueMember is dynamically added to search results, but can't be part
of the search.
Is this conclusion correct?
I am migrating a client over from Sun's directory manager (which does
allow searching on dynamic attributes) to OpenLDAP, so I have to support
all the client applications that currently authenticate against and use
LDAP. For example:
filter="(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))"
attrs="gidNumber"
--
Ian.
Re: choosing replication strategies
by Chris Jacobs
The admin guide really does a pretty good job of covering the different replication methods, I'd check it out a bit more. :)
- chris
PS: I'm no guru, and have recently identified an issue with mirror-mode and ppolicy. I'll be reviewing them again myself.
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org>
To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Wed May 26 06:35:50 2010
Subject: Re: choosing replication strategies
On Wed, May 26, 2010 at 09:03:03AM +0200, Nikola Radovanovic wrote:
> Is the N-way multimaster replication best bet, or is it possible to
> use some other strategy, like mirroring?
See MirrorMode replication in OpenLDAP admin guide.
Regards,
Luka
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Openldap with back-sql (Oracle)
by honey bajaj
Hi All,
I have configured OpenLDAP 2.3.32 with back-sql, having followed the README and http://www.easysoft.com/applications/openldap/back-sql-odbc.html to create the test and metadata. But while performing a search I am receiving the following errors:
ldapsearch -x -b dc=example,dc=com name=Mitya
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: name=Mitya
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
May 25 10:23:12 ldap1p slapd[7211]: backsql_load_schema_map("inetOrgPerson"): autoadding 'objectClass' and 'ref' mappings
May 25 10:23:12 ldap1p slapd[7211]: backsql_close_db_conn(4294967295)
May 25 10:23:12 ldap1p slapd[7211]: slap_listener(ldap:///)
May 25 10:23:29 ldap1p slapd[7211]: daemon: listen=8, new connection on 9
May 25 10:23:29 ldap1p slapd[7211]: daemon: added 9r (active) listener=(nil)
May 25 10:23:29 ldap1p slapd[7211]: conn=0 fd=9 ACCEPT from IP=127.0.0.1:32793 (IP=0.0.0.0:389)
May 25 10:23:29 ldap1p slapd[7211]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 25 10:23:29 ldap1p slapd[7211]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 25 10:23:29 ldap1p slapd[7211]: daemon: activity on 1 descriptor
May 25 10:23:29 ldap1p slapd[7211]: daemon: activity on:
May 25 10:23:29 ldap1p slapd[7211]: 9r
May 25 10:23:29 ldap1p slapd[7211]:
May 25 10:23:29 ldap1p slapd[7211]: daemon: read active on 9
May 25 10:23:29 ldap1p slapd[7211]: connection_get(9)
May 25 10:23:29 ldap1p slapd[7211]: connection_get(9): got connid=0
May 25 10:23:29 ldap1p slapd[7211]: connection_read(9): checking for input on id=0
May 25 10:23:29 ldap1p slapd[7211]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 25 10:23:29 ldap1p slapd[7211]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 25 10:23:29 ldap1p slapd[7211]: do_bind
May 25 10:23:29 ldap1p slapd[7211]: >>> dnPrettyNormal:
May 25 10:23:29 ldap1p slapd[7211]: > dnPrettyNormal:
May 25 10:23:29 ldap1p slapd[7211]: backsql_search(): base="dc=example,dc=com", filter="(name=mitya)", scope=2,
May 25 10:23:29 ldap1p slapd[7211]: deref=0, attrsonly=0, attributes to load: all
May 25 10:23:29 ldap1p slapd[7211]: ==>backsql_get_db_conn()
May 25 10:23:29 ldap1p slapd[7211]: ==>backsql_open_db_conn(0)
May 25 10:23:29 ldap1p slapd[7211]: conn=0 op=0 RESULT tag=97 err=0 text=
May 25 10:23:29 ldap1p slapd[7211]: do_bind: v3 anonymous bind
May 25 10:23:29 ldap1p slapd[7211]: backsql_open_db_conn(0): connected, adding to tree.
May 25 10:23:29 ldap1p slapd[7211]:
openldap & outlook 2007 browsing
by Mark Bojara
Hey OpenLDAP Gurus!
I'm sure the above mentioned topic has been discussed a million times, but
with my hours of googling I have not been able to find anything
conclusive. I know this isn't directly related to OpenLDAP and you don't
really support 3rd party software, but I'm running out of places to ask
this question, and out of time. I have gotten OpenLDAP running with MS Outlook
2007 as a client. I am able to search for entries found on my OpenLDAP
server; however, when I open the main address book window it does not
display all the entries at once (aka browsing). I have started OpenLDAP
with debug 256 mode and I can see connections made before clicking the
Find button (proving that the "Enable Browsing" option in Outlook does
do something), however it still doesn't display anything. Does anyone know
where I can go from here, or at least point me to the right place I can
ask this question?
Thanks a lot
Mark
choosing replication strategies
by Nikola Radovanovic
hi,
I am new to OpenLDAP and this is my first post here, so if I missed
out on the listing - please, tell me.
I read the admin guide, and also got the LDAP System Administration book
(unfortunately, it is outdated for the replication part).
I am in search of the best replication strategy for the following
scenario: we have 2 geographically distant 'sites' (between two of them
is WAN), and each of these needs to have 2 (or sometimes more) OpenLDAP
servers. if some data is to be changed, it is done only on one 'site'
(our software will redirect client calls to the specific one, based on
our business logic). 'sites' must replicate data between them, and that
should be done via exactly one dedicated OpenLDAP server in each 'site'
(or at least it seems right :) )
Is the N-way multimaster replication best bet, or is it possible to use
some other strategy, like mirroring?
Naturally, servers will contain mostly some personal data which is
rarely changed (but often read)...
regards
nikola
Summary of dynamic groups
by Ian Collins
Hello again,
My earlier thread appears to have been hijacked, so I'm starting a new
one for the summary of my investigations.
My current understanding is as follows:
There are three overlays that can be used to manage groups dynamically:
dynlist, autogroup and memberof.
- dynlist works well for including members specified in a URL in the
result of a search on a group. The dynamic members cannot be included
in a search filter.
- autogroup works well for including members specified in a URL in the
result of a search on a group. The dynamic members can be included in a
search filter, but the only supported list attribute is 'member', which
limits its use.
- memberof works well for reverse group management, including the group DN
in the entries for group members. It only works with DN-valued
attributes, so it can't be used with clients that expect POSIX group
members to be listed by 'memberUid' rather than 'member'.
From the above, I don't see a way to use OpenLDAP in an existing
environment where dynamic groups are searched for by members and don't
list their members with the 'member' attribute.
Please tell me I'm wrong (and how)!
Thanks,
--
Ian.
RE: ppolicy master/slave issue (currently "forward ppolicy updates" OR "authenticate")
by Siddhartha Jain
One more observation:
1. When changing the password on the client, with the client pointing at the slave (with chaining enabled), the password change only goes through when the right password is supplied.
2. But entering a wrong password won't give you a password fail message.
Look at this transaction, where I enter a wrong password for password change:
$ passwd
Changing password for user joe.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Strong(er) authentication required
only authenticated users may change passwords
passwd: Permission denied
From: Siddhartha Jain
Sent: Tuesday, May 25, 2010 5:16 PM
To: openldap-technical(a)openldap.org
Subject: RE: ppolicy master/slave issue (currently "forward ppolicy updates" OR "authenticate")
I replicated the setup and issues with slapd.d configuration.
Running OpenLDAP 2.4.21 on CentOS x64.
1. Master and slave setup with ppolicy overlay.
2. When client points to master, pwdFailures are duly recorded and respected. Password auth works as expected.
3. When the client points to the slave with chaining disabled, password auth and changes work fine, but obviously pwdFailures are not recorded anywhere - neither on the slave nor on the master.
4. When the client points to the slave with chaining enabled, password auth breaks, meaning a user can type any string and still get a successful auth. Interestingly, in this case, pwdFailures get recorded on the slave and master.
Why or how a bind succeeds with a wrong password is weird. With slapd.d type config, the chain directives go under "frontendconfig" so I suspect the solution must lie there.
As a sidenote, I am thinking of doing without slaves and just creating more primaries in multi-mode replication. Seems less complicated in terms of configuration and maintenance.
Thanks,
- Siddhartha
> -----Original Message-----
> From: openldap-technical-bounces+sjain=silverspringnet.com(a)openldap.org
> [mailto:openldap-technical-
> bounces+sjain=silverspringnet.com(a)openldap.org] On Behalf Of Chris
> Jacobs
> Sent: Tuesday, May 25, 2010 9:16 AM
> To: openldap-technical(a)openldap.org
> Subject: RE: ppolicy master/slave issue (currently "forward ppolicy
> updates" OR "authenticate")
>
> Haven't heard anything on this yet...
>
> If someone could point me to some documentation, or better, graphic
> illustration, of how OpenLDAP 'works', perhaps I can figure this out on
> my own.
>
> Thanks,
> - chris
>
> -----Original Message-----
> From: openldap-technical-
> bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org [mailto:openldap-
> technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org] On Behalf Of
> Chris Jacobs
> Sent: Thursday, May 06, 2010 11:45 AM
> To: openldap-technical(a)openldap.org
> Subject: RE: ppolicy master/slave issue (currently "forward ppolicy
> updates" OR "authenticate")
>
> Anyone?
>
> I can't be the only person trying to implement ppolicy_forward_updates
> and have users actually authenticate...
>
> I've been poring over the documentation:
>
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
> http://www.symas.com/blog/?page_id=66
> http://www.openldap.org/software/man.cgi?query=slapo-
> ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
> Which indicates: "This setting is only useful on a replication
> consumer, and also requires the updateref setting and chain overlay to
> be appropriately configured."
>
> I tried "chain-rebind-as-user" and that didn't seem to help (you can
> see it in the configs below) - at least, how I tried it. Perhaps I
> misunderstand something (I'm hoping at least)
>
> I'm totally at a loss here...
>
> - chris
>
> -----Original Message-----
> From: openldap-technical-
> bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org [mailto:openldap-
> technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org] On Behalf Of
> Chris Jacobs
> Sent: Monday, May 03, 2010 9:07 AM
> To: openldap-technical(a)openldap.org
> Subject: RE: ppolicy master/slave issue
>
> Really, I think this comes down to how to:
> * ppolicy_forward_updates requiring privileges
> * authentication NOT requiring privileges
>
> How do I split the two? Let ppolicy forward updates, which requires
> privileges, and NOT specify any authentication while users are
> authenticating?
>
> Thanks,
> - chris
>
> -----Original Message-----
> From: openldap-technical-
> bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org [mailto:openldap-
> technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org] On Behalf Of
> Chris Jacobs
> Sent: Thursday, April 29, 2010 2:55 PM
> To: openldap-technical(a)openldap.org
> Subject: ppolicy master/slave issue
>
> Hello again,
>
> I'm having an odd issue with ppolicy and my master/slave config.
>
> First, my goals
> General use:
> Slave handles all reads locally.
> Writes get forwarded to the master by the slave.
>
> Password policy:
> When password failures happen on clients using slave ldap servers,
> the failures, etc, get passed to the master to get replicated to the
> slaves.
> I understand this would be done using the ppolicy option:
> ppolicy_forward_updates
>
> Authentication:
> Actually authenticate (more later).
>
> To the problem:
> ---------------
> When I leave the section in the chain bit of SLAVE slapd.conf below
> marked by lines intact (which bind as root):
> * ppolicy_forward_updates seems to work great - the master shows
> matching "pwdFailureTime" attributes.
> * Regardless of password entered, you get a shell. User/bad password =
> get a shell! This being a problem should be obvious.
> I suspect that's due to the chain overlay section...
>
> If I comment out the lines in the SLAVE slapd.conf:
> * authentication actually requires authentication (bad password = no
> authentication)
> * ppolicy_forward_updates don't work (no updates to master)
>
> It's possible that from my description some may already know my issue -
> however, just to be sure, I've pasted below 'bare' versions of the:
> * a master slapd.conf (sans schema includes)
> * a slave slapd.conf (sans schema includes)
> * /etc/ldap.conf (using slave)
> * /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard -
> they are NOT the same)
> * /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac
> for all types).
>
> Thanks for any help (and, likely, pointing out any 'stupids' below),
> - chris
>
> PS: Feel free to critique - you won't hurt my feelings.
>
> MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
> ----------------------------------------------------------------------
> serverID 1
> loglevel 0
> pidfile /usr/local/var/openldap-data/run/slapd.pid
> argsfile /usr/local/var/openldap-data/run/slapd.args
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
> TLSVerifyClient never
> password-hash {MD5}
> sizelimit size.soft=500 size.hard=unlimited
> timelimit time.soft=3600 time.soft=unlimited
> database bdb
> suffix "dc=example,dc=net"
> rootdn "cn=root,dc=example,dc=net"
> rootpw "secret"
> directory "/usr/local/var/openldap-data"
> include /etc/openldap/slapd.access.conf
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
> index operatingSystem pres,eq
> index host pres,eq
> index rack eq
> index entryUUID eq
> index uniqueMember eq
> index entryCSN eq
> index site eq
> overlay ppolicy
> ppolicy_hash_cleartext
> ppolicy_use_lockout
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 10
> syncrepl rid=2
> provider=ldaps://ldapmaster2.corp.example.net
> type=refreshAndPersist
> interval=00:00:10:00
> searchbase="dc=example,dc=net"
> bindmethod=simple
> binddn="cn=root,dc=example,dc=net"
> credentials="secret"
> retry="15 20 60 +"
> mirrormode on
> database monitor
>
> SLAVE slapd.conf:
> -----------------
> serverID 13
> loglevel 0
> pidfile /usr/local/var/openldap-data/run/slapd.pid
> argsfile /usr/local/var/openldap-data/run/slapd.args
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
> TLSVerifyClient never
> password-hash {MD5}
> sizelimit size.soft=500 size.hard=unlimited
> timelimit time.soft=3600 time.soft=unlimited
> overlay chain
> chain-uri ldaps://ldap-vip.corp.example.net/
> chain-rebind-as-user TRUE
> vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> chain-idassert-bind bindmethod="simple"
> binddn="cn=root,dc=example,dc=net"
> credentials="secret"
> mode="self"
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> chain-tls ldaps
> chain-return-error TRUE
> database bdb
> suffix "dc=example,dc=net"
> rootdn "cn=root,dc=example,dc=net"
> rootpw "secret"
> directory "/usr/local/var/openldap-data"
> include /etc/openldap/slapd.access.conf
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
> index operatingSystem pres,eq
> index host pres,eq
> index rack eq
> index entryUUID eq
> index uniqueMember eq
> index entryCSN eq
> index site eq
> overlay ppolicy
> ppolicy_hash_cleartext
> ppolicy_use_lockout
> ppolicy_forward_updates
> syncrepl rid=1
> provider=ldaps://ldap-vip.corp.example.net
> type=refreshAndPersist
> interval=00:00:10:00
> searchbase="dc=example,dc=net"
> bindmethod=simple
> binddn="cn=root,dc=example,dc=net"
> credentials="secret"
> retry="15 20 60 +"
> updateref "ldaps://ldap-vip.corp.example.net"
> database monitor
>
> /etc/openldap/ldap.conf: (same on all LDAP servers)
> ---------------------------------------------------
> uri ldaps://localhost
> base dc=example,dc=net
> network_timeout 0
> sizelimit 0
> timelimit 0
> tls_cacert /etc/openldap/cacerts/cacert.pem
> tls_reqcert demand
>
> /etc/ldap.conf: (on client using slave)
> ---------------------------------------
> uri ldaps://ldap-vip.dc1.example.net
> timelimit 10
> bind_timelimit 10
> bind_policy soft
> base dc=example,dc=net
> scope sub
> ssl on
> tls_checkpeer no
> tls_cacertfile /etc/openldap/cacert.pem (contents same as
> /etc/openldap/cacerts/cacert.pem)
> pam_login_attribute uid
> pam_lookup_policy yes
> pam_password exop
>
> /etc/pam.d/system-auth-ac:
> --------------------------
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so sha256 shadow nullok
> try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
ppolicy master/slave issue
by Chris Jacobs
Hello again,
I'm having an odd issue with ppolicy and my master/slave config.
First, my goals
General use:
Slave handles all reads locally.
Writes get forwarded to the master by the slave.
Password policy:
When password failures happen on clients using slave ldap servers, the failures, etc, get passed to the master to get replicated to the slaves.
I understand this would be done using the ppolicy option: ppolicy_forward_updates
Authentication:
Actually authenticate (more later).
To the problem:
---------------
When I leave the section in the chain bit of SLAVE slapd.conf below marked by lines intact (which bind as root):
* ppolicy_forward_updates seems to work great - the master shows matching "pwdFailureTime" attributes.
* Regardless of password entered, you get a shell. User/bad password = get a shell! This being a problem should be obvious.
I suspect that's due to the chain overlay section...
If I comment out the lines in the SLAVE slapd.conf:
* authentication actually requires authentication (bad password = no authentication)
* ppolicy_forward_updates don't work (no updates to master)
It's possible that from my description some may already know my issue - however, just to be sure, I've pasted below 'bare' versions of the:
* a master slapd.conf (sans schema includes)
* a slave slapd.conf (sans schema includes)
* /etc/ldap.conf (using slave)
* /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are NOT the same)
* /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all types).
Thanks for any help (and, likely, pointing out any 'stupids' below),
- chris
PS: Feel free to critique - you won't hurt my feelings.
MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
----------------------------------------------------------------------
serverID 1
loglevel 0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile /usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
database bdb
suffix "dc=unix,dc=aptimus,dc=net"
rootdn "uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
rootpw "secret"
directory "/usr/local/var/openldap-data/aptimus"
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10
syncrepl rid=2
provider=ldaps://ldapmaster2.corp.aptimus.net
type=refreshAndPersist
interval=00:00:10:00
searchbase="dc=unix,dc=aptimus,dc=net"
bindmethod=simple
binddn="uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
credentials="secret"
retry="15 20 60 +"
mirrormode on
database monitor
SLAVE slapd.conf:
-----------------
serverID 13
loglevel 0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile /usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
overlay chain
chain-uri ldaps://ldap-vip.corp.aptimus.net/
chain-rebind-as-user TRUE
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
chain-idassert-bind bindmethod="simple"
binddn="uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
credentials="Ten%20two"
mode="self"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
chain-tls ldaps
chain-return-error TRUE
database bdb
suffix "dc=unix,dc=aptimus,dc=net"
rootdn "uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
rootpw "secret"
directory "/usr/local/var/openldap-data/aptimus"
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates
syncrepl rid=1
provider=ldaps://ldap-vip.corp.aptimus.net
type=refreshAndPersist
interval=00:00:10:00
searchbase="dc=unix,dc=aptimus,dc=net"
bindmethod=simple
binddn="uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
credentials="secret"
retry="15 20 60 +"
updateref "ldaps://ldap-vip.corp.aptimus.net"
database monitor
/etc/openldap/ldap.conf: (same on all LDAP servers)
---------------------------------------------------
uri ldaps://localhost
base dc=unix,dc=aptimus,dc=net
network_timeout 0
sizelimit 0
timelimit 0
tls_cacert /etc/openldap/cacerts/cacert.pem
tls_reqcert demand
/etc/ldap.conf: (on client using slave)
---------------------------------------
uri ldaps://ldap-vip.dc1.aptimus.net
timelimit 10
bind_timelimit 10
bind_policy soft
base dc=unix,dc=aptimus,dc=net
scope sub
ssl on
tls_checkpeer no
tls_cacertfile /etc/openldap/cacert.pem (contents same as /etc/openldap/cacerts/cacert.pem)
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
/etc/pam.d/system-auth-ac:
--------------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
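As an added audit aid for the slave slapd.conf posted in this thread and in the "RE: ppolicy master/slave issue" thread above (example code, not from either poster), the following linter parses slapd.conf directives, including continuation lines, and flags the settings those threads turn on: the SSLv2 cipher string, the {MD5} password hash, the duplicated time.soft key, the cleartext rootpw, and a chain-idassert-bind that asserts the rootdn identity. The check names and severities are the example's own.

```python
"""Lint a slapd.conf for the settings the ppolicy/chain threads turn on.

Added example, not code from the threads. SLAVE_CONF is the slave slapd.conf
posted above, trimmed to the relevant directives; the check names and
severities are the example's own.
"""
import re

# Constructed input: the SLAVE slapd.conf from the thread (continuation
# lines indented, as slapd.conf expects).
SLAVE_CONF = """\
serverID 13
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
overlay chain
chain-uri ldaps://ldap-vip.corp.example.net/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
    binddn="cn=root,dc=example,dc=net"
    credentials="secret"
    mode="self"
chain-tls ldaps
chain-return-error TRUE
database bdb
suffix "dc=example,dc=net"
rootdn "cn=root,dc=example,dc=net"
rootpw "secret"
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates
updateref "ldaps://ldap-vip.corp.example.net"
"""

WEAK_HASHES = {"{MD5}", "{SMD5}", "{CRYPT}", "{CLEARTEXT}"}


def parse_directives(text):
    """Return [(directive, argument string)]. slapd.conf continues a directive
    on lines that start with whitespace, so those are joined to the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + raw.strip())
            continue
        name, _, args = raw.strip().partition(" ")
        out.append((name, args.strip()))
    return out


def lint(text):
    """Return [(severity, message)] findings for one slapd.conf."""
    directives = parse_directives(text)
    rootdns = {a.strip('"') for n, a in directives if n == "rootdn"}
    findings = []
    for name, args in directives:
        if name == "TLSCipherSuite" and "SSLv2" in args:
            findings.append(("high", "TLSCipherSuite references SSLv2 cipher suites; SSLv2 is obsolete and broken"))
        elif name == "password-hash" and args in WEAK_HASHES:
            findings.append(("medium", f"password-hash {args} is weak; use a salted SHA scheme such as {{SSHA}}"))
        elif name == "timelimit":
            keys = re.findall(r"(time\.\w+)=", args)
            if len(keys) != len(set(keys)):
                findings.append(("low", f"timelimit repeats a key in {args!r}; time.hard was probably intended"))
        elif name == "chain-idassert-bind":
            m = re.search(r'binddn="([^"]*)"', args)
            if m and m.group(1) in rootdns:
                findings.append(("high", "chain-idassert-bind asserts the rootdn: chained operations reach "
                                 "the provider as the directory root (the thread reports binds via the "
                                 "slave succeeding regardless of password with this section enabled)"))
        elif name == "rootpw" and not args.strip('"').startswith("{"):
            findings.append(("medium", "rootpw is stored in cleartext; store a slappasswd-generated hash instead"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SLAVE_CONF):
        print(f"[{severity}] {message}")
```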
How to obtain a 'version number' of an attributes
by Andrew Bartlett
I've got a little challenge...
There is an attribute in AD called msDS-KeyVersionNumber. In AD this
operational attribute increments each time the unicodePwd attribute is
updated. It is typically a small integer, being the number of times
that the password has ever been changed.
In Samba4, we maintain this by looking into our replication metadata
(replPropertyMetaData), and returning a counter that is maintained
there.
I could maintain this manually from Samba's side (this is what we did in
the past), but I wanted to first check if there was something already
stored that I could convert.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.