openldap-technical September 2010

openldap-technical@openldap.org

111 participants
113 discussions

OpenLDAP in Fedora with Mozilla NSS for crypto
by Rich Megginson 28 Sep '10

28 Sep '10

The Fedora Project, with Fedora 14 and later, is building OpenLDAP with Mozilla NSS for crypto instead of OpenSSL. There will be a Fedora Test Day on October 14, 2010 to test as many different applications with as many different combinations of TLS/SSL settings as possible. https://fedoraproject.org/wiki/Test_Day:2010-10-14_OpenLDAP/NSS Please Help! You folks are the OpenLDAP experts, with experience developing and using OpenLDAP in a wide variety of settings and applications. We would appreciate any testing, test suggestions, bug reports, etc.

1 0

MoNSS support in openldap
by Silvan Marco Fin 28 Sep '10

28 Sep '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! Is there any magic to be cast upon openldap to enable the MozNSS support when compiling it? Perhaps I'm missing something, but there doesn't seem to be a configure switch to enable NSS, like with Gnutls or OpenSSL. Kind regards, Silvan -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyc3wAACgkQ9s/B3wYT4543twCfcdYTtJyeKbtiJoT8yFZblvDb 8DQAmwfZpxpoaHic1ZIpovUeH+jqzo1d =ih5n -----END PGP SIGNATURE-----

4 7

Adding entries to cn=config
by Angel L. Mateo 28 Sep '10

28 Sep '10

Hello, I'm migrating from an old openldap 2.3.30 to a 2.4.21 running in an ubuntu server, so I'm new with cn=config database. The problem I have is that I want to create a user under cn=config, so I could configure the server without providing the password for cn=config (I want to restrict the IPs from that user could be used). So I'm trying to add an entry like: dn: cn=myuser,cn=config changetype: add objectClass: organizationalRole objectClass: simpleSecurityObject cn: myuser userPassword: mypassword but I'm getting the error: Object class violation (65). In the server's log I get: Sep 27 12:52:04 canis10 slapd[10564]: conn=1018 op=2 ADD dn="cn=myuser,cn=config " Sep 27 12:52:04 canis10 slapd[10564]: slap_queue_csn: queing 0x7f47bc1d8f10 2010 0927105204.422891Z#000000#001#000000 Sep 27 12:52:04 canis10 slapd[10564]: conn=1018 op=2 RESULT tag=105 err=65 text= I have tried to add it with the server running in debug mode, and then I get: >>> dnPrettyNormal: <cn=myuser,cn=config> => ldap_bv2dn(cn=myuser,cn=config,0) <= ldap_bv2dn(cn=myuser,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=myuser,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=myuser,cn=config)=0 <<< dnPrettyNormal: <cn=myuser,cn=config>, <cn=myuser,cn=config> conn=1002 op=2 ADD dn="cn=myuser,cn=config" daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero => access_allowed: add access to "cn=myuser,cn=config" "entry" requested <= root access granted => access_allowed: add access granted by manage(=mwrscxd) <= acl_access_allowed: granted to database root oc_check_required entry (cn=myuser,cn=config), objectClass "organizationalRole" oc_check_required entry (cn=myuser,cn=config), objectClass "simpleSecurityObject" oc_check_allowed type "objectClass" oc_check_allowed type "cn" oc_check_allowed type "userPassword" oc_check_allowed type "structuralObjectClass" => access_allowed: add access to "cn=config" "children" requested <= root access granted => access_allowed: add access granted by manage(=mwrscxd) conn=1002 op=2: config_add_internal: DN="cn=myuser,cn=config" no structural objectClass in configuration table but organizationalRole is an structural object class. I have tried with other objectclasses like person or inetOrgPerson, but I get the same result. Could anybody help me? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 868887590 Fax: 868888337

3 7

Including schema in directory based config?
by Will Dowling 28 Sep '10

28 Sep '10

Hi Guys, Hope this is the right list for this, haven't been lurking here previously so I don't have a feel for things yet. I'm upgrading our OpenLDAP servers to use directory based configuration under Ubuntu/Lucid and am having some problems including the provided Cosine and iNetOrgPerson schemas. It appears that if I symlink the LDIF files from /etc/ldap/schema/ into /etc/ldap/slapd.d/cn=config/cn=schema/ slapd will not start. Running slapd in debug mode gives me the following output: ldif_read_file: read entry file: "/etc/ldap/slapd.d//cn=config/cn=schema/cosine.ldif" => str2entry: "# RFC1274: Cosine and Internet X.500 schema <snip contents of the LDIF file being read in> => ldap_bv2dn(cn=cosine,cn=schema,cn=config,0) <= ldap_bv2dn(cn=cosine,cn=schema,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=cosine,cn=schema,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=cosine,cn=schema,cn=config)=0 <<< dnPrettyNormal: <cn=cosine,cn=schema,cn=config>, <cn=cosine,cn=schema,cn=config> <= str2entry(cn=cosine,cn=schema,cn=config) -> 0xb9124344 => test_filter PRESENT => access_allowed: search access to "cn=cosine,cn=schema,cn=config,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) <= test_filter 6 : config_add_internal: DN="cn=cosine,cn=schema,cn=config,cn=schema,cn=config" not child of DN="cn=schema,cn=config" config error processing cn=cosine,cn=schema,cn=config,cn=schema,cn=config: send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=32 matched="" text="" The DN specified in the LDIF file is as follows: dn: cn=cosine,cn=schema,cn=config But it looks like when it's reading in the file, it's postpending cn=schema,cn=config (presumably from the configuration directory path), as opposed to using the fully qualified DN. Is there a way to fix this? I'm using packages to deploy software configurations, and it doesn't make sense for us to inject this schema with ldapadd (what seems to be the prescribed way) of adding schema to get around this DN problem (and handing adding/removing it when upstream updates the defintions - however infrequent/unlikely this is). We also roll out our own schema definitions, but these have been converted to LDIF and it's no big deal to have the DN: line set to whatever will make slapd happy. I hope this makes sense and that someone is able to help me understand directory based configuration a little better. Cheers :) Will Dowling T: +61 (08) 6364 4880 F: +61 (08) 6364 4881 E: will(a)autodeist.com

5 9

id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor,ou=People,dc=muncc,dc=loc uid
by Cole 27 Sep '10

27 Sep '10

Hello all, I have an LDAP server that I can use for authentication. On this server I can authenticate as these users locally and ldapsearch them, whatever. On any of the LDAP clients, however, I can see them using an ldapsearch, but an id or su will return no such user. Example: root@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc,dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor,ou=People,dc=muncc,dc=loc uid: connor cn: connor objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1002 gidNumber: 100 gecos: connor,,, homeDirectory: /shared/home/connor # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 root@garion:~# id connor id: connor: No such user Now, I'm pretty sure that this must be an NSS or PAM problem, but the files on the clients and the server seem to be configured the same. I can't seem to pinpoint exactly what is wrong. Any suggestions? Thanks in advance. -- Cole Gleason ---------------------- Student, Marmion Academy Email: cg(a)colegleason.com Website: colegleason.com

2 1

Re: id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor,ou=People,dc=muncc,dc=loc
by Cole 27 Sep '10

27 Sep '10

Sorry about the subject. I think I hit paste by accident. On Mon, Sep 27, 2010 at 5:30 PM, Cole <colewashere(a)gmail.com> wrote: > Hello all, > > I have an LDAP server that I can use for authentication. On this server I > can authenticate as these users locally and ldapsearch them, whatever. On > any of the LDAP clients, however, I can see them using an ldapsearch, but an > id or su will return no such user. > Example: > root@garion:~# ldapsearch -x uid=connor > # extended LDIF > # > # LDAPv3 > # base <dc=muncc,dc=loc> (default) with scope subtree > # filter: uid=connor > # requesting: ALL > # > > # connor, People, muncc.loc > dn: uid=connor,ou=People,dc=muncc,dc=loc > uid: connor > cn: connor > objectClass: account > objectClass: posixAccount > objectClass: top > objectClass: shadowAccount > shadowMax: 99999 > shadowWarning: 7 > loginShell: /bin/bash > uidNumber: 1002 > gidNumber: 100 > gecos: connor,,, > homeDirectory: /shared/home/connor > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > root@garion:~# id connor > id: connor: No such user > > > Now, I'm pretty sure that this must be an NSS or PAM problem, but the files > on the clients and the server seem to be configured the same. I can't seem > to pinpoint exactly what is wrong. Any suggestions? > > Thanks in advance. > -- > Cole Gleason > ---------------------- > Student, Marmion Academy > Email: cg(a)colegleason.com > Website: colegleason.com > > -- Cole Gleason ---------------------- Student, Marmion Academy Email: cg(a)colegleason.com Website: colegleason.com

1 0

help, how to manage the ACL dynamic by C api???
by wu johnson 27 Sep '10

27 Sep '10

null

2 1

Overlaying a parent object
by Matthew Vale 27 Sep '10

27 Sep '10

Howdy Folks!, I am currently using openldap on a centos 5.x box which is working fine. However I was after some advice on configuring some of the overlays to get the results I am after. The part I am looking at modifying is we currently have part of our ldap server ou=Contacts,dc=example,dc=com is reserved for our customer address book section. We have choose to structure our Tree under in a hierarchy that represents belonging as follows Our three object types are A company is defined as objectClass ‘top’, ’organization’ A Person is defined as objectClass ‘top’, ‘organizaionalPerson’, ’inetOrgPerson’ A phone Number is defined as objectClass ‘top’, ‘room’ Under the root of the subtree can be either persons or companies A company can contain persons or phone numbers A person can contain phone numbers The reason for arranging like this instead of assigning the phone number to the telephoneNumber field of a company or person is to allow multiple numbers to be entered against an object and name them (e.g. DDI, main, FAX, tech support, etc). For most of our applications this is fine as we have written so they understand the hierarchy. My problem comes in specifically with VOIP phones that support a LDAP directory. What I would like to do is manipulate the transparent overlay and rwm overlay take the following example dn: cn=Joe Blogs,cn=contacts,dc=example,dc=com objectClass: top objectClass: organizationalPerson cn: Joe Blogs dn: cn=DDI,cn=Joe Blogs,cn=contacts,dc=example,dc=com objectClass: top objectClass: room cn: DDI telephoneNumber: 101 dn: cn=main,cn=Joe Blogs,cn=contacts,dc=example,dc=com objectClass: top objectClass: room cn: main telephoneNumber: 100 the phone does a ldap query (&(objectClass=telephoneNumber)(telephoneNumber=100)) that would return the last example object, but would display the name as ‘main’ what I was trying to do was overlay the parent object so it could use the cn from the parent object (or even better glue them together so we could get ‘Joe Bloggs, main’) I understand the concept of the translucent overlay with something similar as follows that would overlay the destinations cn attribute locally as description. The tricky bit being configuring rwm to rewrite the dn for the lookup to grab it from the parent. Overlay translucent Uri ldap://localhost Lastmod off Map attribute description cn Installed version: openldap-servers-2.3.43-12.el5_5.2

1 0

A LDAPS related issue
by ctosgh 25 Sep '10

25 Sep '10

Hi, folks I am using the APIs from openldap and recently run into a problem which upset me. Following is the framework of the function. ldaps_func() { LDAP* ld = NULL; char * uri ="ldaps://xxx.xxx.xxx:636"; ..... ldap_set_option(...); //using LDAP v3 ldap_set_option(...); // set LDAP_OPT_X_TLS_REQUIRE_CERT to deman ldap_set_option(...); // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/ ldap_initialize(&ld, uri); ..... ldap_simple_bind(.....); ldap_search_ext(...); ...... ldap_unbind(ld); ..... return 0; } Above function is called in a while loop to authenticate users to a LDAPS server when authentication request comes up. This function works fine. BUT after one successful authentication, if I delete CA certificates of server's certificate under /tmp/ldapsCA/, subsequent authentications will STILL succeed. If restart this daemon, no authentication will succeed, because CA certificates under /tmp/ldapsCA/ has been deleted. Why I delete CA certificates under /tmp/ldapsCA/? I just want to simulate "certificate change". Is the openssl library cache someting?? Any one has any ideas about this? I will really appreciate it. Thanks, Jacky

4 8

Some feedbacks on MMR tools.
by Thomas Chemineau 25 Sep '10

25 Sep '10

Hi, I post on openldap-technical list because OpenLDAP MMR Tools was released few days ago. This is the first one. So, I hope that could interest someone here. This project is not part of the OpenLDAP project. OpenLDAP MMR Tools is designed to help system administrator to deploy a multimaster cluster with OpenLDAP 2.4. For more information, you could visit this page: http://tools.ltb-project.org/news/15 There are still bugs, missing features, etc. But it could be interresting for people behind LTB Project to have some feedbacks. Best regards, Thomas. -- Thomas Chemineau

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2010