May 2010 - openldap-technical

OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts

by Stuart Cherrington

Hi, I sent this from my work email but its not appeared in the mailing list, am trying it from my hotmail acct to see if it's mroe successful. Newbie post, let me know if you need any other info, inside leg measurement, blood type etc. I wanted to restrict users to logging onto specific hosts, I.e. to keep developers away from Production hosts etc. I managed to do this on thread http://www.linuxquestions.org/questi...-users-789466/ using Sun's SDSCC. We're now migrating to OpenLDAP and I need the same functionality. I found the 'ismemberof' attribute does not appear to be part of the default schemas that come with Redhat 5.3 RPM's, Openldap is V 2.3.43. I found an interesting article at http://forums.devshed.com/ldap-progr...te-191444.html on how to create your own schema's. So I created a file called /etc/openldap/schema/memberof.schema and put in the following text: # The isMemberOf attribute associated with an entity is a # collection of values each of which identifies a group to # which that entity belongs. attributetype ( 1.3.6.1.4.1.5923.1.5.1.1 NAME 'isMemberOf' DESC 'identifiers for groups to which containing entity belongs' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) Then I added this schema to the slapd.conf and restarted ldap. In the client, I've used the same 'ismemberof' line from my previous thread, so it says: nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com Having tried MANY combination's of ?, ( and ) it won't work. So, can anyone comment on my schema, it right? is it complete sh!te? Does the nss_apsswd line need changing now I've moved to Openldap? Comments on a postcard please. BTW - I've been looking at LDAP books to cure my insomnia, and found http://www.amazon.co.uk/LDAP-Directo...2282151&sr=1-1. The books.google.com site had some useful pages from this book but the review on amazon is not great. TIA Stuart. _________________________________________________________________ http://clk.atdmt.com/UKM/go/197222280/direct/01/ Do you have a story that started on Hotmail? Tell us now

13 years, 7 months

4
6
0 / 0

LDAP/PAM First time

by Rus Foster

HI I'm taking my first steps into setting up an OpenLDAP/PAM setup and I've managed to get the server + client speaking but I think I might of screwed up my schemas or got myself very confused with some googling. Current setup Centos 5.x latest Server [root@host-95-154-194-53 tmp]# rpm -qa | grep -i openldap openldap-2.3.43-3.el5 openldap-clients-2.3.43-3.el5 openldap-servers-2.3.43-3.el5 [root@host-95-154-194-53 tmp]# cat /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema logfile /var/log/openldap allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args access to * by anonymous auth by self write by * read database bdb suffix "dc=damnvps,dc=com" rootdn "cn=Manager,dc=damnvps,dc=com" rootpw {SSHA}EcUcIEBYYT1VfVsHmbRsbLuGfctcZhUD directory /var/lib/ldap index objectClass eq Imported ldif's (***** designates next file break) File base.ldif dn: dc=damnvps,dc=com dc: damnvps objectClass: top objectClass: domain dn: ou=Hosts,dc=damnvps,dc=com ou: Hosts objectClass: top objectClass: organizationalUnit dn: ou=Rpc,dc=damnvps,dc=com ou: Rpc objectClass: top objectClass: organizationalUnit dn: ou=Services,dc=damnvps,dc=com ou: Services objectClass: top objectClass: organizationalUnit dn: nisMapName=netgroup.byuser,dc=damnvps,dc=com nismapname: netgroup.byuser objectClass: top objectClass: nisMap dn: ou=Mounts,dc=damnvps,dc=com ou: Mounts objectClass: top objectClass: organizationalUnit dn: ou=Networks,dc=damnvps,dc=com ou: Networks objectClass: top objectClass: organizationalUnit dn: ou=People,dc=damnvps,dc=com ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=damnvps,dc=com ou: Group objectClass: top objectClass: organizationalUnit dn: ou=Netgroup,dc=damnvps,dc=com ou: Netgroup objectClass: top objectClass: organizationalUnit dn: ou=Protocols,dc=damnvps,dc=com ou: Protocols objectClass: top objectClass: organizationalUnit dn: ou=Aliases,dc=damnvps,dc=com ou: Aliases objectClass: top objectClass: organizationalUnit dn: nisMapName=netgroup.byhost,dc=damnvps,dc=com nismapname: netgroup.byhost objectClass: top objectClass: nisMap ***** File group.ldif ***** dn: cn=rghf,ou=Group,dc=damnvps,dc=com objectClass: posixGroup objectClass: top cn: rghf userPassword: {crypt}x gidNumber: 500 ***** File passwd.ldif **** dn: uid=rghf,ou=People,dc=damnvps,dc=com uid: rghf cn: rghf objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$1$I6nmZtvf$tbQl9rwZ0qK01i.im9c5l0 shadowLastChange: 14733 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 500 gidNumber: 500 homeDirectory: /home/rghf I imported them with ldapadd -D "cn=Manager,dc=damnvps,dc=com" -W -f /tmp/passwd.ldif-x ldapadd -D "cn=Manager,dc=damnvps,dc=com" -W -f /tmp/passwd.ldif -x ldapadd -D "cn=Manager,dc=damnvps,dc=com" -W -f /tmp/hosts.ldif -x However trying to pull out anything via ldapsearch gives root@host-95-154-194-53 tmp]# ldapsearch -x # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 What have I missed? thanks Rus

13 years, 7 months

2
1
0 / 0

RE: RPM spec file

by Joe Friedeggs

> On 15/04/2010 16:38, Joe Friedeggs wrote: >> >> I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated. > > The folks at LTB-project maintain RPMs for recent OpenLDAP releases. You > could either use their pre-built RPMs or grab their spec file from the > repository: > > http://ltb-project.org/wiki/documentation/openldap-rpm > > Jonathan I googled the HECK out of that rpm.......how did I miss the LBT :-( Thanks, Jonathan, that is just what I was looking for. And thanks to all others that provided input. Joe _________________________________________________________________ Hotmail: Trusted email with Microsoft’s powerful SPAM protection. http://clk.atdmt.com/GBL/go/196390706/direct/01/

13 years, 7 months

3
3
0 / 0

Ldap authentication issue with PAM

by Indexer

I am currently trying to make a ldap server which i can use to authenticate users. Sadly a large number of how to's are incomplete and don't work, so after reading alot of how to's and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with a error from auth.log May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1 I can succesfully search the ldap with this user binding to the ldap ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=chocolate,dc=lan> (default) with scope subtree # filter: (uid=william) # requesting: ALL # # william, Admin, chocolate.lan dn: uid=william,ou=Admin,dc=chocolate,dc=lan uid: william cn: william objectClass: account objectClass: posixAccount objectClass: shadowAccount objectClass: top loginShell: /bin/bash uidNumber: 10000 gidNumber: 10000 homeDirectory: /home/william userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE= gecos: William Brown,,,, description: William Brown shadowLastChange: 1 shadowMax: 0 shadowExpire: 0 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Slapd when trying to authenticate shows this. /usr/local/libexec/slapd -4 -d 256 slapd starting conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389) conn=0 op=0 BIND dn="" method=128 conn=0 op=0 RESULT tag=97 err=0 text= connection_input: conn=0 deferring operation: binding conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))" conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))" conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= conn=0 fd=10 closed (connection lost) conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389) conn=1 op=0 BIND dn="" method=128 conn=1 op=0 RESULT tag=97 err=0 text= connection_input: conn=1 deferring operation: binding conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))" conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire <= bdb_equality_candidates: (uid) not indexed conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389) conn=2 op=0 BIND dn="" method=128 conn=2 op=0 RESULT tag=97 err=0 text= connection_input: conn=2 deferring operation: binding conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))" conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire <= bdb_equality_candidates: (uid) not indexed conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))" conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire <= bdb_equality_candidates: (uid) not indexed conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=2 fd=12 closed (connection lost) conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389) conn=3 op=0 BIND dn="" method=128 conn=3 op=0 RESULT tag=97 err=0 text= connection_input: conn=3 deferring operation: binding conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))" conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire <= bdb_equality_candidates: (uid) not indexed conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))" conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire <= bdb_equality_candidates: (uid) not indexed conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=3 fd=12 closed (connection lost) conn=1 fd=10 closed (connection lost) Here is my /etc/ldap.conf base dc=chocolate,dc=lan suffix dc=chocolate,dc=lan uri ldap://ldap.srv.chocolate.lan ldap_version 3 rootbinddn cn=Manager,dc=chocolate,dc=lan scope one timelimit 3 bind_timelimit 3 bind_policy soft pam_filter objectclass=posixAccount pam_login_attribute uid pam_check_host_attr no pam_member_attribute memberuid pam_password exop nss_reconnect_tries 4 # number of times to double the sleep time nss_reconnect_sleeptime 1 # initial sleep value nss_reconnect_maxsleeptime 16 # max sleep value to cap at nss_reconnect_maxconntries 2 # how many tries before sleeping nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one nss_base_passwd ou=People,dc=chocolate,dc=lan?one nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one nss_base_shadow ou=People,dc=chocolate,dc=lan?one nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one ssl off Here is /etc/openldap/slapd.conf include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/local/libexec/openldap moduleload back_bdb access to attrs=userPassword by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write by anonymous auth by self write by * none access to * by self write by users read database bdb suffix "dc=chocolate,dc=lan" rootdn "cn=Manager,dc=chocolate,dc=lan" rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm directory /var/db/openldap-data index objectClass eq index uid eq password-hash {SSHA} Here is the /etc/openldap/ldap.conf from both the client and server BASE dc=chocolate,dc=lan URI ldap://ldap.srv.chocolate.lan Any help with this would be greatly appreciated William

13 years, 7 months

2
1
0 / 0

Re: RPM spec file

by Chris Jacobs

Side question: is there any difference between statically compiled in vs dynamic modules? I'm most concerned about performance vs flexibility of replacing modules. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org> To: Joe Friedeggs <friedeggs44(a)hotmail.com> Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Mon May 03 11:49:47 2010 Subject: Re: RPM spec file Le 03/05/2010 19:17, Joe Friedeggs a écrit : > > > >>> On 15/04/2010 16:38, Joe Friedeggs wrote: >>>> >>>> I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated. >>> >>> The folks at LTB-project maintain RPMs for recent OpenLDAP releases. You >>> could either use their pre-built RPMs or grab their spec file from the >>> repository: >>> >>> http://ltb-project.org/wiki/documentation/openldap-rpm >>> >>> Jonathan >> > > I pulled down the openldap RPM from that site. It seems there are no modules included in the package (syncprov, rwm, ppolicy, etc.). Where would one obtain the modules that coincide with this package? According to the SPEC file, all overlays are compiled in : > ./configure --enable-ldap --enable-debug --prefix=%{ldapserverdir} --libdir=%{ldapserverdir}/%{_lib} --with-tls --with-cyrus-sasl --enable-spasswd --enable-overlays --enable-modules However, they are statically compiled in, not as dynamic modules in separate files, which is maybe what you're expecting? Jonathan -- -------------------------------------------------------------- Jonathan Clarke - jonathan(a)phillipoux.net -------------------------------------------------------------- Ldap Synchronization Connector (LSC) - http://lsc-project.org -------------------------------------------------------------- This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

13 years, 7 months

1
0
0 / 0

Group based automounting.

by Todd Smith

Hey all, We are attempting to provision our assets out based on group membership and I am trying to figure out a way to use openldap/automount (via the rfc2307 based schema) to do so. An example would be userX is part of groupY and groupY can automount nfsExport_1. In this scenario only members of groupY can see nfsExport1 when they login. I'm sure this is possible *somehow* I just haven't come across any information on the net that has given me the final key to solving this one. I am prominently interested in doing this with the rfc2307 schema however if it is only possible with the autofs schema I could use that as well. Many thanks for any input, Todd Smith Head of Information Technology soho vfx | T.O. 99 atlantic ave. suite 303 toronto ontario m6k 3j8 tel: 416.516.7863

13 years, 7 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2010