OpenLDAP server as a proxy to AD and local auth db
by L.B.
Hi all -
Thanks in advance. I know this topic has been discussed at length but
I'm fairly new to it and haven't been able to find enough information
to get my implementation working. I've been piecing together bits and
pieces of what seems like the correct parameters, but I've had no
luck... and now that I've resorted to guessing, I'd like to ask for
help.
So here's what I'm trying to achieve:
One OpenLDAP server that will A) proxy for a backend AD server and B)
maintain a local database for users that are not in AD. The AD system
will be used for internal/corp users while the local db will be used
for external/3rd party people. The AD system has _some_ of the unix
schema attributes, but not all so I will be doing some rewriting on
the openldap server. The linux workstations will use the single
openldap server and will only be used by internal users and we also
have some websites that are for internal/external users.
For the time being, I'm just working on part A - proxy requests for
these linux workstations to the backend AD server and get the proper
mapping figured out.
My present problem is that my openldap server is connecting
anonymously to the AD server and that's no good because that's not
allowed. I have an AD service account defined for the openldap server
connections, and have configured the correct values for the
'idassert-bind' directive (see below). Performing a manual ldapsearch
works fine when I define the same parameters on the command line, but
slapd isn't using the correct parameters it seems. Below are the
config files, etc. for each component... I hope this helps.
./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com"
-s sub -D "cn=agis-ldap,ou=service
accounts,ou=administrators,dc=mascorp,dc=com" -W
I've compiled and installed bdb v4.8 and openldap v2.4.23 from source.
Here's how I configured openldap:
LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/cluster/centauth/BerkeleyDB.4.8/lib:/usr/local/ssl/lib"
CPPFLAGS="-I/cluster/centauth/BerkeleyDB.4.8/include"
LDFLAGS="-L/cluster/centauth/BerkeleyDB.4.8/lib" ./configure
--prefix=/cluster/centauth/openldap2.4 --enable-shared
--enable-crypt=yes --enable-rewrite=yes --enable-bdb=yes
--enable-hdb=yes --enable-ldap=mod --enable-meta=mod
--enable-monitor=yes --enable-relay=mod --enable-overlays=yes
--with-cyrus-sasl --with-threads=posix --with-tls=openssl
This is the client configuration on the linux workstation:
# /etc/ldap.conf
base dc=mascorp,dc=com
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://sso.mascorp.com
ssl no
pam_password ad
#eof
This is the server config on the openldap server:
# /cluster/centauth/etc/slapd.conf
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
include /usr/share/openldap2.4/schema/ldapns.schema
include /cluster/centauth/etc/schema/microsoft.minimal.schema
pidfile /cluster/centauth/var/run/slapd.pid
argsfile /cluster/centauth/var/run/slapd.args
loglevel -1
monitoring on
defaultsearchbase "dc=mascorp,dc=com"
database ldap
suffix "dc=mascorp,dc=com"
uri "ldap://corp-ad.mascorp.com"
acl-bind bindmethod=simple binddn="cn=agis-ldap,ou=service
accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service
accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute homeDirectory unixHomeDirectory
rwm-map attribute cn cn
rwm-map attribute displayName displayName
rwm-map attribute givenName givenName
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute userPassword objectGUID
rwm-map attribute *
rwm-map objectclass posixAccount organizationalPerson
rwm-map objectclass inetOrgPerson user
access to dn.subtree="dc=mascorp,dc=com"
by * read
#eof
# Pertinent logs from ldap2.4.log
Jan 20 00:13:57 sso slapd[30527]: do_bind: v3 anonymous bind
Jan 20 00:13:57 sso slapd[30527]: ==> limits_get: conn=1000 op=1
self="[anonymous]" this="dc=mascorp,dc=com"
Jan 20 00:13:57 sso slapd[30527]: send_ldap_result: err=1 matched=""
text="00000000: LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on the connection.,
data 0, vece"
Thanks!
Rafa
10 years, 2 months
slapd : segmentation violation with Mingw/MSYS
by Jean-François Berne
Hello *
I need help from experienced users concerning openLDAP under Mingw: I
get a SIGSEGV upon slapd invocation.
Please take a look at what I did and tell me what I am doing wrong. Perhaps
someone already had this problem.
The SIGSEGV is at the end.
-----
SETUP and build openLDAP
-----
0. GCC 4.5.2, GNU Make 3.81, Mingw/MSYS on WinXP Home/SP3
1. openLDAP config is small: with TLS, no Cyrus-SASL, no Berkeley DB,
no overlays.
$ configure \
--disable-bdb --disable-hdb \
--disable-overlays \
--with-tls \
--prefix=/mingw/openldap-2.4.23 --build=i686-pc-mingw32
$ make > make_all.log 2>&1
$ make install > make_install.log 2>&1
Nothing fancy here.
2. For the sake of completion, here are the warnings of 'make all'
- tls_o.c:666:4: warning: assignment discards qualifiers from pointer
target type
- threads.c:110:2: warning: '_sleep' is deprecated (declared at
c:\mingw\bin\../lib/gcc/mingw32/4.5.2/../../../../include/stdlib.h:408)
- In file included from passwd.c:85:0:
../../include/ldap_pvt.h:355:30: attention : 'struct timeval'
declared inside parameter list
../../include/ldap_pvt.h:355:30: attention : visible uniquement
depuis cette définition ou déclaration, ce qui n'est probablement pas ce
que vous désirez
Let me know if you detect something here.
3. for the time being I config'd slapd like this: .../etc/slapd.conf
include C:\\MinGW\\openldap-2.4.23\\etc\\openldap/schema/core.schema
pidfile C:\\MinGW\\openldap-2.4.23\\var/run/slapd.pid
argsfile C:\\MinGW\\openldap-2.4.23\\var/run/slapd.args
database "ldif"
suffix "dc=(deleted),dc=org"
rootdn "cn=Manager,dc=(deleted),dc=org"
rootpw secret
directory C:\\MinGW\\openldap-2.4.23\\var/openldap-data/ldif
---
RUN
---
0. PATH =
/mingw/openldap-2.4.23/libexec:/mingw/openldap-2.4.23/bin:.:/usr/local/bin:/mingw/bin:/bin:/c/WINDOWS/system32:/c/WINDOWS:/c/WINDOWS/System32/Wbem:/c/Programme/OpenSSH/bin:/c/Programme/GnuTLS-2.10.1/bin
1. gdb slapd
2. result: you can spot SIGSEGV right at the beginning.
GNU gdb (GDB) 7.2
[...] This GDB was configured as "mingw32".
[...] Reading symbols from
C:\MinGW\openldap-2.4.23\libexec/slapd.exe...(no debugging symbols
found)...done.
(gdb) start
Function "main" not defined.
Make breakpoint pending on future shared library load? (y or [n]) n
Starting program: C:\MinGW\openldap-2.4.23\libexec/slapd.exe
[New Thread 3572.0xbbc]
Program received signal SIGSEGV, Segmentation fault.
0x6086ec49 in msys-1!getuid () from C:\MinGW\msys\1.0\bin\msys-1.0.dll
(gdb) quit
Conclusion: I am not experienced enough to know where to start looking.
Any help will be appreciated.
Thank you,
JF
10 years, 2 months
Starttls and SSL
by ldap@mm.st
I am in the process of moving our older existing openldap server
infrastructure that we use to authenticate multiple users to our Linux
infrastructure to use RH5 openldap 2.3 server. The current ldap servers
support starttls and listen on 389 and 636. We want to continue with
this setup. While sniffing traffic using tcpdump and using various
ldapsearch options I noticed that if the client doesn't request starttls
or connect on 636 it is possible to grab a user's ldap record and the
transmission is in clear text. If I authenticate to the server using
the -W option to ldapsearch the record is sent with the SSHA encrypted
password. Also in the tcpdump stream my password I use to
authenticate to the server is sent in clear text.
I guess this behavior is expected since the server is listening on 389
and it is up to the client to initialize the starttls session, but I was
wondering if there was a way to force the server to only use starttls on
389 and not rely on the client to set up starttls? One option
would be to only have the server start on 636 and not have it listen on
389, but we would like to keep the same functionality if possible. Am I
missing something obvious? The only option that I see as a possibility is
the TLSVerifyClient { never | allow | try | demand } in slapd.conf.
But, it's unclear to me if this will provide the desired effect.
10 years, 2 months
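As an added example (not from either thread, and not OpenLDAP's own code), a small Python audit of a slapd.conf that flags the two cleartext paths these threads touch: the proxy's idassert-bind/acl-bind password sent to AD over plain ldap:// without starttls=yes, and the absence of a 'security ssf=/tls=' directive, which is what makes slapd refuse binds on port 389 until the client has negotiated StartTLS (TLSVerifyClient only governs client certificates). The config fragments and the placeholder credential are constructed for the example.

```python
import shlex

# Constructed slapd.conf fragments shaped like the proxy config in the thread; the credential is a placeholder.
WEAK = """\
database ldap
suffix "dc=mascorp,dc=com"
uri "ldap://corp-ad.mascorp.com"
idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="PLACEHOLDER"
"""
FIXED = """\
security tls=128
database ldap
suffix "dc=mascorp,dc=com"
uri "ldap://corp-ad.mascorp.com"
idassert-bind bindmethod=simple starttls=critical binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="PLACEHOLDER"
"""

def parse_slapd_conf(text):
    """[(directive, args)]; leading whitespace continues the previous line
    as in slapd.conf(5), '#' starts a comment, quotes group values."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.rstrip())
    return [(t[0].lower(), t[1:]) for t in map(shlex.split, logical) if t]

def _opts(args):
    """['bindmethod=simple', 'binddn=cn=x'] -> {'bindmethod': 'simple', ...}"""
    return dict(a.split("=", 1) for a in args if "=" in a)

def audit(text, min_ssf=128):
    """List settings that let passwords cross the network in cleartext."""
    findings, security, db_type, db_uri = [], {}, None, ""
    for directive, args in parse_slapd_conf(text):
        if directive == "security":
            security.update(_opts(args))
        elif directive == "database":
            db_type, db_uri = args[0].lower(), ""
        elif directive == "uri" and db_type == "ldap":
            db_uri = args[0].lower()
        elif directive in ("idassert-bind", "acl-bind") and db_type == "ldap":
            o = _opts(args)
            protected = db_uri.startswith("ldaps://") or o.get("starttls") in ("yes", "critical")
            if o.get("bindmethod") == "simple" and "credentials" in o and not protected:
                findings.append(f"{directive}: simple bind to {db_uri} without TLS "
                                "sends the proxy account password in cleartext")
    # 'security ssf=N' (or tls=N) makes slapd refuse operations on sessions weaker than N, so port-389 clients must StartTLS first.
    if max(int(security.get(k, 0)) for k in ("ssf", "tls")) < min_ssf:
        findings.append(f"no 'security ssf=/tls=' of at least {min_ssf}: "
                        "cleartext binds over ldap:// are accepted")
    return findings
```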
how to compile openldap with database ldbm module?
by Olivier PAVILLA
Hi everyone.
I'm on Debian Lenny 64bit.
So I want to run LDAP with the ldbm database. But it appears there is no way on
Debian.
I got openldap 2.4.23. I did ./configure --help
It gave me this
SLAPD Backend Options:
--enable-backends enable all available backends no|yes|mod
--enable-bdb enable Berkeley DB backend no|yes|mod [yes]
--enable-dnssrv enable dnssrv backend no|yes|mod [no]
--enable-hdb enable Hierarchical DB backend no|yes|mod
There is no ldbm module anymore or what?
--
Olivier Pavilla << I am looking for a job. Currently job-seeking. >>
S.C.I.R.C. Orléans (Bourgogne) - I.U.F.M. Centre-Val de Loire
72 Rue du Faubourg Bourgogne -45044 ORLEANS Cedex 1
Tel : 02-38-49-26-20 , mailto:olivier.pavilla@univ-orleans.fr
http://blog.linux-squad.com - My masterpiece.
"Buying an iPhone is condoning human slavery..."
10 years, 2 months
CLI remotes write, php remotes can't
by mike@grounded.net
I'm trying to find leads on what else to look for with this problem.
Locally, I can create users, etc.
From remote centos servers, I can create and read account info from command line.
However, from remotes using php-ldap, I cannot create users, only read.
I'm not sure what to provide for info just yet as there are too many variables but on the other hand, someone might immediately know what the answer is.
I suspect something to do with php-ldap, perhaps a config or something that's not allowing writes?
10 years, 2 months
Exported group can't be imported again: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax
by Thomas Schweikle
Hi!
I've exported groups from an ldap server. Importing the very same
group fails:
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
The inetorgperson schema is included, among others.
The group I want to add:
dn: cn=somegroup,ou=Groups,dc=example,dc=org
objectClass: posixGroups
objectClass: top
gidNumer: 3000
cn: somegroup
memberUid: someuser
Command:
# ldapadd -D cn=manager,dc=example,dc=org -W
dn: cn=somegroup,ou=Groups,dc=example,dc=org
objectClass: posixGroups
objectClass: top
gidNumer: 3000
cn: somegroup
memberUid: someuser
adding new entry "cn=somegroup,ou=Groups,dc=example,dc=org"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
Any ideas?
--
Thomas
10 years, 2 months
Kerberized LDAP not accessible
by Thomas Schweikle
Hi!
I kerberized ldap:
dn: cn=config
objectClass: olcGlobal
cn: config
olcAuthzRegexp: uid=(.*),cn=example.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=example,dc=com
olcSaslHost: srv.example.com
olcSaslRealm: EXAMPLE.COM
In /etc/ldap/ldap.conf:
BASE dc=example,dc=com
URI ldap://srv.example.com
SASL_MECH GSSAPI
In /etc/ldap.conf
base dc=example,dc=com
uri ldap://srv.example.com
ldap_version 3
rootbinddn cn=adm,dc=example,dc=com
pam_password md5
I now try to connect to my ldap server:
client:~$ kinit user
Password for user@EXAMPLE.COM:
client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM
Valid starting Expires Service principal
01/21/11 11:32:03 01/21/11 21:32:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 01/22/11 11:31:58
client:~$ ldapsearch -H ldap://srv.example.com
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in
database
client:~$ ldapsearch -D uid=user,dc=example,dc=com -H
ldap://srv.example.com
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password)
disallowed
The user in question exists:
dn: cn=user user,ou=Users,dc=example,dc=com
givenName: user
sn: user
cn: user user
uid: user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user
loginShell: /bin/zsh
Any idea what is wrong? As far as I see:
I do have a tgt and thus I shall be authenticated. But I am not
granted access! Any idea why?
--
Thomas
10 years, 2 months
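As an added illustration (not from the post and not slapd's code), this Python model applies an olcAuthzRegexp rule the way slapd does after a successful GSSAPI bind and shows why the rule above cannot grant access: it rewrites the Kerberos identity to uid=user,ou=Users,dc=example,dc=com, but the entry's DN is cn=user user,ou=Users,..., so the mapped DN does not exist, whereas the search-URL form of the rule locates the entry by its uid. The ENTRIES list and both rule sets are constructed; the separate symptom that ldapsearch negotiated DIGEST-MD5 rather than GSSAPI is outside this example.

```python
import re
from urllib.parse import unquote

# Constructed directory content in the shape of the entry shown in the post.
ENTRIES = [{"dn": "cn=user user,ou=Users,dc=example,dc=com", "uid": "user", "cn": "user user"}]
# The post's rule: rewrite to a DN that then must exist verbatim.
DN_RULE = [(r"uid=(.*),cn=example.com,cn=gssapi,cn=auth", "uid=$1,ou=Users,dc=example,dc=com")]
# Search-URL form: find the entry under the base by uid instead of guessing its RDN.
URL_RULE = [(r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
             "ldap:///ou=Users,dc=example,dc=com??sub?(uid=$1)")]

def gssapi_authc_dn(principal):
    """A Kerberos principal user@REALM reaches authz-regexp as the SASL
    authentication DN uid=<user>,cn=<realm>,cn=gssapi,cn=auth (realm
    lower-cased here; matching below is case-insensitive either way)."""
    user, realm = principal.split("@", 1)
    return f"uid={user},cn={realm.lower()},cn=gssapi,cn=auth"

def apply_authz_regexp(rules, authc_dn):
    """First matching (regexp, replacement) wins; $1..$9 are back-references.
    Matching is case-insensitive, as slapd compiles these patterns."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None

def resolve(identity, entries):
    """Turn the rewritten identity into an entry: a DN must exist exactly; an
    ldap:///base??sub?(attr=value) URL is searched and must hit one entry."""
    if not identity:
        return None
    if not identity.lower().startswith("ldap:///"):
        by_dn = {e["dn"].lower(): e for e in entries}
        return by_dn.get(identity.lower())
    base, _attrs, scope, filt = identity[len("ldap:///"):].split("?", 3)
    attr, _, value = unquote(filt).strip("()").partition("=")
    hits = [e for e in entries
            if scope.lower() == "sub" and e["dn"].lower().endswith("," + base.lower())
            and e.get(attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None   # slapd needs exactly one match
```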
RE: How to enable 'pwdPolicySubentry' in ppolicy.schema
by Alexey Shalin
Thank you for your reply.
But then how can I use this:
dn: cn=search,ou=users,ou=my_dn
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,ou=my_dn"
I want to exclude user: search from default policy
From the docs:
Finally the account entry for the user(s) to whom this policy applies
are modified to point to the specific policy using the following LDIF
fragment:
# point the users entry to the specific policy
dn: cn=John Smith,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicy: "cn=user,ou=pwpolicies,dc=example,dc=com"
----------------------------------------------------------------------------
When I tried run it in my LDAP browser I got:
Line 4, Column 0: Unexpected line found: 'pwdPolicy:
"cn=user,ou=pwpolicies,ou=my_dn"'.
Line 4, Column 0: The 'add' modification operation must have at least
one value specified (Attribute: 'pwdPolicySubentry').
Line 4: Unexpected end of LDIF file. The last record will not be
committed.
Import data complete. Elapsed time: 0:00. Entries processed: 0.
Warning(s): 0, error(s): 3.
Can you please tell me if there is maybe another way to exclude the user "search" from:
dn: cn=std, ou=ppolicy, ou=my_dn
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 7
pwdSafeModify: FALSE
pwdInHistory: 4
pwdGraceAuthNLimit: 3
pwdCheckQuality: 1
objectClass: pwdPolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
pwdLockoutDuration: 18
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdMaxAge: 7776000
Thank you
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, January 21, 2011 9:36 AM
To: Alexey Shalin
Cc: openldap-technical@openldap.org
Subject: Re: How to enable 'pwdPolicySubentry' in ppolicy.schema
Alexey Shalin wrote:
> Hello,
>
> How to enable 'pwdPolicySubentry' in ppolicy.schema, I added this into
> ppolicy.schema
Never modify the schema files distributed with OpenLDAP.
> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23
> NAME 'pwdPolicySubentry'
> DESC 'The pwdPolicy subentry in effect for this object'
> EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> SINGLE-VALUE
> USAGE directoryOperation )
>
> But after that my slapd does not start.
Of course.
Schema files are only for defining user attributes. Operational
attributes must be implemented in code and cannot be defined from a
schema config file.
This particular attribute is already implemented in the ppolicy overlay
so there is no need to define it again anyway.
> Should I upgrade openldap to the latest version?
That would make no difference here, but it's always best to stay up to
date.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10 years, 2 months
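As an added example that is not from either post, a small Python LDIF pre-check that catches both failures seen in this thread and in the "Exported group can't be imported again" thread above: objectClass values and attribute names that no loaded schema defines (posixGroups, gidNumer), and a changetype: modify record whose value line names a different attribute than its add: line (pwdPolicy: under add: pwdPolicySubentry). The schema name sets are a hand-picked subset and the two LDIF samples are constructed.

```python
# Constructed: a hand-picked subset of core/cosine/nis/inetorgperson/ppolicy schema names, not a full schema.
KNOWN_OBJECTCLASSES = {"top", "person", "organizationalperson", "inetorgperson",
                       "posixaccount", "posixgroup", "groupofnames", "pwdpolicy", "device"}
KNOWN_ATTRIBUTES = {"objectclass", "cn", "sn", "givenname", "uid", "uidnumber", "gidnumber",
                    "memberuid", "homedirectory", "loginshell", "userpassword", "mail",
                    "description", "pwdpolicysubentry"}
# Constructed LDIF in the shape of the two posts (example DNs).
GROUP_LDIF = """\
dn: cn=somegroup,ou=Groups,dc=example,dc=org
objectClass: posixGroups
objectClass: top
gidNumer: 3000
cn: somegroup
memberUid: someuser
"""
POLICY_LDIF = """\
dn: cn=search,ou=users,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicy: cn=user,ou=pwpolicies,dc=example,dc=com
"""

def parse_ldif(text):
    """Records of (attribute, value); a leading space folds onto the previous line (RFC 2849), '#' is a comment, a blank line ends a record."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] = (current[-1][0], current[-1][1] + raw[1:])
        elif raw.strip() == "":
            if current:
                records.append(current)
            current = []
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            current.append((attr.strip(), value.strip()))
    return records

def validate(text):
    """Findings slapd would reject: unknown objectClass values or attribute names in entries, and modify value lines naming the wrong attribute."""
    findings = []
    for rec in parse_ldif(text):
        attrs = {a.lower(): v for a, v in rec}
        dn, target = attrs.get("dn", "?"), None
        for attr, value in rec:
            a = attr.lower()
            if a in ("dn", "changetype"):
                continue
            if attrs.get("changetype", "").lower() == "modify":
                if a in ("add", "replace", "delete", "-"):
                    target = None if a == "-" else value   # '-' separates modify ops
                elif target and a != target.lower():
                    findings.append(f"{dn}: value line '{attr}:' after 'add/replace: {target}' names a different attribute")
            elif a not in KNOWN_ATTRIBUTES:
                findings.append(f"{dn}: unknown attribute '{attr}'")
            elif a == "objectclass" and value.lower() not in KNOWN_OBJECTCLASSES:
                findings.append(f"{dn}: unknown objectClass '{value}' (value invalid per syntax)")
    return findings
```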
How to enable 'pwdPolicySubentry' in ppolicy.schema
by Alexey Shalin
Hello,
How to enable 'pwdPolicySubentry' in ppolicy.schema? I added this into ppolicy.schema:
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
USAGE directoryOperation )
But after that my slapd does not start.
bash-2.05# /usr/local/libexec/slapd -h ldaps:/// -d 259
@(#) $OpenLDAP: slapd 2.4.16 (May 23 2009 06:45:03) $
steve@solaris9:/bigdisk/SOURCES/S9/openldap-2.4.16/servers/slapd
ldap_pvt_gethostbyname_a: host=rtps, r=0
daemon_init: listen on ldaps:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldaps:///)
daemon: listener initialized ldaps:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008)
null_back_initialize: initialize null backend
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
bash-2.05#
Should I upgrade openldap to the latest version?
-------------------------------------------------------------------------------
Best regards,
Alexey Shalin
System Administrator
System Administration Department
CJSC "Interbank Processing Center"
720083, Kyrgyz Republic
Bishkek, Auezov St. 1/2
tel.: +996 (312) 637738 (ext. 138)
fax: +996 (312) 637748
e-mail: a.shalin@ipc.kg
10 years, 2 months
can be an hdb root?
by Christ Schlacta
Can I create an hdb root of ? I would like to set up a server for testing,
and I'm wondering if I can configure my server such that the root is
essentially "", or "Empty String", so that I can add dc=testing,dc=com, or I
can add ou=test1,...testn, or I can add anything else I want for
experimenting with and learning how many features of openldap work, without
having to constantly reconfigure my root, or be trapped in one awkwardly
long root.
10 years, 2 months