OpenLDAP in Fedora with Mozilla NSS for crypto
by Rich Megginson
The Fedora Project, with Fedora 14 and later, is building OpenLDAP with
Mozilla NSS for crypto instead of OpenSSL. There will be a Fedora Test
Day on October 14, 2010 to test as many different applications with as
many different combinations of TLS/SSL settings as possible.
https://fedoraproject.org/wiki/Test_Day:2010-10-14_OpenLDAP/NSS
Please Help! You folks are the OpenLDAP experts, with experience
developing and using OpenLDAP in a wide variety of settings and
applications. We would appreciate any testing, test suggestions, bug
reports, etc.
12 years, 8 months
MozNSS support in openldap
by Silvan Marco Fin
Hi!
Is there any magic to be cast upon openldap to enable the MozNSS
support when compiling it? Perhaps I'm missing something, but there
doesn't seem to be a configure switch to enable NSS, like with Gnutls or
OpenSSL.
Kind regards,
Silvan
12 years, 8 months
Adding entries to cn=config
by Angel L. Mateo
Hello,
I'm migrating from an old openldap 2.3.30 to a 2.4.21 running on an
Ubuntu server, so I'm new to the cn=config database.
The problem I have is that I want to create a user under cn=config, so
I could configure the server without providing the password for
cn=config (I want to restrict the IPs from which that user could be used).
So I'm trying to add an entry like:
dn: cn=myuser,cn=config
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: myuser
userPassword: mypassword
but I'm getting the error:
Object class violation (65).
In the server's log I get:
Sep 27 12:52:04 canis10 slapd[10564]: conn=1018 op=2 ADD dn="cn=myuser,cn=config"
Sep 27 12:52:04 canis10 slapd[10564]: slap_queue_csn: queing 0x7f47bc1d8f10 20100927105204.422891Z#000000#001#000000
Sep 27 12:52:04 canis10 slapd[10564]: conn=1018 op=2 RESULT tag=105 err=65 text=
I have tried to add it with the server running in debug mode, and then
I get:
>>> dnPrettyNormal: <cn=myuser,cn=config>
=> ldap_bv2dn(cn=myuser,cn=config,0)
<= ldap_bv2dn(cn=myuser,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=myuser,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=myuser,cn=config)=0
<<< dnPrettyNormal: <cn=myuser,cn=config>, <cn=myuser,cn=config>
conn=1002 op=2 ADD dn="cn=myuser,cn=config"
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
=> access_allowed: add access to "cn=myuser,cn=config" "entry" requested
<= root access granted
=> access_allowed: add access granted by manage(=mwrscxd)
<= acl_access_allowed: granted to database root
oc_check_required entry (cn=myuser,cn=config), objectClass
"organizationalRole"
oc_check_required entry (cn=myuser,cn=config), objectClass
"simpleSecurityObject"
oc_check_allowed type "objectClass"
oc_check_allowed type "cn"
oc_check_allowed type "userPassword"
oc_check_allowed type "structuralObjectClass"
=> access_allowed: add access to "cn=config" "children" requested
<= root access granted
=> access_allowed: add access granted by manage(=mwrscxd)
conn=1002 op=2: config_add_internal: DN="cn=myuser,cn=config" no structural objectClass in configuration table
but organizationalRole is a structural object class. I have tried with
other objectclasses like person or inetOrgPerson, but I get the same result.
Could anybody help me?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información _o)
y las Comunicaciones Aplicadas (ATICA) / \\
http://www.um.es/atica _(___V
Tfo: 868887590
Fax: 868888337
12 years, 8 months
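An added example, not from the thread: the config backend only accepts entries whose structural class is one of its own olc* classes (which is what the "no structural objectClass in configuration table" error says), so the identity has to live in an ordinary data database and be granted rights on the config database by ACL instead. The bind DN uid=cfgadmin,ou=People,dc=example,dc=com and the client address 192.0.2.10 are assumed placeholders; olcDatabase={0}config,cn=config is the fixed entry of the config database.

```ldif
# Added example, not from the thread. Assumed values: the entry
# uid=cfgadmin,ou=People,dc=example,dc=com exists (with a userPassword)
# in the regular data database, and 192.0.2.10 is the only host from
# which that identity may manage cn=config.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact="uid=cfgadmin,ou=People,dc=example,dc=com" peername.ip=192.0.2.10 manage
  by * none
```

Both who-clauses on the first "by" line must match, so the same DN binding from another address gets nothing. Two caveats: the config database's olcRootDN bypasses ACLs entirely, so this restriction applies only to the named non-root identity, and peername.ip checks the TCP peer address, so it is only as strong as the network path to the server.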
Including schema in directory based config?
by Will Dowling
Hi Guys,
Hope this is the right list for this, haven't been lurking here
previously so I don't have a feel for things yet.
I'm upgrading our OpenLDAP servers to use directory based configuration
under Ubuntu/Lucid and am having some problems including the provided
Cosine and iNetOrgPerson schemas.
It appears that if I symlink the LDIF files from /etc/ldap/schema/ into
/etc/ldap/slapd.d/cn=config/cn=schema/ slapd will not start.
Running slapd in debug mode gives me the following output:
ldif_read_file: read entry file: "/etc/ldap/slapd.d//cn=config/cn=schema/cosine.ldif"
=> str2entry: "# RFC1274: Cosine and Internet X.500 schema
<snip contents of the LDIF file being read in>
=> ldap_bv2dn(cn=cosine,cn=schema,cn=config,0)
<= ldap_bv2dn(cn=cosine,cn=schema,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=cosine,cn=schema,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=cosine,cn=schema,cn=config)=0
<<< dnPrettyNormal: <cn=cosine,cn=schema,cn=config>,
<cn=cosine,cn=schema,cn=config>
<= str2entry(cn=cosine,cn=schema,cn=config) -> 0xb9124344
=> test_filter
PRESENT
=> access_allowed: search access to "cn=cosine,cn=schema,cn=config,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 6
: config_add_internal: DN="cn=cosine,cn=schema,cn=config,cn=schema,cn=config" not child of DN="cn=schema,cn=config"
config error processing cn=cosine,cn=schema,cn=config,cn=schema,cn=config:
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=32 matched="" text=""
The DN specified in the LDIF file is as follows:
dn: cn=cosine,cn=schema,cn=config
But it looks like when it's reading in the file, it's appending
cn=schema,cn=config (presumably from the configuration directory path),
as opposed to using the fully qualified DN.
Is there a way to fix this? I'm using packages to deploy software
configurations, and it doesn't make sense for us to inject this schema
with ldapadd (which seems to be the prescribed way of adding schema) to
get around this DN problem (and handle adding/removing it when upstream
updates the definitions - however infrequent/unlikely this is).
We also roll out our own schema definitions, but these have been
converted to LDIF and it's no big deal to have the DN: line set to
whatever will make slapd happy.
I hope this makes sense and that someone is able to help me understand
directory based configuration a little better.
Cheers :)
Will Dowling
T: +61 (08) 6364 4880
F: +61 (08) 6364 4881
E: will(a)autodeist.com
12 years, 8 months
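An added example, not from the thread, of the shape slapd expects for a schema file that is dropped directly into slapd.d: the file carries only the RDN of its entry (the directory path supplies cn=schema,cn=config, which is why the full DN from /etc/ldap/schema/cosine.ldif ends up doubled in the debug output), the RDN carries an ordering index, and the definitions are olcAttributeTypes/olcObjectClasses values. The filename cn={1}cosine.ldif and the index {1} assume that core is {0}; the single attribute shown is the textEncodedORAddress definition from the COSINE schema (RFC 1274), and the remaining definitions are elided.

```ldif
# Added example, not from the thread: contents of
# /etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
# (index {1} assumes cn={0}core.ldif already exists in the directory).
# Only the RDN appears; the parent DN comes from the directory path.
dn: cn={1}cosine
objectClass: olcSchemaConfig
cn: {1}cosine
olcAttributeTypes: {0}( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
```

The continuation lines (leading single space) are standard LDIF folding. Loading the stock file with ldapadd over ldapi:/// as the config rootdn produces exactly this kind of file, with the index and relative DN filled in by slapd, so a package that ships pre-rendered files in this form and a package that runs ldapadd in its post-install step end up with the same on-disk result.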
id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor,ou=People,dc=muncc,dc=loc uid
by Cole
Hello all,
I have an LDAP server that I can use for authentication. On this server I
can authenticate as these users locally and ldapsearch them, whatever. On
any of the LDAP clients, however, I can see them using an ldapsearch, but an
id or su will return no such user.
Example:
root@garion:~# ldapsearch -x uid=connor
# extended LDIF
#
# LDAPv3
# base <dc=muncc,dc=loc> (default) with scope subtree
# filter: uid=connor
# requesting: ALL
#
# connor, People, muncc.loc
dn: uid=connor,ou=People,dc=muncc,dc=loc
uid: connor
cn: connor
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 100
gecos: connor,,,
homeDirectory: /shared/home/connor
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
root@garion:~# id connor
id: connor: No such user
Now, I'm pretty sure that this must be an NSS or PAM problem, but the files
on the clients and the server seem to be configured the same. I can't seem
to pinpoint exactly what is wrong. Any suggestions?
Thanks in advance.
--
Cole Gleason
----------------------
Student, Marmion Academy
Email: cg(a)colegleason.com
Website: colegleason.com
12 years, 8 months
Re: id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor,ou=People,dc=muncc,dc=loc
by Cole
Sorry about the subject. I think I hit paste by accident.
On Mon, Sep 27, 2010 at 5:30 PM, Cole <colewashere(a)gmail.com> wrote:
> Hello all,
>
> I have an LDAP server that I can use for authentication. On this server I
> can authenticate as these users locally and ldapsearch them, whatever. On
> any of the LDAP clients, however, I can see them using an ldapsearch, but an
> id or su will return no such user.
> Example:
> root@garion:~# ldapsearch -x uid=connor
> # extended LDIF
> #
> # LDAPv3
> # base <dc=muncc,dc=loc> (default) with scope subtree
> # filter: uid=connor
> # requesting: ALL
> #
>
> # connor, People, muncc.loc
> dn: uid=connor,ou=People,dc=muncc,dc=loc
> uid: connor
> cn: connor
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 1002
> gidNumber: 100
> gecos: connor,,,
> homeDirectory: /shared/home/connor
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> root@garion:~# id connor
> id: connor: No such user
>
>
> Now, I'm pretty sure that this must be an NSS or PAM problem, but the files
> on the clients and the server seem to be configured the same. I can't seem
> to pinpoint exactly what is wrong. Any suggestions?
>
> Thanks in advance.
> --
> Cole Gleason
> ----------------------
> Student, Marmion Academy
> Email: cg(a)colegleason.com
> Website: colegleason.com
>
>
--
Cole Gleason
----------------------
Student, Marmion Academy
Email: cg(a)colegleason.com
Website: colegleason.com
12 years, 8 months
Overlaying a parent object
by Matthew Vale
Howdy Folks!,
I am currently using openldap on a centos 5.x box which is working fine. However, I was after some advice on configuring some of the overlays to get the results I am after.
The part I am looking at modifying is this: part of our ldap server, ou=Contacts,dc=example,dc=com, is reserved for our customer address book section.
We have chosen to structure our tree in a hierarchy that represents belonging, as follows.
Our three object types are:
A company is defined as objectClass 'top', 'organization'
A person is defined as objectClass 'top', 'organizationalPerson', 'inetOrgPerson'
A phone number is defined as objectClass 'top', 'room'
Under the root of the subtree can be either persons or companies
A company can contain persons or phone numbers
A person can contain phone numbers
The reason for arranging it like this, instead of assigning the phone number to the telephoneNumber field of a company or person, is to allow multiple numbers to be entered against an object and to name them (e.g. DDI, main, FAX, tech support, etc).
For most of our applications this is fine, as we have written them so they understand the hierarchy. My problem comes in specifically with VOIP phones that support an LDAP directory.
What I would like to do is manipulate the transparent overlay and rwm overlay. Take the following example:
dn: cn=Joe Blogs,cn=contacts,dc=example,dc=com
objectClass: top
objectClass: organizationalPerson
cn: Joe Blogs

dn: cn=DDI,cn=Joe Blogs,cn=contacts,dc=example,dc=com
objectClass: top
objectClass: room
cn: DDI
telephoneNumber: 101

dn: cn=main,cn=Joe Blogs,cn=contacts,dc=example,dc=com
objectClass: top
objectClass: room
cn: main
telephoneNumber: 100

The phone does an ldap query (&(objectClass=telephoneNumber)(telephoneNumber=100))
that would return the last example object, but would display the name as 'main'. What I was trying to do was overlay the parent object so it could use the cn from the parent object (or, even better, glue them together so we could get 'Joe Bloggs, main').
I understand the concept of the translucent overlay with something similar to the following, which would overlay the destination's cn attribute locally as description. The tricky bit is configuring rwm to rewrite the dn for the lookup to grab it from the parent.
Overlay translucent
Uri ldap://localhost
Lastmod off
Map attribute description cn
Installed version: openldap-servers-2.3.43-12.el5_5.2
12 years, 8 months
An LDAPS-related issue
by ctosgh
Hi, folks
I am using the APIs from openldap and recently ran into a problem that upset me. The following is the framework of the function.
#include <ldap.h>

int ldaps_func(void)
{
    LDAP *ld = NULL;
    char *uri = "ldaps://xxx.xxx.xxx:636";
    int version = LDAP_VERSION3;
    int reqcert = LDAP_OPT_X_TLS_DEMAND;
    .....
    /* options are set on the global defaults (NULL handle) before the handle exists */
    ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);       // using LDAP v3
    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);     // set LDAP_OPT_X_TLS_REQUIRE_CERT to demand
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "/tmp/ldapsCA/"); // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/
    ldap_initialize(&ld, uri);
    .....
    ldap_simple_bind(.....);
    ldap_search_ext(...);
    ......
    ldap_unbind(ld);
    .....
    return 0;
}
The above function is called in a while loop to authenticate users to an LDAPS server when an authentication request comes up. This function works fine. BUT after one successful authentication, if I delete the CA certificates for the server's certificate under /tmp/ldapsCA/, subsequent authentications will STILL succeed. If I restart this daemon, no authentication will succeed, because the CA certificates under /tmp/ldapsCA/ have been deleted.
Why do I delete the CA certificates under /tmp/ldapsCA/? I just want to simulate a "certificate change".
Is the openssl library caching something??
Does anyone have any ideas about this? I will really appreciate it.
Thanks,
Jacky
12 years, 8 months
Some feedback on MMR tools.
by Thomas Chemineau
Hi,
I post on the openldap-technical list because OpenLDAP MMR Tools was released
a few days ago. This is the first one. So, I hope that could interest someone
here. This project is not part of the OpenLDAP project.
OpenLDAP MMR Tools is designed to help system administrators deploy a
multimaster cluster with OpenLDAP 2.4.
For more information, you could visit this page:
http://tools.ltb-project.org/news/15
There are still bugs, missing features, etc. But it could be interesting
for the people behind the LTB Project to have some feedback.
Best regards,
Thomas.
--
Thomas Chemineau
12 years, 8 months