Re: [Autofs for Linux and OSX] back-relay ? aliases ?
by Frava
Well, if your automount information is not the same on both OSes then you
clearly have to duplicate/arrange it ;).
People here use several programs which save the working directory for each
project. That (and the fact that users can log onto whatever workstation they
want to) makes me mount all the NFS directories in the same place on each
computer.
Cheers,
Rafael.
2011/10/28 myron <kowalskM(a)cs.moravian.edu>
> I ran into the same config issue. I ended up duplicating the maps because I
> had the macs mount on /home and linux on /users;
> otherwise, I would have just renamed the auto maps on either OS to be the
> same.
>
> --myron
> =================================
> Myron Kowalski
> MoCoSIN Network/Systems Administrator
> Moravian College
> myron(a)cs.moravian.edu
>
>
>
>
> On Oct 28, 2011, at 10:13 AM, Frava wrote:
>
>> Hello,
>>
>> I'm configuring Autofs maps via OpenLDAP for some OS X (10.5/6/7) and
>> Linux CentOS (5/6) boxes, and I'm running into a little problem.
>>
>> OS X needs to have an "automountMapName=auto_master" and
>> "automountMapName=auto_home" located in
>> "cn=automountMap,dc=subnet,dc=example,dc=com"
>> Linux needs to have an "automountMapName=auto.master" and
>> "automountMapName=auto.home" located wherever I want in
>> "dc=subnet,dc=example,dc=com"
>>
>> The entries contained in "automountMapName=auto_home" and
>> "automountMapName=auto.home" will be exactly the same ones, so
>> what is the best way to implement it without duplicating them? Using
>> aliases or rwm+relay?
>>
>> Cheers,
>> Rafael.
>>
>
>
12 years, 1 month
Re: LDAP + Freeradius + Samba
by Andreas Rudat
On 28.10.2011 09:44, Stewart Walters wrote:
> On any given Linux system (assuming that's what you're using), NSS and PAM do all the authentication.
>
> In terms of client tools, they link to (and therefore leverage) NSS and PAM, which OpenLDAP plugs in to.
>
> It's often irrelevant if you use ntlm_pam, mschap, samba+winbind, pam_ldap, freeradius, Authz or any other client tool. They all link back to NSS and PAM, which when configured correctly plugs in to OpenLDAP.
>
> Stewart
Ok thanks, but if I don't misunderstand the documentation, then it only
works with clear passwords? But is it safe enough then? Because PEAP
isn't supported then either.
Andreas
>
> On 28/10/2011, at 2:49 PM, Andreas Rudat <rudat(a)endstelle.de> wrote:
>
>> On 28.10.2011 04:28, Stewart Walters wrote:
>>> Freeradius already supports posixAccount attributes for LDAP account authentication - check the Freeradius website for a howto.
>>>
>>> Freeradius and OpenLDAP also support the storing of 802.1x attributes using the RADIUS schema.
>>>
>>> There are numerous howtos available on the web for how to implement either.
>>>
>>>
>>>
>>>
>>> On 28/10/2011, at 3:28 AM, Andreas Rudat <rudat(a)endstelle.de> wrote:
>>>
>>>> Hello,
>>>>
>>>> I got openldap running as user db for samba, now I want to use it also
>>>> as database for radius. I think it should be possible to use it without
>>>> big modifications, or not?
>>>>
>>>> Thanks
>>>>
>> ok thanks, I will look. Another question is, do I need any other
>> client tools for windows/linux? At the moment I'm using ntlm_auth + mschap
>>
>> Andreas
>>
>> --
>>
>> -----BEGIN PGP PUBLIC KEY BLOCK-----
>> Version: GnuPG v2.0.17 (MingW32)
>>
>> mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p
>> YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1
>> QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp
>> gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r
>> STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH
>> YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9
>> jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S
>> wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf
>> wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl
>> LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
>> CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih
>> XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt
>> PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR
>> hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo
>> YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh
>> bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn
>> tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1
>> teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv
>> 33k4P9hxJKHNqLYJN+Gn
>> =UaS9
>> -----END PGP PUBLIC KEY BLOCK-----
>>
12 years, 1 month
back-config and Post Read Control?
by Michael Ströder
Hi!
Does back-config support the Post Read Control? That would be handy for
retrieving the renumbered DN after an Add or Modify request.
Ciao, Michael.
12 years, 1 month
Re: LDAP + Freeradius + Samba
by Andreas Rudat
On 28.10.2011 04:28, Stewart Walters wrote:
> Freeradius already supports posixAccount attributes for LDAP account authentication - check the Freeradius website for a howto.
>
> Freeradius and OpenLDAP also support the storing of 802.1x attributes using the RADIUS schema.
>
> There are numerous howtos available on the web for how to implement either.
>
>
>
>
> On 28/10/2011, at 3:28 AM, Andreas Rudat <rudat(a)endstelle.de> wrote:
>
>> Hello,
>>
>> I got openldap running as user db for samba, now I want to use it also
>> as database for radius. I think it should be possible to use it without
>> big modifications, or not?
>>
>> Thanks
>>
ok thanks, I will look. Another question is, do I need any other
client tools for windows/linux? At the moment I'm using ntlm_auth + mschap
Andreas
12 years, 1 month
Referral and Chain configuration and multiple directories
by sim sim
Hi All,
I have an LDAP server running with all users and respective groups, say
(a.example.net). I was wondering if there is any way I could separate the user
subtree into another OpenLDAP server (b.example.net) and still be able to
define those users as members of groups in a.example.net (for a new
requirement). Basically I want to separate the user repository (which is global)
from all other subsystems like my groups or organizational units which
contain these users as members. If it's possible, please point me to the
documentation; I tried searching all over but could not find enough examples
of Referrals or proxying. Another thing I would like to understand is whether
it is a good idea to create another directory server just for user
authentication and reads, and how common that is? Or should I consider replication?
Thanks for the help and support.
12 years, 1 month
LDAP + Freeradius + Samba
by Andreas Rudat
Hello,
I got openldap running as user db for samba, now I want to use it also
as database for radius. I think it should be possible to use it without
big modifications, or not?
Thanks
12 years, 1 month
New overlay, your opinion?
by Johan Jakus
Hi everyone,
I've been developing an overlay and I have arrived at a well-working solution.
But I would really appreciate your opinions about it before sending it to
the contribs.
You can see my source on my site:
http://www.dataworld.be/johan/openldap/parsearch/parsearch.htm
Since I'm a student and I needed to do this for my internship,
I will have to write a report on how to write an overlay for OpenLDAP;
I'll be glad to share it as a tutorial for the next overlay developers.
Thanks a lot!
Johan Jakus
12 years, 1 month
password-policy configuration problems: cannot change passwords
by Marco Weber
Hello,
I'm running openldap with the password policy overlay. After the overlay installation and configuration, we cannot change the passwords anymore.
ldappasswd -D cn=username,dc=domain,dc=tld -S -W
New password: ********
Re-enter new password: ********
Enter LDAP Password: ********
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
this is my default password policy:
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE
this is my password policy configuration:
dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE
Does anyone know what to do?
Thanks in advance for any reply,
Marco
12 years, 1 month
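The server's reply above says the policy "only allows one password value". As an added example (my own code, not part of Marco's message or of OpenLDAP), the script below reads an LDIF export, lists every entry that already carries more than one userPassword value (a state that the quoted constraint rejects), and runs a few sanity rules over a pwdPolicy entry. The LDIF sample is constructed: the policy values are the ones quoted in the question, the user entries and their hashes are placeholders.

```python
import base64

# Constructed sample export (not from the thread): the policy entry's values are the
# ones quoted in the question; the two user entries are made up and the hashes are
# placeholders, not real credentials.
SAMPLE_LDIF = """\
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: pwdPolicy
cn: password-policy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdMinAge: 180
pwdExpireWarning: 604800
pwdInHistory: 3

dn: uid=alice,ou=people,dc=domain,dc=tld
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9ZXhhbXBsZQ==

dn: uid=bob,ou=people,dc=domain,dc=tld
objectClass: inetOrgPerson
uid: bob
userPassword:: e1NTSEF9ZXhhbXBsZQ==
userPassword: {SSHA}second-value-placeholder
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    skips comments, and returns one {attr: [values]} dict per entry (dn included)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # RFC 2849 line folding
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def entries_with_multiple_values(text, attr="userPassword"):
    """DNs of entries carrying more than one value of attr. With ppolicy in place,
    an entry that would end up with several userPassword values is what the
    'only allows one password value' text refers to."""
    return [e["dn"][0] for e in parse_ldif(text) if len(e.get(attr, [])) > 1]


def check_policy(entry):
    """Sanity rules for a pwdPolicy entry. The pwdAttribute and pwdExpireWarning
    rules follow slapo-ppolicy(5); the pwdMinAge/pwdMaxAge rule is my own check."""
    def num(attr):
        vals = entry.get(attr)
        return int(vals[0]) if vals else None

    issues = []
    if entry.get("pwdAttribute", ["userPassword"]) != ["userPassword"]:
        issues.append("pwdAttribute: only userPassword is supported")
    max_age, min_age, warn = num("pwdMaxAge"), num("pwdMinAge"), num("pwdExpireWarning")
    if max_age and warn is not None and warn >= max_age:      # pwdMaxAge 0 = no expiry
        issues.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if max_age and min_age is not None and min_age >= max_age:
        issues.append("pwdMinAge must be smaller than pwdMaxAge")
    return issues


if __name__ == "__main__":
    policy = parse_ldif(SAMPLE_LDIF)[0]
    print("policy issues:", check_policy(policy) or "none")
    print("entries with >1 userPassword:", entries_with_multiple_values(SAMPLE_LDIF))
```

Run it against a real `slapcat` export (as a user with read access to the export file, not against the live directory) to see which entries would trip the single-value constraint before touching the overlay configuration.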
Securing cn=config and allowing micro-engineering
by Nick Milas
Hello,
Having migrated from slapd.conf, I would like to ask some questions
regarding cases/scenarios where someone - unintentionally - breaks the
configuration.
So, let's assume that, due to some misspelling or use of wrong values
(esp. when using a graphical LDAP Browser - like JXplorer - to maintain
the configuration DIT), we have added/modified a setting that would
break the installation without warning.
*Question 1*:
Are there cases where:
1/ LDAP Server will stop immediately? (It is stated that "Beware: You
can configure cn=config to an unusable state.", ref. with example:
http://www.zytrax.com/books/ldap/ch6/slapd-config.html)
2/ LDAP Server will continue to operate but, if stopped, when restarted
it will not be able to restart?
If the answer to Q1.2 above is yes:
*Question 2*:
How can we test at any given point the current configuration to make
sure it will be OK if/when restarted (AFAIK, slaptest only tests
slapd.conf and not slapd.d configuration)?
*Question 3* (especially critical if the answer to Q1.1 or Q1.2 above is
yes):
If the server is stopped, how can we manually change the config settings
(e.g. by editing slapd.d/ files) to attempt to correct it?
(In one such test I did, I changed - directly in the "cn=config.ldif" file -
olcLogLevel as follows:
Initial state:
olcLogLevel: Config
olcLogLevel: Sync
New state (removed one attribute value and changed the other):
olcLogLevel: -1
and when I tried to start I got:
ldif_read_file: checksum error on
"/usr/local/openldap/etc/openldap/slapd.d/cn=config.ldif"
so I had to re-edit the file and change the values as they were
initially, which allowed the server to start.
So (to *repeat Question 3*), how can we "re-engineer" cn=config settings
when off-line? It is always desirable to be able to do some "low-level
engineering" to the configuration (under administrator's or system
engineer's responsibility) in case something goes wrong. This is also
important in cases of "cloning" the server where we want a copy of the
config but we need to change a few settings in the new context. We need
to avoid things like "checksum error"!
Finally, there might be cases where - after having migrated and worked
for a period using cn=config - business/technical needs require the use
of overlay(s) or other modules like SLAPI, which would not be supported
by cn=config and someone would need to move to slapd.conf configuration
(at least temporarily). If such a need arises,
*Question 4*:
Is there a tool/method to "migrate" to slapd.conf from a slapd.d
configuration?
Thanks in advance,
Nick
12 years, 1 month
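The "checksum error" in the test above comes from the CRC that slapd stores at the top of each slapd.d file and verifies when it reads the file back. As an added example (my own code, not from Nick's message and not OpenLDAP's own code), the script below assumes the layout I know from those files: a first line `# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.`, a second line `# CRC32 <8 hex digits>`, and a standard CRC-32 (the one zlib implements) over every byte after the CRC line. Under that assumption it verifies a file, applies the olcLogLevel edit described above, and re-emits the file with a fresh CRC so the server can start. The sample file content is constructed.

```python
import zlib

# Layout assumed here (an assumption about slapd.d files, not something stated in
# the thread): line 1 is the AUTO-GENERATED header, line 2 is "# CRC32 <8 hex digits>",
# and the checksum is the standard CRC-32 of every byte after the CRC line.
HEADER_LINE = "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_PREFIX = "# CRC32 "


def split_config_ldif(text):
    """Split a slapd.d file into (stored_crc, body); stored_crc is None when absent."""
    if not text.startswith(HEADER_LINE):
        return None, text
    rest = text[len(HEADER_LINE):]
    crc_line, _, body = rest.partition("\n")
    if not crc_line.startswith(CRC_PREFIX):
        return None, rest
    return int(crc_line[len(CRC_PREFIX):].strip(), 16), body


def crc32_of(body):
    """CRC-32 (IEEE polynomial, as zlib computes it) over the protected bytes."""
    return zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF


def checksum_ok(text):
    """True when the stored CRC matches the body. A hand edit that leaves the old
    CRC in place makes this False, which slapd reports as
    'ldif_read_file: checksum error on ...'."""
    stored, body = split_config_ldif(text)
    return stored is not None and stored == crc32_of(body)


def with_fresh_checksum(body):
    """Re-emit header line, a correct CRC line (lowercase hex), and the body."""
    return f"{HEADER_LINE}{CRC_PREFIX}{crc32_of(body):08x}\n{body}"


def replace_attribute(body, attr, new_values):
    """Replace every 'attr: value' line with new_values at the position of the first.
    Folded (leading-space) continuation lines are not handled by this helper."""
    out, inserted = [], False
    for line in body.split("\n"):
        if line.startswith(attr + ":"):
            if not inserted:
                out.extend(f"{attr}: {v}" for v in new_values)
                inserted = True
            continue
        out.append(line)
    if not inserted:                               # attribute absent: append it
        tail = out.pop() if out and out[-1] == "" else None
        out.extend(f"{attr}: {v}" for v in new_values)
        if tail is not None:
            out.append(tail)
    return "\n".join(out)


def offline_edit(text, attr, new_values):
    """The offline workflow: refuse a file whose CRC is already wrong, edit, recompute."""
    stored, body = split_config_ldif(text)
    if stored is not None and stored != crc32_of(body):
        raise ValueError("refusing to edit: stored CRC does not match body")
    return with_fresh_checksum(replace_attribute(body, attr, new_values))


# Constructed cn=config.ldif body (a sample, not a real server's file).
SAMPLE_BODY = (
    "dn: cn=config\n"
    "objectClass: olcGlobal\n"
    "cn: config\n"
    "olcLogLevel: Config\n"
    "olcLogLevel: Sync\n"
    "structuralObjectClass: olcGlobal\n"
)
SAMPLE_FILE = with_fresh_checksum(SAMPLE_BODY)

if __name__ == "__main__":
    edited = offline_edit(SAMPLE_FILE, "olcLogLevel", ["-1"])
    print(edited)
    print("checksum ok:", checksum_ok(edited))
```

While slapd is running, ldapmodify against cn=config remains the supported route; the script is for the stopped-server case the question asks about, and it refuses to touch a file whose stored CRC already disagrees with its body, so an unnoticed earlier corruption is not silently re-signed.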
bdb version(s)
by Brett @Google
Hello,
Anybody want to comment with regards to what version of bdb they have in use
& what they recommend?
Personally I have installations running 4.8 and 5.2, and both seem fine.
Cheers
Brett
--
*The only thing that interferes with my learning is my education.*
*Albert Einstein*
12 years, 1 month