OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts
by Stuart Cherrington
Hi,
I sent this from my work email but it's not appeared in the mailing list, so I'm trying it from my hotmail account to see if it's more successful.
Newbie post, let me know if you need any other info, inside leg measurement, blood type etc.
I wanted to restrict users to logging onto specific hosts, i.e. to keep developers away from Production hosts etc. I managed to do this on thread http://www.linuxquestions.org/questi...-users-789466/ using Sun's SDSCC.
We're now migrating to OpenLDAP and I need the same functionality. I found the 'ismemberof' attribute does not appear to be part of the default schemas that come with the Redhat 5.3 RPMs; OpenLDAP is v2.3.43.
I found an interesting article at http://forums.devshed.com/ldap-progr...te-191444.html on how to create your own schemas. So I created a file called /etc/openldap/schema/memberof.schema and put in the following text:
# The isMemberOf attribute associated with an entity is a
# collection of values each of which identifies a group to
# which that entity belongs.
attributetype ( 1.3.6.1.4.1.5923.1.5.1.1
    NAME 'isMemberOf'
    DESC 'identifiers for groups to which containing entity belongs'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
Then I added this schema to the slapd.conf and restarted ldap.
In the client, I've used the same 'ismemberof' line from my previous thread, so it says:
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com
Having tried MANY combinations of ?, ( and ) it won't work.
So, can anyone comment on my schema, is it right? Is it complete sh!te?
Does the nss_base_passwd line need changing now I've moved to OpenLDAP?
Comments on a postcard please.
BTW - I've been looking at LDAP books to cure my insomnia, and found http://www.amazon.co.uk/LDAP-Directo...2282151&sr=1-1. The books.google.com site had some useful pages from this book but the review on amazon is not great.
TIA
Stuart.
13 years, 7 months
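Added example, not from the post above and not OpenLDAP or nss_ldap code: an offline model of what the nss_base_passwd base?scope?filter line does, so the filter can be exercised without a directory. It assumes (treat the exact composition as an assumption about nss_ldap) that the map filter is ANDed with the library's own lookup filter and that the library adds the surrounding parentheses, which is why the value in ldap.conf is written bare. Two things the model makes visible. First, in OpenLDAP 2.3 nothing computes isMemberOf the way Sun's directory does, so the value has to be stored on each user entry, and a bare attributetype is not enough for that: slapd rejects an attribute that none of the entry's objectClasses allow, so an auxiliary class is needed (the Internet2 eduMember schema, the source of the OID in the post, defines one; the sample entries assume such a class). Second, because the attribute is a DirectoryString with caseIgnoreMatch, the comparison is textual, not DN-aware: a case difference still matches, a stray space after a comma does not.

```python
"""Added example (not from the post, not OpenLDAP or nss_ldap code): an offline
model of an nss_ldap 'nss_base_passwd base?scope?filter' entry."""

def parse_nss_base(spec):
    """Split 'base?scope?filter'; scope defaults to sub, filter to none."""
    parts = (spec.split("?") + ["", ""])[:3]
    return parts[0], parts[1] or "sub", parts[2] or None

def compose_filter(map_filter, lookup_filter):
    """Assumption about nss_ldap: the map filter is ANDed with the library's own
    lookup filter and the library adds the parentheses, which is why ldap.conf
    carries it bare (isMemberOf=cn=...), not (isMemberOf=cn=...)."""
    if not map_filter:
        return lookup_filter
    return "(&(%s)%s)" % (map_filter, lookup_filter)

def parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset used here: &, |, !,
    attr=value and attr=* (presence).  Values may contain '=' and ',' (DNs)
    but not ')'.  Returns (tree, index after the component)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter %r" % s)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def _ci(v):
    """caseIgnoreMatch on a DirectoryString: case-insensitive, runs of
    whitespace collapsed; every other character is significant."""
    return " ".join(v.split()).lower()

def matches(attrs, node):
    op = node[0]
    if op == "&":
        return all(matches(attrs, k) for k in node[1])
    if op == "|":
        return any(matches(attrs, k) for k in node[1])
    if op == "!":
        return not matches(attrs, node[1][0])
    _, attr, value = node
    vals = [v for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(vals)
    return any(_ci(v) == _ci(value) for v in vals)

def in_scope(dn, base, scope):
    dn, base = _ci(dn).replace(", ", ","), _ci(base).replace(", ", ",")
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]  # one: direct children

LOOKUP = "(&(objectClass=posixAccount)(uid=%s))"   # nss_ldap's getpwnam filter

def getpwnam(entries, nss_spec, uid):
    """DNs this host would resolve for uid under the given nss_base_passwd value."""
    base, scope, map_filter = parse_nss_base(nss_spec)
    tree, _ = parse_filter(compose_filter(map_filter, LOOKUP % uid))
    return [dn for dn, attrs in entries.items()
            if in_scope(dn, base, scope) and matches(attrs, tree)]

# Constructed sample entries.  In OpenLDAP 2.3 nothing computes isMemberOf, so it
# is a stored value, and the entry needs an objectClass that allows it; the
# eduMember auxiliary class is assumed here.
ENTRIES = {
    "uid=dev1,ou=people,dc=ldn,dc=sw,dc=com": {
        "objectClass": ["account", "posixAccount", "eduMember"],
        "uid": ["dev1"],
        "isMemberOf": ["CN=Access,OU=Auth,DC=ldn,DC=sw,DC=com"],  # case differs: matches
    },
    "uid=dev2,ou=people,dc=ldn,dc=sw,dc=com": {
        "objectClass": ["account", "posixAccount"],
        "uid": ["dev2"],                                           # no isMemberOf: hidden
    },
    "uid=ops1,ou=contractors,ou=people,dc=ldn,dc=sw,dc=com": {
        "objectClass": ["account", "posixAccount", "eduMember"],
        "uid": ["ops1"],
        "isMemberOf": ["cn=access, ou=auth,dc=ldn,dc=sw,dc=com"],  # stray space: no match
    },
}
PROD_SPEC = ("ou=people,dc=ldn,dc=sw,dc=com?sub?"
             "isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com")

if __name__ == "__main__":
    for user in ("dev1", "dev2", "ops1"):
        print(user, "->", getpwnam(ENTRIES, PROD_SPEC, user) or "not resolved on this host")
```

Run as-is and only dev1 resolves: dev2 carries no isMemberOf value, and ops1's value differs from the filter by one space. Keep in mind that this is visibility filtering in NSS, not an authorization decision: pam_ldap applies its own pam_filter, so a host that should refuse a class of users needs the restriction on the PAM side as well.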
LDAP/PAM First time
by Rus Foster
HI
I'm taking my first steps into setting up an OpenLDAP/PAM setup and I've managed to get the server + client speaking, but I think I might have screwed up my schemas or got myself very confused with some googling. Current setup:
Centos 5.x latest
Server
[root@host-95-154-194-53 tmp]# rpm -qa | grep -i openldap
openldap-2.3.43-3.el5
openldap-clients-2.3.43-3.el5
openldap-servers-2.3.43-3.el5
[root@host-95-154-194-53 tmp]# cat /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
logfile /var/log/openldap
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to *
by anonymous auth
by self write
by * read
database bdb
suffix "dc=damnvps,dc=com"
rootdn "cn=Manager,dc=damnvps,dc=com"
rootpw {SSHA}EcUcIEBYYT1VfVsHmbRsbLuGfctcZhUD
directory /var/lib/ldap
index objectClass eq
Imported LDIFs (***** designates next file break)
File base.ldif
dn: dc=damnvps,dc=com
dc: damnvps
objectClass: top
objectClass: domain

dn: ou=Hosts,dc=damnvps,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=Rpc,dc=damnvps,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=damnvps,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=damnvps,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

dn: ou=Mounts,dc=damnvps,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=damnvps,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=damnvps,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=damnvps,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=Netgroup,dc=damnvps,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=Protocols,dc=damnvps,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=Aliases,dc=damnvps,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=damnvps,dc=com
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
*****
File group.ldif
*****
dn: cn=rghf,ou=Group,dc=damnvps,dc=com
objectClass: posixGroup
objectClass: top
cn: rghf
userPassword: {crypt}x
gidNumber: 500
*****
File passwd.ldif
*****
dn: uid=rghf,ou=People,dc=damnvps,dc=com
uid: rghf
cn: rghf
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$I6nmZtvf$tbQl9rwZ0qK01i.im9c5l0
shadowLastChange: 14733
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/rghf
I imported them with
ldapadd -D "cn=Manager,dc=damnvps,dc=com" -W -f /tmp/passwd.ldif-x
ldapadd -D "cn=Manager,dc=damnvps,dc=com" -W -f /tmp/passwd.ldif -x
ldapadd -D "cn=Manager,dc=damnvps,dc=com" -W -f /tmp/hosts.ldif -x
However trying to pull out anything via ldapsearch gives
[root@host-95-154-194-53 tmp]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
What have I missed?
thanks
Rus
13 years, 7 months
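Added example, not from the post above and not OpenLDAP code: a pre-flight check for LDIF files that mirrors the conditions slapd enforces on add, run here against a constructed cut-down copy of the files in the post. Two things in the transcript are worth checking against it: the first ldapadd line reads -f /tmp/passwd.ldif-x, so base.ldif may never have been loaded, in which case every later add fails with the same err=32 because the parent entry does not exist; and ldapsearch -x with no -b and no BASE in /etc/openldap/ldap.conf searched the empty base (shown as base <>), which no database serves, so the search to repeat is ldapsearch -x -b dc=damnvps,dc=com (bound with -D and -W, since the posted ACL gives anonymous clients only auth on everything).

```python
"""Added example (not from the post, not OpenLDAP code): pre-flight check for
LDIF files before ldapadd.  It mirrors four conditions slapd enforces on add:
the suffix entry exists before anything below it, every parent is added before
its children (otherwise err=32 No such object), every DN lies inside the
database suffix, and the RDN attribute/value is present in the entry
(otherwise a naming violation)."""
import re

_RDN_SPLIT = re.compile(r"(?<!\\),")   # split a DN on commas that are not escaped

def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, '#' comments,
    folded lines (leading space) joined to the previous value, '::' base64
    values kept as-is.  Returns [(dn, {attr: [values]}), ...] in file order."""
    records, dn, attrs, last = [], None, {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs, last = None, {}, None
            continue
        if line.startswith(" "):                 # continuation of the previous line
            if last is None:
                dn = (dn or "") + line[1:]
            else:
                attrs[last][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() == "dn":
            dn, last = value, None
        else:
            attrs.setdefault(key, []).append(value)
            last = key
    return records

def _ndn(dn):
    """Normalise a DN for comparison: lower-case, no space around commas."""
    return ",".join(p.strip() for p in _RDN_SPLIT.split(dn)).lower()

def parent_dn(dn):
    return ",".join(_RDN_SPLIT.split(dn)[1:])

def check_import(records, suffix):
    """Problems ldapadd would hit, in file order; an empty list means clean."""
    nsuffix, seen, problems = _ndn(suffix), set(), []
    for dn, attrs in records:
        n = _ndn(dn)
        if n != nsuffix and not n.endswith("," + nsuffix):
            problems.append("%s: outside suffix %s" % (dn, suffix))
        elif n != nsuffix and parent_dn(n) not in seen:
            problems.append("%s: parent %s not added yet (err=32 No such object)"
                            % (dn, parent_dn(dn)))
        rdn_attr, _, rdn_val = _RDN_SPLIT.split(dn)[0].partition("=")
        have = [v.lower() for k, vs in attrs.items()
                if k.lower() == rdn_attr.strip().lower() for v in vs]
        if rdn_val.strip().lower() not in have:
            problems.append("%s: naming attribute %s=%s not in entry (naming violation)"
                            % (dn, rdn_attr.strip(), rdn_val.strip()))
        seen.add(n)
    return problems

def preflight(ldif_files, suffix):
    """Check files in the order they will be passed to ldapadd."""
    return check_import([r for f in ldif_files for r in parse_ldif(f)], suffix)

# Constructed sample: a cut-down base.ldif and the passwd.ldif from the thread.
SAMPLE_BASE = """dn: dc=damnvps,dc=com
dc: damnvps
objectClass: top
objectClass: domain

dn: ou=People,dc=damnvps,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
"""
SAMPLE_PASSWD = """dn: uid=rghf,ou=People,dc=damnvps,dc=com
uid: rghf
cn: rghf
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/rghf
"""

if __name__ == "__main__":
    print("base then passwd:", preflight([SAMPLE_BASE, SAMPLE_PASSWD], "dc=damnvps,dc=com") or "clean")
    print("passwd alone:   ", preflight([SAMPLE_PASSWD], "dc=damnvps,dc=com"))
```

Loading the files in the posted order is clean; loading passwd.ldif without base.ldif reports the missing ou=People parent, which is the same err=32 the server returns.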
RE: RPM spec file
by Joe Friedeggs
> On 15/04/2010 16:38, Joe Friedeggs wrote:
>>
>> I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated.
>
> The folks at LTB-project maintain RPMs for recent OpenLDAP releases. You
> could either use their pre-built RPMs or grab their spec file from the
> repository:
>
> http://ltb-project.org/wiki/documentation/openldap-rpm
>
> Jonathan
I googled the HECK out of that rpm... how did I miss the LTB :-(
Thanks, Jonathan, that is just what I was looking for. And thanks to all others that provided input.
Joe
13 years, 7 months
Ldap authentication issue with PAM
by Indexer
I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log
May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
I can successfully search the LDAP with this user binding to the LDAP
ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chocolate,dc=lan> (default) with scope subtree
# filter: (uid=william)
# requesting: ALL
#
# william, Admin, chocolate.lan
dn: uid=william,ou=Admin,dc=chocolate,dc=lan
uid: william
cn: william
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/william
userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
gecos: William Brown,,,,
description: William Brown
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Slapd when trying to authenticate shows this.
/usr/local/libexec/slapd -4 -d 256
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 closed (connection lost)
conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
conn=3 op=0 BIND dn="" method=128
conn=3 op=0 RESULT tag=97 err=0 text=
connection_input: conn=3 deferring operation: binding
conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 fd=12 closed (connection lost)
conn=1 fd=10 closed (connection lost)
Here is my /etc/ldap.conf
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.srv.chocolate.lan
ldap_version 3
rootbinddn cn=Manager,dc=chocolate,dc=lan
scope one
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberuid
pam_password exop
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping
nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
nss_base_passwd ou=People,dc=chocolate,dc=lan?one
nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
nss_base_shadow ou=People,dc=chocolate,dc=lan?one
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
ssl off
Here is /etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to attrs=userPassword
by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
by anonymous auth
by self write
by * none
access to *
by self write
by users read
database bdb
suffix "dc=chocolate,dc=lan"
rootdn "cn=Manager,dc=chocolate,dc=lan"
rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
directory /var/db/openldap-data
index objectClass eq
index uid eq
password-hash {SSHA}
Here is the /etc/openldap/ldap.conf from both the client and server
BASE dc=chocolate,dc=lan
URI ldap://ldap.srv.chocolate.lan
Any help with this would be greatly appreciated
William
13 years, 7 months
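Added example, not from either post and not OpenLDAP code: an offline evaluator for the core semantics of slapd.conf access rules (first matching access-to clause wins, then the first matching by clause, no match means none, the rootdn bypasses everything), run over the two ACL sets posted in this thread: the dc=chocolate,dc=lan one above and the dc=damnvps,dc=com one from the "LDAP/PAM First time" post. It models only what those files use: * and attrs= selectors, and *, anonymous, users, self and dn="..." subjects (dn= is treated as an exact match here; that is an assumption). The DN uid=alice,... is a constructed second user. Two things fall out of it. In the chocolate ACL, by dn="uid=william,..." write on attrs=userPassword gives that one account write access to every other account's password, which is a full takeover path rather than a self-service one; by self write already covers william's own password. In the damnvps ACL, by anonymous auth on * means an anonymous ldapsearch -x cannot read any entry even with the right base. Also worth checking before trusting the chocolate file at all: the binary is /usr/local/libexec/slapd, whose default configuration is /usr/local/etc/openldap/slapd.conf unless -f is given, and the log above is consistent with the pasted /etc/openldap/slapd.conf not being the file in use: anonymous searches return nentries=1 although the pasted ACL grants anonymous nothing on *, and uid is reported as not indexed despite index uid eq (which, if that file is in use, needs slapindex run after the line was added).

```python
"""Added example (not from the posts, not OpenLDAP code): offline evaluator for
slapd.conf 'access to <what> by <who> <level>' rules.  First matching 'access
to' clause wins, then the first matching 'by' clause; no match means none; the
rootdn bypasses ACLs.  Only the selectors used in this thread are modelled."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def _ndn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_acl(text):
    """Collect 'access to <what>' clauses and their 'by <who> <level>' lines;
    any other directive ends the current clause and is ignored."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)                  # keeps dn="a,b" as one token
        if toks[:2] == ["access", "to"]:
            cur = {"what": toks[2], "by": []}
            rules.append(cur)
            toks = toks[3:]
        elif toks[0] != "by" or cur is None:
            cur = None
            continue
        while toks:
            if toks[0] != "by" or len(toks) < 3:
                raise ValueError("cannot parse ACL line: %s" % raw)
            cur["by"].append((toks[1], toks[2]))
            toks = toks[3:]
    return rules

def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    raise ValueError("selector not modelled: %s" % what)

def _who_matches(who, binddn, targetdn):
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    if who == "self":
        return binddn is not None and _ndn(binddn) == _ndn(targetdn)
    if who.startswith("dn="):                     # assumption: exact DN match
        return binddn is not None and _ndn(binddn) == _ndn(who[3:])
    raise ValueError("subject not modelled: %s" % who)

def access_level(rules, binddn, targetdn, attr, rootdn=None):
    """Level binddn (None = anonymous) gets on 'attr' of targetdn; pass
    attr='entry' for the entry itself (slapd's pseudo-attribute)."""
    if rootdn and binddn and _ndn(binddn) == _ndn(rootdn):
        return "manage"
    for rule in rules:
        if _what_matches(rule["what"], attr):
            for who, level in rule["by"]:
                if _who_matches(who, binddn, targetdn):
                    return level
            return "none"                         # implicit 'by * none'
    return "none"

def allows(rules, binddn, targetdn, attr, needed, rootdn=None):
    got = access_level(rules, binddn, targetdn, attr, rootdn)
    return LEVELS.index(got) >= LEVELS.index(needed)

# The two ACL sets posted in this thread.
CHOCOLATE_ACL = """
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read
"""
DAMNVPS_ACL = """
access to *
    by anonymous auth
    by self write
    by * read
"""
WILLIAM = "uid=william,ou=Admin,dc=chocolate,dc=lan"
ALICE = "uid=alice,ou=People,dc=chocolate,dc=lan"       # constructed second user
RGHF = "uid=rghf,ou=People,dc=damnvps,dc=com"

def findings():
    c, d = parse_acl(CHOCOLATE_ACL), parse_acl(DAMNVPS_ACL)
    return {
        "chocolate: anonymous (BIND dn=\"\") can read william's entry": allows(c, None, WILLIAM, "entry", "read"),
        "chocolate: anonymous can bind as william": allows(c, None, WILLIAM, "userPassword", "auth"),
        "chocolate: william can overwrite alice's password": allows(c, WILLIAM, ALICE, "userPassword", "write"),
        "chocolate: alice can overwrite william's password": allows(c, ALICE, WILLIAM, "userPassword", "write"),
        "damnvps: anonymous ldapsearch -x can read entries": allows(d, None, RGHF, "entry", "read"),
        "damnvps: a bound user can read other entries": allows(d, RGHF, "ou=People,dc=damnvps,dc=com", "entry", "read"),
    }

if __name__ == "__main__":
    for question, answer in findings().items():
        print("%-60s %s" % (question, "yes" if answer else "no"))
```

The entry itself is one more thing to look at with this in hand: the searches above request shadowLastChange, shadowMax and shadowExpire, and the entry holds shadowMax: 0, shadowLastChange: 1 and shadowExpire: 0, which under shadow(5) semantics describe a password that expired on day 1 and an account expiry at day 0; removing those three attributes takes them out of the picture while the ACL and configuration path are sorted out.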
Re: RPM spec file
by Chris Jacobs
Side question: is there any difference between statically compiled in vs dynamic modules?
I'm most concerned about performance vs flexibility of replacing modules.
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org>
To: Joe Friedeggs <friedeggs44(a)hotmail.com>
Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Mon May 03 11:49:47 2010
Subject: Re: RPM spec file
On 03/05/2010 19:17, Joe Friedeggs wrote:
>>> On 15/04/2010 16:38, Joe Friedeggs wrote:
>>>>
>>>> I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated.
>>>
>>> The folks at LTB-project maintain RPMs for recent OpenLDAP releases. You
>>> could either use their pre-built RPMs or grab their spec file from the
>>> repository:
>>>
>>> http://ltb-project.org/wiki/documentation/openldap-rpm
>>>
>>> Jonathan
>>
>
> I pulled down the openldap RPM from that site. It seems there are no modules included in the package (syncprov, rwm, ppolicy, etc.). Where would one obtain the modules that coincide with this package?
According to the SPEC file, all overlays are compiled in:
> ./configure --enable-ldap --enable-debug --prefix=%{ldapserverdir} --libdir=%{ldapserverdir}/%{_lib} --with-tls --with-cyrus-sasl --enable-spasswd --enable-overlays --enable-modules
However, they are statically compiled in, not as dynamic modules in
separate files, which is maybe what you're expecting?
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan(a)phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
13 years, 7 months
Group based automounting.
by Todd Smith
Hey all,
We are attempting to provision our assets out based on group membership and I am trying to figure out a way to use openldap/automount (via the rfc2307 based schema) to do so.
An example would be userX is part of groupY and groupY can automount nfsExport_1.
In this scenario only members of groupY can see nfsExport_1 when they log in.
I'm sure this is possible *somehow*, I just haven't come across any information on the net that has given me the final key to solving this one. I am primarily interested in doing this with the rfc2307 schema; however, if it is only possible with the autofs schema I could use that as well.
Many thanks for any input,
Todd Smith
Head of Information Technology
soho vfx | T.O.
99 atlantic ave. suite 303
toronto ontario m6k 3j8
tel: 416.516.7863
13 years, 7 months