openldap-technical September 2010

openldap-technical@openldap.org

111 participants
113 discussions

Can't start replication
by Alister Forbes 06 Sep '10

06 Sep '10

All, My situation is that I'm trying to get replication working between two instances of openldap 2.4.23, both running on RHEL5, both built with the same options, and db built under them with the same options, and both OS instances are the same (cloned VMs) I can see the two slapd's trying to communicate, but athough the passwords supplied in 'credentials' are definitely correct, I keep seeing the err=49 in the logs below I've been struggling with this for days now.. can anyone give me a hint what I've messed up? Also, I'm not sure if it's related, but I now can't change anything in the servers configs directly, I keep getting - ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral I think this is the behaviour you would expect when the server was a syncrepl slave, but these are supposed to be multi-mastered. Any help, greatfully received Alister output of ldapsearch: # {0}config, config dn: olcDatabase={0}config,cn=config olcSyncrepl: {0}rid=001 provider=ldap://10.211.55.8 binddn="cn=config" bindmet hod=simple credentials=cisco123 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=002 provider=ldap://10.211.55.11 binddn="cn=config" bindme thod=simple credentials=cisco123 searchbase="cn=config" type=refreshAndPersis t retry="5 5 300 5" timeout=1 Sep 3 14:08:59 rhel-lnx1 slapd[12715]: slap_client_connect: URI=ldap://10.211.55.11 DN="cn=config" ldap_sasl_bind_s failed (49) Sep 3 14:08:59 rhel-lnx1 slapd[12715]: do_syncrepl: rid=002 rc 49 retrying (1 retries left) Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 fd=9 ACCEPT from IP=10.211.55.11:33025 (IP=0.0.0.0:389) Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 op=0 BIND dn="cn=config" method=128 Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 op=0 RESULT tag=97 err=49 text= Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 op=1 UNBIND Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 fd=9 closed Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 fd=11 ACCEPT from IP=10.211.55.8:33001 (IP=0.0.0.0:389) Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 op=0 BIND dn="cn=config" method=128 Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 op=0 RESULT tag=97 err=49 text= Sep 3 14:09:04 rhel-lnx1 slapd[12715]: slap_client_connect: URI=ldap://10.211.55.8 DN="cn=config" ldap_sasl_bind_s failed (49) Sep 3 14:09:04 rhel-lnx1 slapd[12715]: do_syncrepl: rid=001 rc 49 retrying Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 op=1 UNBIND Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 fd=11 closed Sep 3 14:09:04 rhel-lnx1 slapd[12715]: slap_client_connect: URI=ldap://10.211.55.11 DN="cn=config" ldap_sasl_bind_s failed (49) Sep 3 14:09:04 rhel-lnx1 slapd[12715]: do_syncrepl: rid=002 rc 49 retrying Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 fd=9 ACCEPT from IP=10.211.55.11:33027 (IP=0.0.0.0:389) Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 op=0 BIND dn="cn=config" method=128 Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 op=0 RESULT tag=97 err=49 text= Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 op=1 UNBIND Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 fd=9 closed -- Alister Forbes TACSUNS _.|._.|._ Cisco Systems Please avoid sending me Word or PowerPoint attachments. See - http://www.gnu.org/philosophy/no-word-attachments.html

3 6

[Fwd: PAM not warning for password expiration]
by Dannie Obbink 06 Sep '10

06 Sep '10

-------- Forwarded Message -------- > From: Obbink, D. (Dannie) <dannie.obbink(a)vtspn.nl> > To: openldap-technical(a)openldap.org > Subject: PAM not warning for password expiration > Date: Thu, 22 Jul 2010 19:29:36 +0200 > > When users with an expired account try to log on to an application > making a bind using the user's own credentials, everything works as > expected; users cannot login, access gets denied. In the slapd > logging, the following message is displayed: > > Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an > expired password: 0 grace logins > > But when trying to log into PAM (ssh, su etc.), there is no warning > displayed the account is expired. The user is also allowed to login > normally. > > I've been Googling for a couple of days now, and can't really find the > culprit. > > I was especially interested in this thread: > http://www.openldap.org/lists/openldap-technical/201003/msg00197.html > > So, I've set pwdExpireWarning to 1 second less then pwdMaxAge. > > When I try to bind directly, such as with an ldapsearch, the logging > shows > > Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for > password expiry for uid=<user> = 4318121 seconds > > So, that seems to be correct. > But, when logging in via PAM, the log does not display the "setting > warning". > > <SNIP> > Thanks you for any responses, > Dannie Obbink Hello list, Well, I finally found a workaround which "works for me"; use SSSD (found in the EPEL repos for Redhat / Centos / Fedora and standard for RHEL6). SSSD, unlike pam_ldap, IS nice enough to warn me for impending password expiry. I found multiple bugs about this (really helps if you know what to search) such as https://bugzilla.redhat.com/show_bug.cgi?id=190256 and http://bugs.centos.org/view.php?id=4468&nbn=5 I just wanted to share with you all that this definitely looks like a pam_ldap bug. Sincerely, Dannie Obbink -------------------------Disclaimer------------------------------- De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming kregen dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is verboden. De informatie in dit e-mailbericht (en bijlagen) kan vertrouwelijk van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht en een verschoningsrecht. -------------------------------------------------------------------

2 1

Password history configuration for ldap users.
by Meghanand Acharekar 06 Sep '10

06 Sep '10

Hello, I have configured openldap server on RHEL 5.4 I also want to enforce strong password policies for my ldap users. for which i configured pam module on each ldap client in following way. (/etc/pam.d/system-auth) #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_tally.so onerr=fail deny=5 unlock_time=300 auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 \ reject_username password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5 password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so session optional pam_mkhomedir.so skel=/etc/skel umask=0066 I am having following problems with my configuration. 1. Although configured password history (pam_unix.so remember =5) is not working for ldap users, while other password policies (pam_cracklib,pam_tally) are working fine. 2. I also observed that I can't change/set any users password as root user (using passwd username). Following is my ldap client configuration file (ldap.conf). base dc=mycomp,dc=com bind_timelimit 120 idle_timelimit 3600 nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm pam_check_host_attr pam_password md5 ssl no timelimit 120 tls_cacertdir /etc/openldap/cacerts uri ldap://10.0.119.36 For further troubleshooting I observer my /var/log/secure file while changing ldap user's passwod. passwd: pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd but #getent passwd show me the username. Thanks in advance. -- Regards, Meghanand N. Acharekar " A proud GNU\Linux User " Reg Linux User #397975 ------------------------------------------ I was born free! No Gates and Windows can restrict my Freedom !!!

2 2

solaris 10 as client to openldap
by Isaac Hailperin 03 Sep '10

03 Sep '10

Hi, I am trying to set up an solaris 10 ldap client to work with an openldap server. The server serves the following profile: dn: cn=solarisbox,ou=profile,dc=acme,dc=de bindTimeLimit: 10 credentialLevel: anonymous cn: solarisbox profileTTL: 43200 searchTimeLimit: 30 defaultSearchScope: sub followReferrals: TRUE authenticationMethod: simple defaultSearchBase: dc=acme,dc=de objectClass: top objectClass: DUAConfigProfile defaultServerList: 192.168.0.5 On the solaris box, I issue: ldapclient -v init -a profileName=solarisbox 192.168.0.5 Parsing profileName=solarisbox Arguments parsed: profileName: solarisbox defaultServerList: 192.168.0.5 Handling init option About to configure machine by downloading a profile findBaseDN: begins findBaseDN: ldap not running findBaseDN: calling __ns_ldap_default_config() found 1 namingcontexts findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=acme.de))" rootDN[0] dc=acme,dc=de found baseDN dc=acme,dc=de for domain acme.de Proxy DN: NULL Proxy password: NULL Credential level: 0 Authentication method: 1 No proxyDN/proxyPassword required Shadow Update is not enabled, no adminDN/adminPassword is required. About to modify this machines configuration by writing the files Stopping network services Stopping sendmail [...] restart: milestone/name-services:default... success Error resetting system. Recovering old system settings. Stopping network services Stopping sendmail stop: sleep 100000 microseconds [...] top: network/ldap/client:default... restoring from maintenance state stop: network/ldap/client:default... failed: required constraint not met Stopping ldap failed with (1) Error (1) while stopping services during reset recover: stat(/var/ldap/restore/defaultdomain)=0 [...] I am not very familiar with solaris, so I just drop a few other things that I found that seemed related: cat /var/ldap/cachemgr.log [...] Thu Sep 2 17:02:19.4557 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found Thu Sep 2 17:02:19.4601 detachfromtty(): child failed (rc = 255). Thu Sep 2 17:32:56.9181 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log [...] I can confirm that /var/ldap/ldap_client_file does not exist. grep ldap /var/svc/log/* /var/svc/log/network-ldap-client:default.log:[ Sep 2 17:02:19 Executing start m ethod ("/lib/svc/method/ldap-client start") ] /var/svc/log/network-ldap-client:default.log:/usr/lib/ldap/ldap_cachemgr: failed . Please see syslog for details. /var/svc/log/svc.startd.log:Sep 2 17:32:57/458 ERROR: svc:/network/ldap/client: default: Method "/lib/svc/method/ldap-client start" failed with exit status 1. /var/svc/log/svc.startd.log:Sep 2 17:32:57/458: network/ldap/client:default fai led: transitioned to maintenance (see 'svcs -xv' for details) cat /var/adm/messages [...] Sep 2 17:32:56 unknown ldap_cachemgr[1134]: [ID 293258 daemon.error] libsldap: Status: 0 Mesg: Configuration Error: No entry for 'NS_LDAP_BINDDN' found Sep 2 17:32:56 unknown ldap_cachemgr[1133]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc = 255). Sep 2 17:32:57 unknown svc.startd[7]: [ID 652011 daemon.warning] svc:/network/ldap/client:default: Method "/lib/svc/method/ldap-client start" failed with exit status 1. [...] I had a look at another solaris 10 machine (which I did not set up). The file /var/ldap/ldap_client_file exists, but has no entry 'NS_LDAP_BINDDN'. Also, I can't find some sort of bindDN option to ldapclient, nor can I find an attribute of that kind for the profile. Any hints on how to get this working? Isaac

1 1

OID für caseExactIA5SubstringsMatch?
by Keutel, Jochen 02 Sep '10

02 Sep '10

Hello, there are 6 matching rules for IA5 strings: - caseExactIA5Match - caseIgnoreIA5Match - caseExactIA5SubstringsMatch - caseIgnoreIA5SubstringsMatch - caseExactIA5OrderingMatch - caseIgnoreIA5OrderingMatch Only three of them are defined in RFC4517: - caseExactIA5Match (1.3.6.1.4.1.1466.109.114.1) - caseIgnoreIA5Match (1.3.6.1.4.1.1466.109.114.2) - caseIgnoreIA5SubstringsMatch (1.3.6.1.4.1.1466.109.114.3) What are the OIDs for the other three matching rules? - in OpenLDAP - is there a standard? Regards, Jochen Keutel.

4 5

Re: custom hostname for openldap/sasl is not working
by Zaar Hai 02 Sep '10

02 Sep '10

On Thu, Sep 2, 2010 at 1:22 AM, Bill MacAllister <whm(a)stanford.edu> wrote: > > Simon Wilkinson discussed the problem on the Heimdal list. > > The problem is that both the client and the server must have a > matching idea of the service principal to use in establishing the > GSSAPI connection. > > The client will use ldap/ldap.uvm.edu, as that's the only name it > knows the server by. However, the server will end up using > ldap/hostname() and therefore the two won't match, and you'll get > these errors. So what sasl-host directive is good for? It does something in fact - if I enable it and set it to ldap.example.com, GSSAPI auth stop working with the same error. Also, I've tried to set server hostname to "ldap", and hostname --fqdn returned ldap.example.com, but this did not help either. -- Zaar

2 1

Re: Unix authentication in corporate AD
by Dan White 02 Sep '10

02 Sep '10

On 1/09/10 5:12 -0500, Dan White wrote: >On 01/09/10 12:05 -0400, Edsall, William (WJ) wrote: >>Hello, Just a few questions regarding authenticating OpenLDAP (centos >>5.4) to windows active directory. >> >>I'm able to bind, I've confirmed this by changing the bind password, and >>then the bind attempt fails. However I'm unable to authenticate. > >Could you clarify a few items? > >Are you binding directly to an OpenLDAP server or an Active Directory >Server? > >Which password are you changing, the user's password in Active Directory? > >>My attempt is always as follows: su: user blabla does not exist > >With regards to OpenLDAP, a successful bind is a success authentication. > >With something like su, your trouble may be related to a 3rd party PAM or >NSS module. How does su authenticate in your environment? On 02/09/10 10:25 -0400, Edsall, William (WJ) wrote: >Hello, > I am binding to an Active Directory server. > >When I say I change the password for testing, I'm changing the bind >password in the ldap.conf file. > >I believe PAM is using the ldap module: >passwd: files ldap >shadow: files ldap >group: files ldap > >The reason I used the binddn and bind password is because I know our >active directory setup does not allow anonymous binding. So as I understand it, you are not using the OpenLDAP server, but the OpenLDAP libraries in conjunction with a PAM ldap module. Do you know which PAM module you are using? The PADL one? If so, you may want to pose this problem on the pamldap(a)padl.com mailing list, or you could post a sanitized copy of your ldap configuration here to see if someone might recognize a problem. A general trouble shooting tip would be to find out what query your PAM ldap module is submitting to the Active Directory server, and attempting to reproduce it with an ldapwhoami command, and playing with the base/scope/filter settings until you get the expected response. -- Dan White

1 0

Unix authentication in corporate AD
by Edsall, William (WJ) 02 Sep '10

02 Sep '10

Hello, Just a few questions regarding authenticating OpenLDAP (centos 5.4) to windows active directory. I'm able to bind, I've confirmed this by changing the bind password, and then the bind attempt fails. However I'm unable to authenticate. My attempt is always as follows: su: user blabla does not exist No errors end up in the messages log. My question is .. could this be because the active directory I'm trying to authenticate against doesn't have any windows services for unix installed? Should that even matter if I can bind? _______________________________________ William J. Edsall

3 2

About Installation
by Murat Can Tuna 02 Sep '10

02 Sep '10

Hi, On every ubuntu introduction there is written "The installation process will prompt you for the LDAP directory admin password and confirmation." But I don't get such a prompt. What am I missing? I logged in over ssh, could it be the reason? Is there any way to give my password manually? Also dpkg-reconfigure slapd doesn't bring something, it asks just 3 questions about ldapv2 protocol and so. But on my own computer at home there isn't such a problem, I installed and configured everything without any problem. this is the version: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=9.10 DISTRIB_CODENAME=karmic DISTRIB_DESCRIPTION="Ubuntu 9.10" Thanks in Advance Murat Can Tuna

1 1

custom hostname for openldap/sasl is not working
by Zaar Hai 01 Sep '10

01 Sep '10

Good day, dear list! I'm trying to setup SASL GSSAPI authentication for openldap that listens on hostname different from the machine hostname it runs on. openldap runs on server inka.example.com. ldap/inka/example.com principal is added to ldap's keytab file. This command works just fine: ldapsearch -Y GSSAPI -H 'ldap://inka.example.com' Now: * I've added second IP to the inka.example.com * Added A record for ldap.example.com to point to that IP and setup corresponding PTR record. * Created ldap/ldap.example.com principal and added it ldap's keytab. * Even set openldap to listen only on ldap.example.com IP. But the command ldapsearch -Y GSSAPI -H 'ldap://ldap.example.com' fails with the following error in ldap log: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request) I see that client successfully obtains ticket for ldap/ldap.example.com(a)EXAMPLE.COM I've tried to set sasl-host to ldap.example.com and sasl-realm to EXAMPLE.COM in slapd.conf - did not help. I've even tried to do "hostname ldap" on inka.example.com and restart slapd - same error. >From what I understand, the slapd daemon will try, before connecting the KDC server, to read the keytab file and get the key of the principal ldap/<sasl-host>#<sasl-realm>, so it looks like I'm doing the right thing, but it does not work. System: Debian testing. slapd-2.4.17-2.1 sasl-2.1.23.dfsg1-5 MIT kerberos 1.8.3+dfsg~beta1-1 Thank you in advance for help, -- Zaar -- Zaar

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2010