openldap-technical January 2011

openldap-technical@openldap.org

91 participants
107 discussions

OpenLDAP server as a proxy to AD and local auth db
by L.B. 25 Jan '11

25 Jan '11

Hi all - Thanks in advance. I know this topic has been discussed at length but I'm fairly new to it and haven't been able to find enough information to get my implementation working. I've been piecing together bits and pieces of what seems like the correct parameters, but I've had no luck... and now that I've resorted to guessing, I'd like to ask for help. So here's what I'm trying to achieve: One OpenLDAP server that will A) proxy for a backend AD server and B) maintain a local database for users that are not in AD. The AD system will be used for internal/corp users while the local db will be used for external/3rd party people. The AD system has _some_ of the unix schema attributes, but not all so I will be doing some rewriting on the openldap server. The linux workstations will use the single openldap server and will only be used by internal users and we also have some websites that are for internal/external users. For the time being, I'm just working on part A - proxy requests for these linux workstations to the backend AD server and get the proper mapping figured out. My present problem is that my openldap server is connecting anonymously to the AD server and that's no good because that's not allowed. I have a AD service account defined for the openldap server connections, and have configured the correct values for the 'idassert-bind' directive (see below). Performing a manual ldapsearch works fine when I define the same parameters on the command line, but slapd isn't using the correct parameters it seems. Below are the config files, etc for each component... I hope this helps. ./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com" -s sub -D "cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" -W I've compiled and installed bdb v4.8 and openldap v2.4.23 from source. Here's how I configured openldap: LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/cluster/centauth/BerkeleyDB.4.8/lib:/usr/local/ssl/lib" CPPFLAGS="-I/cluster/centauth/BerkeleyDB.4.8/include" LDFLAGS="-L/cluster/centauth/BerkeleyDB.4.8/lib" ./configure --prefix=/cluster/centauth/openldap2.4 --enable-shared --enable-crypt=yes --enable-rewrite=yes --enable-bdb=yes --enable-hdb=yes --enable-ldap=mod --enable-meta=mod --enable-monitor=yes --enable-relay=mod --enable-overlays=yes --with-cyrus-sasl --with-threads=posix --with-tls=openssl This is the client configuration on the linux workstation: # /etc/ldap.conf base dc=mascorp,dc=com scope sub timelimit 120 bind_timelimit 120 idle_timelimit 3600 uri ldap://sso.mascorp.com ssl no pam_password ad #eof This is the server config on the openldap server: # /cluster/centauth/etc/slapd.conf include /usr/share/openldap2.4/schema/core.schema include /usr/share/openldap2.4/schema/cosine.schema include /usr/share/openldap2.4/schema/inetorgperson.schema include /usr/share/openldap2.4/schema/nis.schema include /usr/share/openldap2.4/schema/misc.schema include /usr/share/openldap2.4/schema/corba.schema include /usr/share/openldap2.4/schema/openldap.schema include /usr/share/openldap2.4/schema/ppolicy.schema include /usr/share/openldap2.4/schema/ldapns.schema include /cluster/centauth/etc/schema/microsoft.minimal.schema pidfile /cluster/centauth/var/run/slapd.pid argsfile /cluster/centauth/var/run/slapd.args loglevel -1 monitoring on defaultsearchbase "dc=mascorp,dc=com" database ldap suffix "dc=mascorp,dc=com" uri "ldap://corp-ad.mascorp.com" acl-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret" idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret" overlay rwm rwm-map attribute uid sAMAccountName rwm-map attribute homeDirectory unixHomeDirectory rwm-map attribute cn cn rwm-map attribute displayName displayName rwm-map attribute givenName givenName rwm-map attribute sn sn rwm-map attribute mail mail rwm-map attribute userPassword objectGUID rwm-map attribute * rwm-map objectclass posixAccount organizationalPerson rwm-map objectclass inetOrgPerson user access to dn.subtree="dc=mascorp,dc=com" by * read #eof # Pertinent logs from ldap2.4.log Jan 20 00:13:57 sso slapd[30527]: do_bind: v3 anonymous bind Jan 20 00:13:57 sso slapd[30527]: ==> limits_get: conn=1000 op=1 self="[anonymous]" this="dc=mascorp,dc=com" Jan 20 00:13:57 sso slapd[30527]: send_ldap_result: err=1 matched="" text="00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece" Thanks! Rafa

2 1

slapd : segmentation violation with Mingw/MSYS
by Jean-François Berne 25 Jan '11

25 Jan '11

Hello * I need help from experienced users concerning openLDAP under Mingw : I get a SIGSEGV upon slapd invocation. Please take a look at what I did and tell what I do wrong. Perhaps someone already had this problem. The SIGSEGV is at the end. ----- SETUP and build openLDAP ----- 0. GCC 4.5.2, GNU Make 3.81, Mingw/MSYS on WinXP Home/SP3 1. openLDAP config is small: with TLS, no Cyrus-SASL, no Berkeley DB, none overlay. $ configure \ --disable-bdb --disable-hdb \ --disable-overlays \ --with-tls \ --prefix=/mingw/openldap-2.4.23 --build=i686-pc-mingw32 $ make > make_all.log 2>&1 $ make install > make_install.log 2>&1 Nothing fancy here. 2. For the sake of completion, here are the warnings of 'make all' - tls_o.c:666:4: warning: assignment discards qualifiers from pointer target type - threads.c:110:2: warning: '_sleep' is deprecated (declared at c:\mingw\bin\../lib/gcc/mingw32/4.5.2/../../../../include/stdlib.h:408) - In file included from passwd.c:85:0: ../../include/ldap_pvt.h:355:30: attention : 'struct timeval' declared inside parameter list ../../include/ldap_pvt.h:355:30: attention : visible uniquement depuis cette définition ou déclaration, ce qui n'est probablement pas ce que vous désirez Let me know if you detect something here. 3. for the time being I config'd slapd like this: .../etc/slapd.conf include C:\\MinGW\\openldap-2.4.23\\etc\\openldap/schema/core.schema pidfile C:\\MinGW\\openldap-2.4.23\\var/run/slapd.pid argsfile C:\\MinGW\\openldap-2.4.23\\var/run/slapd.args database "ldif" suffix "dc=(deleted),dc=org" rootdn "cn=Manager,dc=(deleted),dc=org" rootpw secret directory C:\\MinGW\\openldap-2.4.23\\var/openldap-data/ldif --- RUN --- 0. PATH = /mingw/openldap-2.4.23/libexec:/mingw/openldap-2.4.23/bin:.:/usr/local/bin:/mingw/bin:/bin:/c/WINDOWS/system32:/c/WINDOWS:/c/WINDOWS/System32/Wbem:/c/Programme/OpenSSH/bin:/c/Programme/GnuTLS-2.10.1/bin 1. gdb slapd 2. result: you can spot SIGSEGV right at the beginning. GNU gdb (GDB) 7.2 [...] This GDB was configured as "mingw32". [...] Reading symbols from C:\MinGW\openldap-2.4.23\libexec/slapd.exe...(no debugging symbols found)...done. (gdb) start Function "main" not defined. Make breakpoint pending on future shared library load? (y or [n]) n Starting program: C:\MinGW\openldap-2.4.23\libexec/slapd.exe [New Thread 3572.0xbbc] Program received signal SIGSEGV, Segmentation fault. 0x6086ec49 in msys-1!getuid () from C:\MinGW\msys\1.0\bin\msys-1.0.dll (gdb) quit Fazit : I am not experienced enough to know where to start looking. Any help will be appreciated. Thank you, JF

2 1

Starttls and SSL
by ldap＠mm.st 24 Jan '11

24 Jan '11

I am in the process of moving our older existing openldap server infrastructure that we use to authenticate multiple users to our Linux infrastructure to use RH5 openldap 2.3 server. The current ldap servers support starttls and listen on 389 and 636. We want to continue with this setup. While sniffing traffic using tcpdump and using various ldapsearch options I noticed that if the client doesn't request starttls or connect on 636 is is possible to grab a users ldap record and the transmission is in clear text. If I authenticate to the server using the -W option to ldapsearch the record is sent with the SSHA encrypted password. Also in the in the tcpdump stream my password I use to authenticate to the server is sent in clear text. I guess this behavior is expected since the server is listening on 389 and it is up to the client to initialize the starttls session, but I was wondering if there was a way to force the server to only use starttls on 398 and not rely on the the client to set up starttls? One option would be to only have the server start on 636 and not have it listen on 389, but we would like to keep the same functionality if possible. Am I missing something obvious? The only option that I see as a possiblity is the TLSVerifyClient { never | allow | try | demand } in slapd.conf. But, it's unclear to me if this will provide the desired effect.

2 1

how to compile openldap with database ldbm module?
by Olivier PAVILLA 24 Jan '11

24 Jan '11

Hi everyone. I'm on Debian Lenny 64bit. So I want to LDAP with database ldbm. But it appears there is no way on debian. I got openldap 2.4.23. I did ./configure --help It gave me this SLAPD Backend Options: --enable-backends enable all available backends no|yes|mod --enable-bdb enable Berkeley DB backend no|yes|mod [yes] --enable-dnssrv enable dnssrv backend no|yes|mod [no] --enable-hdb enable Hierarchical DB backend no|yes|mod There is no ldbm module anymore or what? -- Olivier Pavilla << 仕事を探しています。求職中です。>> S.C.I.R.C. Orléans (Bourgogne) - I.U.F.M. Centre-Val de Loire 72 Rue du Faubourg Bourgogne -45044 ORLEANS Cedex 1 Tel : 02-38-49-26-20 , mailto:olivier.pavilla@univ-orleans.fr http://blog.linux-squad.com - 僕の傑作です。 "Acheté un Iphone c'est cautionné l'esclavage humain..."

2 1

CLI remotes write, php remotes can't
by mike＠grounded.net 23 Jan '11

23 Jan '11

I'm trying to find leads on what else to look for with this problem. Locally, I can create users, etc. From remote centos servers, I can create and read account info from command line. However, from remotes using php-ldap, I cannot create users, only read. I'm not sure what to provide for info just yet as there are too many variables but on the other hand, someone might immediately know what the answer is. I suspect something to do with php-ldap, perhaps a config or something that's not allowing writes?

4 8

Exported group can't be imported again: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax
by Thomas Schweikle 22 Jan '11

22 Jan '11

Hi! I've exported groups from a ldap server. Importin the very same group fails: ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax schema inetorgperson is, among others included. The group I want to add: dn: cn=somegroup,ou=Groups,dc=example,dc=org objectClass: posixGroups objectClass: top gidNumer: 3000 cn: somegroup memberUid: someuser Command: # ldapadd -D cn=manager,dc=example,dc=org -W dn: cn=somegroup,ou=Groups,dc=example,dc=org objectClass: posixGroups objectClass: top gidNumer: 3000 cn: somegroup memberUid: someuser adding new entry "cn=somegroup,ou=Groups,dc=example,dc=org" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax Any ideas? -- Thomas

4 5

Kerberized LDAP not accessible
by Thomas Schweikle 22 Jan '11

22 Jan '11

Hi! I kerberized ldap: dn: cn=config objectClass: olcGlobal cn: config olcAuthzRegexp: uid=(.*),cn=example.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=example,dc=com olcSaslHost: srv.example.com olcSaslRealm: EXAMPLE.COM In /etc/ldap/ldap.conf: BASE dc=example,dc=com URI ldap://srv.example.com SASL_MECH GSSAPI In /etc/ldap.conf base dc=example,dc=com uri ldap://srv.example.com ldap_version 3 rootbinddn cn=adm,dc=example,dc=com pam_password md5 I now try to connect to my ldap server: client:~$ kinit user Password for user(a)EXAMPLE.COM: client:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: user(a)EXAMPLE.COM Valid starting Expires Service principal 01/21/11 11:32:03 01/21/11 21:32:03 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM renew until 01/22/11 11:31:58 client:~$ ldapsearch -H ldap://srv.example.com SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database client:~$ ldapsearch -D uid=user,dc=example,dc=com -H ldap://srv.example.com ldap_bind: Server is unwilling to perform (53) additional info: unauthenticated bind (DN with no password) disallowed The user in question exists: dn: cn=user user,ou=Users,dc=example,dc=com givenName: user sn: user cn: user user uid: user objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/user loginShell: /bin/zsh Any idea what is wrong? As far as I see: I do have a tgt and thus I shall be authenticated. But I am not granted access! Any idea why? -- Thomas

5 12

RE: How to enable 'pwdPolicySubentry' in ppolicy.schema
by Alexey Shalin 20 Jan '11

20 Jan '11

Thank you for your reply. But then how can I use this: dn: cn=search,ou=users,ou=my_dn changetype: modify add: pwdPolicySubentry pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn" I want to exclude user: search from default policy >From docs: Finally the account entry for the user(s) to whom this policy applies are modified to point to the specific policy using the following LDIF fragment: # point the users entry to the specific policy dn: cn=John Smith,ou=people,dc=example,dc=com changetype: modify add: pwdPolicySubentry pwdPolicy: "cn=user,ou=pwpolicies,dc=example,dc=com" ------------------------------------------------------------------------ ---- When I tried run it in my LDAP browser I got: Line 4, Column 0: Unexpected line found: 'pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"'. Line 4, Column 0: The 'add' modification operation must have at least one value specified (Attribute: 'pwdPolicySubentry'). Line 4: Unexpected end of LDIF file. The last record will not be committed. Import data complete. Elapsed time: 0:00. Entries processed: 0. Warning(s): 0, error(s): 3. Can you please tell may be another way, how to exclude user:search from: dn: cn=std, ou=ppolicy, ou=my_dn pwdCheckModule: check_password.so pwdMaxFailure: 6 pwdMustChange: TRUE pwdAttribute: userPassword pwdMinLength: 7 pwdSafeModify: FALSE pwdInHistory: 4 pwdGraceAuthNLimit: 3 pwdCheckQuality: 1 objectClass: pwdPolicy objectClass: top objectClass: device objectClass: pwdPolicyChecker pwdLockoutDuration: 18 pwdAllowUserChange: TRUE pwdExpireWarning: 432000 pwdLockout: TRUE pwdMaxAge: 7776000 Thank you -----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Friday, January 21, 2011 9:36 AM To: Alexey Shalin Cc: openldap-technical(a)openldap.org Subject: Re: How to enable 'pwdPolicySubentry' in ppolicy.schema Alexey Shalin wrote: > Hello, > > How to enable 'pwdPolicySubentry' in ppolicy.schema, I added this into > ppolicy.schema Never modify the schema files distributed with OpenLDAP. > attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23 > > NAME 'pwdPolicySubentry' > > DESC 'The pwdPolicy subentry in effect for this object' > > EQUALITY distinguishedNameMatch > > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > > SINGLE-VALUE > > USAGE directoryOperation ) > > But after that my slapd do not started. Of course. Schema files are only for defining user attributes. Operational attributes must be implemented in code and cannot be defined from a schema config file. This particular attribute is already implemented in the ppolicy overlay so there is no need to define it again anyway. > should I upgrade openldap to the last ver ? That would make no difference here, but it's always best to stay up to date. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ __________ Information from ESET NOD32 Antivirus, version of virus signature database 5804 (20110120) __________ The message was checked by ESET NOD32 Antivirus. http://www.esetnod32.ru/.ml __________ Information from ESET NOD32 Antivirus, version of virus signature database 5804 (20110120) __________ The message was checked by ESET NOD32 Antivirus. http://www.esetnod32.ru/.ml

1 0

How to enable 'pwdPolicySubentry' in ppolicy.schema
by Alexey Shalin 20 Jan '11

20 Jan '11

Hello, How to enable 'pwdPolicySubentry' in ppolicy.schema, I added this into ppolicy.schema attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation ) But after that my slapd do not started. bash-2.05# /usr/local/libexec/slapd -h ldaps:/// -d 259 @(#) $OpenLDAP: slapd 2.4.16 (May 23 2009 06:45:03) $ steve@solaris9:/bigdisk/SOURCES/S9/openldap-2.4.16/servers/slapd ldap_pvt_gethostbyname_a: host=rtps, r=0 daemon_init: listen on ldaps:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldaps:///) daemon: listener initialized ldaps:/// daemon_init: 2 listeners opened ldap_create slapd init: initiated server. slap_sasl_init: initialized! bdb_back_initialize: initialize BDB backend bdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008) hdb_back_initialize: initialize HDB backend hdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008) null_back_initialize: initialize null backend slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. bash-2.05# should I upgrade openldap to the last ver ? ------------------------------------------------------------------------------- С уважением, Алексей Шалин Системный Администратор Отдел системного администрирования ЗАО "Межбанковский процессинговый центр" 720083, Кыргызская Республика г. Бишкек, ул. Ауэзова 1/2 тел.: +996 (312) 637738 (вн. 138) факс: +996 (312) 637748 e-mail: a.shalin(a)ipc.kg

2 1

can be an hdb root?
by Christ Schlacta 20 Jan '11

20 Jan '11

can I create an hdb root of ? I would like to set up a server for testing, and i'm wondering if I can configure my server such that the root is essentially "", or "Empty String", so that I can add dc=testing,dc=com, or I can add ou=test1,...testn, or I can add anything else I want for experimenting with and learning how many features of openldap work, without having to constantly reconfigure my root, or be trapped in one awkwardly long root.

2 1

← Newer
1
2
3
4
5
6
7
...
11
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2011