openldap-technical June 2010

openldap-technical@openldap.org

104 participants
113 discussions

ldapsearch -w "password" only check first 8 words ?
by shyuejyh.tw 08 Jun '10

08 Jun '10

Hi Everyone: i have a question , how can i change ldapsearch command to check password more than 8 words? my openldap is 2.4.11 (Debian/Lenny) when i use freeradius 2.0.4 to authentication a account, my password is 12345678 , than i type 123456789 , Pass ..... this is radius's log: rlm_ldap: login attempt by "amo" with password "123456789" rlm_ldap: user DN: uid=amo,dc=hello,dc=com rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1 rlm_ldap: bind as uid=amo,dc=hello,dc=com/123456789 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user amo authenticated succesfully ++[ldap] returns ok than i try use ldapsearch search a user (still use password 123456789) ldapsearch -x -b "dc=hello,dc=com" -D "uid=amo,dc=hello,dc=com" -W -h localhost -LLL uid=jojo Enter LDAP Password: pass than find user information. dn: uid=jojo,dc=hello,dc=com shadowLastChange: 123123 loginShell: /bin/csh gidNumber: 102 homeDirectory: /home/jojo uidNumber: 1002 i guess ldapsearch command just check first 8 words, is this a bug or change something can fix it ? thanks a lot

2 1

Can't add attribute (error 65)
by Dan OReilly 08 Jun '10

08 Jun '10

Using the following slapd configuration, I can't add an attribute value to an existing user: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/ppolicy.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args TLSCipherSuite HIGH:MEDIUM TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem access to attrs=userPassword by * auth access to * by * read ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=psccos,dc=com" rootdn "cn=Manager,dc=psccos,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw xxxxxxxx # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq Below you can see the ldapmodify command that fails, and below that, the file that contains the modifications: $ sudo ldapmodify -w cowabunga -D "cn=Manager,dc=psccos,dc=com" -f /home/oreilly/mod.ldif modifying entry "cn=Renee Walker,ou=people,dc=psccos,dc=com" ldap_modify: Object class violation (65) additional info: attribute 'pwdInHistory' not allowed $ cat /home/oreilly/mod.ldif dn: cn=Renee Walker,ou=people,dc=psccos,dc=com changetype: modify add: pwdInHistory pwdInHistory: 6 $ Any idea why this behavior occurs? ------ +-------------------------------+----------------------------------------+ | Dan O'Reilly | "There are 10 types of people in this | | Principal Engineer | world: those who understand binary | | Process Software | and those who don't." | | http://www.process.com | | +-------------------------------+----------------------------------------+

2 1

OpenLDAP configuration for ldap-group authentication on Apache2.x
by Loren Cahlander 08 Jun '10

08 Jun '10

Hello folks, I am working with the following configuration under Ubuntu: ||/ Name Version Description +++-=================================-====================================-============================================ ii apache2 2.2.9-7ubuntu3.6 Apache HTTP Server metapackage ii apache2-doc 2.2.9-7ubuntu3.6 Apache HTTP Server documentation ii apache2-mpm-prefork 2.2.9-7ubuntu3.6 Apache HTTP Server - traditional non-threade ii apache2-utils 2.2.9-7ubuntu3.6 utility programs for webservers ii apache2.2-common 2.2.9-7ubuntu3.6 Apache HTTP Server common files ii ldap-account-manager 2.3.0-1 webfrontend for managing accounts in an LDAP ii ldap-utils 2.4.11-0ubuntu6.2 OpenLDAP utilities ii libldap-2.4-2 2.4.11-0ubuntu6.2 OpenLDAP libraries ii slapd 2.4.11-0ubuntu6.2 OpenLDAP server (slapd) ii subversion 1.5.1dfsg1-1ubuntu2.1 Advanced version control system ii subversion-tools 1.5.1dfsg1-1ubuntu2.1 Assorted tools related to Subversion And need to have groups being both posixGroup and groupOfUniqueNames. Far below is my configuration. If I try loading a group with with following: > dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org > gidNumber: 9999 > objectClass: posixGroup > objectClass: groupOfUniqueNames > uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org > cn: my-dba I get the following error: > ldap_add: Object class violation (65) > additional info: invalid structural object class chain (posixGroup/groupOfUniqueNames) Does anyone have a suggestion for how to deal with this error? I am looking for a simple configuration that will work with the Apache Module mod_authnz_ldap to authenticate a user in Apache using "Require ldap-group". Thank you, Loren Installing LDAP LDAP is the Lightweight Directory Access Protocol. This cental database of accounts, logins and groups will be used by all the systems including the eXist database, the subversion server and the e-mail system. Note that the roles in the role-based access control system are stored using the role manager These commands will install a local LDAP server and a web based administrative application to manage groups and users within this virtual machine. sudo apt-get install slapd ldap-utils ldap-account-manager ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif vi /home/exist/db.ldif and insert the following listing: 01. ########################################################### 02. # DATABASE SETUP 03. ########################################################### 04. 05. # Load modules for database type 06. dn: cn=module{0},cn=config 07. objectClass: olcModuleList 08. cn: module{0} 09. olcModulePath: /usr/lib/ldap 10. olcModuleLoad: {0}back_hdb 11. 12. # Create directory database 13. dn: olcDatabase={1}hdb,cn=config 14. objectClass: olcDatabaseConfig 15. objectClass: olcHdbConfig 16. olcDatabase: {1}hdb 17. olcDbDirectory: /var/lib/ldap 18. olcSuffix: dc=exist-db,dc=org 19. olcRootDN: cn=admin,dc=exist-db,dc=org 20. olcRootPW: 1234 21. olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exist-db,dc=org" write by anonymous auth by self write by * none 22. olcAccess: {1}to dn.base="" by * read 23. olcAccess: {2}to * by dn="cn=admin,dc=exist-db,dc=org" write by * read 24. olcLastMod: TRUE 25. olcDbCheckpoint: 512 30 26. olcDbConfig: {0}set_cachesize 0 2097152 0 27. olcDbConfig: {1}set_lk_max_objects 1500 28. olcDbConfig: {2}set_lk_max_locks 1500 29. olcDbConfig: {3}set_lk_max_lockers 1500 30. olcDbIndex: uid pres,eq 31. olcDbIndex: cn,sn,mail pres,eq,approx,sub 32. olcDbIndex: objectClass eq 33. 34. 35. ########################################################### 36. # DEFAULTS MODIFICATION 37. ########################################################### 38. # Some of the defaults need to be modified in order to allow 39. # remote access to the LDAP config. Otherwise only root 40. # will have administrative access. 41. 42. dn: cn=config 43. changetype: modify 44. delete: olcAuthzRegexp 45. 46. dn: olcDatabase={-1}frontend,cn=config 47. changetype: modify 48. delete: olcAccess 49. 50. dn: olcDatabase={0}config,cn=config 51. changetype: modify 52. add: olcRootPW 53. olcRootPW: {CRYPT}7hzU8RaZxaGi2 54. 55. dn: olcDatabase={0}config,cn=config 56. changetype: modify 57. delete: olcAccess Note Note that this file has LDAP administration password (identified by olcRootPW) in it with the default value of "1234". If you want to change this put in your own password. sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /home/exist/db.ldif sudo vi /home/exist/base.ldif and insert the following: 01. dn: dc=exist-db,dc=org 02. objectClass: dcObject 03. objectClass: organization 04. o: exist-db.org 05. dc: exist-db 06. description: Tree root 07. 08. dn: cn=admin,dc=exist-db,dc=org 09. objectClass: simpleSecurityObject 10. objectClass: organizationalRole 11. cn: admin 12. userPassword: admin123 13. description: LDAP administrator 14. 15. dn: ou=Users,dc=exist-db,dc=org 16. objectClass: organizationalUnit 17. ou: Users 18. 19. dn: ou=Groups,dc=exist-db,dc=org 20. objectClass: organizationalUnit 21. ou: Groups 22. 23. dn: uid=admin,ou=Users,dc=exist-db,dc=org 24. sn: Administrator 25. uidNumber: 1 26. gidNumber: 1 27. objectClass: person 28. objectClass: organizationalPerson 29. objectClass: inetOrgPerson 30. objectClass: posixAccount 31. uid: admin 32. cn: admin 33. homeDirectory: / 34. 35. dn: uid=guest,ou=Users,dc=exist-db,dc=org 36. sn: guest 37. uidNumber: 2 38. gidNumber: 300 39. objectClass: person 40. objectClass: organizationalPerson 41. objectClass: inetOrgPerson 42. objectClass: posixAccount 43. uid: guest 44. cn: guest 45. homeDirectory: /guest 46. 47. dn: cn=dba,ou=Groups,dc=exist-db,dc=org 48. objectClass: posixGroup 49. description: dba 50. gidNumber: 1 51. cn: dba 52. 53. dn: cn=guest,ou=Groups,dc=exist-db,dc=org 54. objectClass: posixGroup 55. description: guest 56. gidNumber: 300 57. cn: guest 58. memberUid: admin 59. 60. dn: cn=svn-update,ou=Groups,dc=exist-db,dc=org 61. objectClass: posixGroup 62. description: SVN Update 63. gidNumber: 400 64. cn: svn-update 65. 66. dn: cn=svn-readonly,ou=Groups,dc=exist-db,dc=org 67. objectClass: posixGroup 68. description: SVN Read Only 69. gidNumber: 500 70. cn: svn-readonly 71. 72. dn: cn=backup-access,ou=Groups,dc=exist-db,dc=org 73. objectClass: posixGroup 74. description: System backup page access. 75. gidNumber: 600 76. cn: backup-access Note Note that this file has database administration password in it with the default value of "admin123". If you want to change this put in your own password into the correct location.. You can now load this configuration file into the LDAP database with the ldapadd command.: sudo ldapadd -x -D cn=admin,dc=exist-db,dc=org -W -f /home/exist/base.ldif When prompted for the password, use "1234" unless you changed the value in db.ldif.

4 6

for help about extend schema with java
by tong cui 07 Jun '10

07 Jun '10

Hi, I'm testing API "JLDAP - LDAP Class Libraries will be Java" with the versionof the openldap 2.4.12. I configured openldap and executed theExtendSchema.java example then I got the following error: Error: LDAPException: Invalid Attribute Syntax (21) Invalid Attribute SyntaxLDAPException: Server Message: attributeTypes: value #0 invalid per syntaxLDAPException: Matched DN:at (Unknown Source)at (Unknown Source) The syntax generated for the API LDAPAttributeSchema is the following one:( 2.5.4.130 NAME 'cesmic' DESC 'testing' SYNTAX1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) Any idea on what's going on? Thank you very much~ I am looking for your reply~ Yours Tom The ExtendSchema.java example is as follows ========================================================//Sample code file: var/ndk/webBuildengine/tmp/viewable_samples/f91a68eb-ad37-4526-92b1-b1938f37b871/ExtendSchema.java//Warning: This code has been marked up for HTML/******************************************************************************* * $Novell: ExtendSchema.java,v 1.12 2002/07/29 21:28:12 $ * Copyright (c) 2000, 2001 Novell, Inc. All Rights Reserved. * * THIS WORK IS SUBJECT TO U.S. AND INTERNATIONAL COPYRIGHT LAWS AND * TREATIES. USE AND REDISTRIBUTION OF THIS WORK IS SUBJECT TO THE LICENSE * AGREEMENT ACCOMPANYING THE SOFTWARE DEVELOPMENT KIT (SDK) THAT CONTAINS * THIS WORK. PURSUANT TO THE SDK LICENSE AGREEMENT, NOVELL HEREBY GRANTS TO * DEVELOPER A ROYALTY-FREE, NON-EXCLUSIVE LICENSE TO INCLUDE NOVELL'S SAMPLE * CODE IN ITS PRODUCT. NOVELL GRANTS DEVELOPER WORLDWIDE DISTRIBUTION RIGHTS * TO MARKET, DISTRIBUTE, OR SELL NOVELL'S SAMPLE CODE AS A COMPONENT OF * DEVELOPER'S PRODUCTS. NOVELL SHALL HAVE NO OBLIGATIONS TO DEVELOPER OR * DEVELOPER'S CUSTOMERS WITH RESPECT TO THIS CODE. * * $name: ExtendSchema.java * $description: ExtendSchema.java demonstrates how to extend directory schema. * It is used to add a new attribute definition, a * new effective object class definition, and a new auxiliary * class definition to the directory schema . Then it adds a * test objec to the directory and add the new auxiliary class * to the test object to show how to apply an auxiliary class to * the test object. * To extend directory schema, the user must have Admin * equivalent rights. Novell recommend that users use ICE and * ldif file ( Import, Conversion, and Export ) to modify schema * instead of embedding schema extension commands within program * files. ******************************************************************************/ import com.novell.ldap.*; import java.io.UnsupportedEncodingException; public class ExtendSchema { // Create a new LDAPAttributeSchema object static LDAPAttributeSchema newAttrType = new LDAPAttributeSchema( new String[] {"testAttribute"}, // name of the new attr "2.16.840.1.113719.1.186.4.1", // OID of the new attr "Test attr definition", // desc of the new attr "1.3.6.1.4.1.1466.115.121.1.15" , // case-ignore string false, // not single-valued null, // no super attr type false, // not obsolete null, // no equality matching null, // no ordering matching null, // no substring matching false, // not a collective attr true, // user modifiable attr LDAPAttributeSchema.USER_APPLICATIONS)// user applications // Create a new effective class object static LDAPObjectClassSchema newObjClass = new LDAPObjectClassSchema( new String[] {"testClass"}, // name of the new obj class "2.16.840.1.113719.1.186.6.1", // OID of effective class new String [] {"top"}, // 'top' is super class "Test class definition", // optional description new String [] {"cn", "title"}, // required attribute(s) null, // optional attribute(s) LDAPObjectClassSchema.STRUCTURAL, // effective class false); // not obsolete // Create a new auxiliary class object static LDAPObjectClassSchema newAuxClass = new LDAPObjectClassSchema( new String[] {"testAuxClass"}, // name of the new obj class "2.16.840.1.113719.1.186.6.2", // OID of this auxiliary class new String [] {"top"}, // 'top' is super class "Test auxilliary class definition", // optional description null, // required attribute(s) new String [] {"testAttribute"}, // optional attribute LDAPObjectClassSchema.AUXILIARY, // auxiliary class false); // not obsolete public static void main( String[] args ) { if (args.length != 4) { usage(); System.exit(1); } int ldapPort = LDAPConnection.DEFAULT_PORT; int ldapVersion = LDAPConnection.LDAP_V3; String ldapHost = args[0]; String loginDN = args[1]; String password = args[2]; String testObjDN = "cn=testObject," + args[3]; LDAPConnection conn = new LDAPConnection(); // Add Novell eDirectory specific flags for attribute definition newAttrType.setQualifier( "X-NDS_PUBLIC_READ", new String [] {"1"}); newAttrType.setQualifier( "X-NDS_NOT_SCHED_SYNC_IMMEDIATE", new String [] {"1"}); // Add Novell eDirectory specific flags for object class definition newObjClass.setQualifier( "X-NDS_NAMING", new String [] {"cn"}); newObjClass.setQualifier( "X-NDS_CONTAINMENT", new String [] {"organization", "organizationalUnit", "domain", "locality", "treeRoot"}); try { // connect to the server conn.connect( ldapHost, ldapPort ); // bind to the server conn.bind( ldapVersion, loginDN, password.getBytes("UTF8") ); /* * Adding schema extensions includes: * 1. add a new attribute definition to directory schema * 2. add a new object class definition to directory schema * 3. add a new auxiliary class definition to directory schema */ System.out.println( "\tAdding test schema extensions..."); // add schema extensions if ( extendSchema( conn ) ) { // add a test object to the directory tree if ( addTestObject( conn, testObjDN ) ) { // add the auxiliary class to the test object addAuxClassToTestObj( conn, testObjDN ); } } /* * Removing schema extensions consists of: * 1. remove auxiliary class definition from schema * 2. remove object class definition from schema * 3. remove attribute definition from schema */ // remove auxiliary class from test object if ( removeAuxClassFromTestObj( conn, testObjDN ) ) { // remove test object if ( removeTestObj( conn, testObjDN ) ) { System.out.println( "\tRemoving test schema extensions..."); unExtendSchema( conn ); } } // disconnect with the server conn.disconnect(); } catch( LDAPException e ) { System.out.println( "Error: " + e.toString() ); } catch( UnsupportedEncodingException e) { System.out.println( "Error: " + e.toString() ); } System.exit(0); } public static void usage() { System.err.println("Usage: java ExtendSchema <host name>" + " <login dn> <password> <test container DN>"); System.err.println("Example: java ExtendSchema Acme.com" + " \"cn=admin,o=Acme\" secret \"o=Acme\""); } // add schema extensions public static boolean extendSchema( LDAPConnection conn ) { boolean status = true; try { // Add attribute definition conn.modify( conn.getSchemaDN(), new LDAPModification(LDAPModification.ADD, newAttrType)); System.out.println("\tAdded attribute schema extensions successfully"); // Add object definitions LDAPModification[] modifications = new LDAPModification[2]; modifications[0] = new LDAPModification(LDAPModification.ADD, newObjClass); modifications[1] = new LDAPModification(LDAPModification.ADD, newAuxClass); conn.modify( conn.getSchemaDN(), modifications ); System.out.println( "\tAdded object schema extensions successfully."); } catch( LDAPException e ) { System.out.println( "\tFailed to add schema extensions."); System.out.println( "Error: " + e.toString() ); status = false; } return status; } // remove schema extensions public static boolean unExtendSchema( LDAPConnection conn ) { boolean status = true; try { // Remove auxiliary class definition // Add attribute definition LDAPModification[] modifications = new LDAPModification[2]; modifications[1] = new LDAPModification(LDAPModification.DELETE, newAuxClass); modifications[0] = new LDAPModification(LDAPModification.DELETE, newObjClass); conn.modify( conn.getSchemaDN(), modifications); System.out.println( "\tSuccessfully removed the object schema extensions"); conn.modify( conn.getSchemaDN(), new LDAPModification(LDAPModification.DELETE, newAttrType)); System.out.println( "\tSuccessfully removed the attribute schema extensions"); } catch( LDAPException e ) { System.out.println( "\tFailed to remove the schema extensions." ); System.out.println( "Error: " + e.toString() ); status = false; } return status; } // add test object public static boolean addTestObject( LDAPConnection conn, String dn ) { boolean status = true; LDAPAttribute attribute = null; LDAPAttributeSet attributeSet = new LDAPAttributeSet(); attribute = new LDAPAttribute("objectclass",new String []{"testClass"}); attributeSet.add( attribute ); attribute = new LDAPAttribute( "cn", new String []{ "testObject", "Test Object" }); attributeSet.add( attribute ); attribute = new LDAPAttribute( "title", new String []{ "testManager", "Test Manager" }); attributeSet.add( attribute ); LDAPEntry newEntry = new LDAPEntry( dn, attributeSet ); try { conn.add( newEntry ); System.out.println( "\t\tAdded test object successfully."); } catch( LDAPException e ) { System.out.println( "\t\tFailed to add test object." ); System.out.println( "Error: " + e.toString() ); status = false; } return status; } // remove test object public static boolean removeTestObj( LDAPConnection conn, String dn ) { boolean status = true; try { conn.delete( dn ); System.out.println("\t\tRemoved test object successfully."); } catch( LDAPException e ) { System.out.println("Failed to remove test object." ); System.out.println( "Error: " + e.toString() ); status = false; } return status; } // add auxiliary class to test object public static boolean addAuxClassToTestObj( LDAPConnection conn, String dn ) { boolean status = true; LDAPModification[] mods = new LDAPModification[2]; LDAPAttribute testAuxClass = new LDAPAttribute( "objectclass", "testAuxClass" ); mods[0] = new LDAPModification( LDAPModification.ADD, testAuxClass); LDAPAttribute testAttr = new LDAPAttribute("testAttribute", "pagerUser"); mods[1] = new LDAPModification( LDAPModification.ADD, testAttr) ; try { conn.modify( dn, mods); System.out.println( "\t\tAdded auxiliary class to" + " test object successfully."); } catch( LDAPException e ) { System.out.println( "\t\tFailed to add auxiliary" + " class to test object."); System.out.println( "Error: " + e.toString() ); status = false; } return status; } // remove auxiliary class from test object public static boolean removeAuxClassFromTestObj( LDAPConnection conn, String dn ) { boolean status = true; LDAPModification[] mods = new LDAPModification[2]; LDAPAttribute testAuxClass = new LDAPAttribute( "objectclass", "testAuxClass" ); mods[0] = new LDAPModification( LDAPModification.DELETE, testAuxClass); LDAPAttribute testAttr = new LDAPAttribute("testAttribute", "pagerUser"); mods[1] = new LDAPModification( LDAPModification.DELETE, testAttr); try { conn.modify( dn, mods ); System.out.println( "\t\tRemoved auxiliary class from test" + " object successfully."); } catch( LDAPException e ) { System.out.println( "\t\tFailed to remove auxiliary class from" + " test object." ); System.out.println( "Error: " + e.toString() ); status = false; } return status; } } _________________________________________________________________ Hotmail has tools for the New Busy. Search, chat and e-mail from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:…

1 0

LDAP C API
by Покотиленко Костик 07 Jun '10

07 Jun '10

Did this message hit the list? Hi there, I'm writing GTK application for managing LDAP directory, a kind of GTK variant of phpldapadmin. As for now I'm able to browse directory, objects' probepries and their values. What is not clear is how to figure out the RDN and Required property, and Structural value. How it is done? -- Покотиленко Костик <casper(a)meteor.dp.ua>

2 4

Pam password authentication
by Indexer 07 Jun '10

07 Jun '10

Recently, i have hit a rather unique, and annoying, error with ldap. it seems that using pam with ldap, allows *any* password as valid. Im not really sure what i have done here, and any help would be apprecitaed. find my /etc/ldap.conf attached, as well as pam.d/ssh etc/ldap.conf base dc=chocolate,dc=lan suffix dc=chocolate,dc=lan uri ldap://ldap.chocolate.lan ldap_version 3 scope sub timelimit 3 bind_timelimit 3 bind_policy soft pam_filter objectclass=posixAccount pam_login_attribute uid pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan pam_member_attribute memberUid pam_password clear pam_password exop nss_base_passwd ou=Users,dc=chocolate,dc=lan?sub nss_base_shadow ou=Users,dc=chocolate,dc=lan?sub nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub ssl on ssl start_tls tls_cacert /usr/local/etc/openldap/keys/cacert.crt tls_checkpeer no pam.d/sshd auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass auth sufficient pam_unix.so no_warn try_first_pass account required pam_nologin.so account required pam_login_access.so account optional pam_unix.so account optional /usr/local/lib/pam_ldap.so session required pam_permit.so session optional /usr/local/lib/pam_ldap.so password sufficient /usr/local/lib/pam_ldap.so no_warn use_athtok use_first_pass password sufficient pam_unix.so no_warn try_first_pass

5 6

ldap with squid auth helper
by Gerardo Herzig 07 Jun '10

07 Jun '10

Hi all. Im triyng to use squid with the squid_ldap_group auth helper. The schema looks like o=Company | -Groups |-ProxyUsers |-Managers |-Sales Managers and Sales are OrganizationalUnit, ProxyUsers is GroupofUniqueNames Each entry of Managers and Sales inherits from PosixAccount and InetOrgPerson ProxyUsers entry for the user foo is: UniqueMember: uid=foo,ou=Managers,o=Company UniqueMember: uid=anotherfoo,ou=Sales,o=Company Inside the ProxyUsers can be people from Managers, Sales, and so. Im faliling to test squid_ldap_group from command line (i think the filters part) 1) Is there a way to test if the user foo is part of the ProxyUsers group? 2) It is possible to tell squid_ldap_group to look for uid=foo in Manager AND Sales, and if there is one try to use it? Like if the filter could be "(uid=foo) _AND_ (ou=Managers _OR_ ou=Sales)"? I hope to be clear with the question. Thanks! Gerardo

2 1

Scaling bottom-up - best practices?
by Jan Lühr 07 Jun '10

07 Jun '10

Hello, for some time now, we're using openldap 2.4.11 on debian lenny and everything is fine - but: We've to scale. Up to now our root-dn is dc=abc - our new root-dn ought to be: dc=xyz, having a subtree dc=abc,dc=xyz The root-dn is set in some application's configs as base dn, furthermore, it's referenced in ldap-entries (dynamic overlay-groups). Basically I can think of two strategies. a) Change the root-dn within the directory and in all applications depending on it (con: error prone - pro: clean result) b) Install a new server, proxy all requests to the old instance, removing dc=xyz on queries, add dc=xyz on responses. (con: complexity, pro: no changes in apps / Information depending on dc=abc) Have you had similar problems? What did you do to solve 'em? What strategy do you recommend? Thanks, Keep smiling yanosz

3 2

how to get DIT structure info
by owen nirvana 07 Jun '10

07 Jun '10

hi, I have a question. I want to manage some data by OpenLDAP, and I hope show them by tree structure when I list. So I want to get the DIT structure info and create the corresponding nodes in my treeview. so , how to do? gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

3 2

Bidirectional sync using openldap and active directory
by Benjamin MONTHOUEL 07 Jun '10

07 Jun '10

Hi, I'd like to know which method is recommended by openldap.org to perform a bidirectional sync with Microsoft Active Directory. This method has to notice that users changed their password by themselves. Kerberos token ??? Thanks for any information. -- Benjamin MONTHOUËL Systems Administrator Assistant NETASQ France - We Secure IT Villeneuve d'Ascq

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2010