openldap-technical October 2011

openldap-technical@openldap.org

85 participants
99 discussions

Re: [Autofs for Linux and OSX] back-relay ? aliases ?
by Frava 28 Oct '11

28 Oct '11

Well, if your automount-informations are not the same on both OSes then you clearly have to duplicate/arrange them ;). People here use several programs which save the working directory for each project. That (and the fact that users can log onto whatever worstation they want to) makes me mount all the nfs directories in the same place on each computer. Cheers, Rafael. 2011/10/28 myron <kowalskM(a)cs.moravian.edu> > I ran into the same config issue. I ended up duplicating the maps because I > had the macs mount on /home and linux on /users; > otherwise, I would have just renamed the auto maps on either OS to be the > same. > > --myron > ==============================**=== > Myron Kowalski > MoCoSIN Network/Systems Administrator > Moravian College > myron(a)cs.moravian.edu > > > > > On Oct 28, 2011, at 10:13 AM, Frava wrote: > > Hello, >> >> I'm configuring Autofs maps via OpenLDAP for some OS X (10.5/6/7) and >> Linux CentOS (5/6) boxes, and I'm running into a little problem. >> >> OS X needs to have an "automountMapName=auto_master" and >> "automountMapName=auto_home" located in "cn=automountMap,dc=subnet,dc=** >> example,dc=com" >> Linux needs to have an "automountMapName=auto.master" and >> "automountMapName=auto.home" located wherever I want in >> "dc=subnet,dc=example,dc=com" >> >> The entries contained in "automountMapName=auto_home" and >> "automountMapName=auto.home" will be exactly the same ones; SO >> what is the best way to implement it without duplicate them ? Using >> aliases or rwm+relay ? >> >> Cheers, >> Rafael. >> > >

1 0

Re: LDAP + Freeradius + Samba
by Andreas Rudat 28 Oct '11

28 Oct '11

Am 28.10.2011 09:44, schrieb Stewart Walters: > On any given Linux system (assuming that's what your using), NSS and PAM do all the authentication. > > In terms of client tools, they link to (and therefore leverage) NSS and PAM, which OpemLDAP plugs in to. > > It's often irrelevant if you use ntlm_pam, mschap, samba+winbind, pam_ldap, freeradius, Authz or any other client tool. They all link back to NSS and PAM, which when configured correctly plugs in to OpenLDAP. > > Stewart Ok thanks but if I don't missunderstand the documentation, then it only works with clear passwords? But is it save enough then? Because peap isn't supported then, too. Andreas > > On 28/10/2011, at 2:49 PM, Andreas Rudat <rudat(a)endstelle.de> wrote: > >> Am 28.10.2011 04:28, schrieb Stewart Walters: >>> Freeradius already supports posixAccount attributes for LDAP account authentication - check the Freeradius website for a howto. >>> >>> Freeradius and OpenLDAP also supports the storing of 802.1x attributes using the RADIUS schema. >>> >>> There are numerous howto's available on the web for how to implement either. >>> >>> >>> >>> >>> On 28/10/2011, at 3:28 AM, Andreas Rudat <rudat(a)endstelle.de> wrote: >>> >>>> Hello, >>>> >>>> I got openldap running as user db for samba, now I want to use it also >>>> as database for radius, I think it should be possible to use it without >>>> big modifications or? >>>> >>>> Thanks >>>> >> ok thanks, I will look. Another question is, does I need any other >> client tools for windows/linux? At the moment I'm using ntlm_auth + mschap >> >> Andreas >> >> -- >> >> -----BEGIN PGP PUBLIC KEY BLOCK----- >> Version: GnuPG v2.0.17 (MingW32) >> >> mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p >> YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 >> QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp >> gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r >> STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH >> YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 >> jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S >> wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf >> wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl >> LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA >> CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih >> XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt >> PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR >> hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo >> YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh >> bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn >> tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 >> teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv >> 33k4P9hxJKHNqLYJN+Gn >> =UaS9 >> -----END PGP PUBLIC KEY BLOCK----- >> -- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -----END PGP PUBLIC KEY BLOCK-----

1 0

back-config and Post Read Control?
by Michael Ströder 28 Oct '11

28 Oct '11

HI! Does back-config support the Post Read Control? That would be handy for retrieving the renumbered DN after an Add or Modify request. Ciao, Michael.

4 6

Re: LDAP + Freeradius + Samba
by Andreas Rudat 27 Oct '11

27 Oct '11

Am 28.10.2011 04:28, schrieb Stewart Walters: > Freeradius already supports posixAccount attributes for LDAP account authentication - check the Freeradius website for a howto. > > Freeradius and OpenLDAP also supports the storing of 802.1x attributes using the RADIUS schema. > > There are numerous howto's available on the web for how to implement either. > > > > > On 28/10/2011, at 3:28 AM, Andreas Rudat <rudat(a)endstelle.de> wrote: > >> Hello, >> >> I got openldap running as user db for samba, now I want to use it also >> as database for radius, I think it should be possible to use it without >> big modifications or? >> >> Thanks >> ok thanks, I will look. Another question is, does I need any other client tools for windows/linux? At the moment I'm using ntlm_auth + mschap Andreas

1 0

Referral and Chain configuration and multiple directories
by sim sim 27 Oct '11

27 Oct '11

Hi All, I have an LDAP server running with all users and respective groups say ( a.example.net). I was wondering if there is any way I could separate user subtree into another OpenLDAP server (b.example.net) and still be able to define those users as member of groups in a.example.net (for a new requirement). Basically I want to separate user repository (which is global) from all other subsystems like my groups or organization units which contains these users as members. If its possible, please point me to the documentation, I tried searching all over but could not find enough example of Referrals or proxying. Another thing I would like to understand that is it a good idea to create another directory server just for user authentication and read, how common it is? Or should I consider replication? Thanks for the help and support.

1 0

LDAP + Freeradius + Samba
by Andreas Rudat 27 Oct '11

27 Oct '11

Hello, I got openldap running as user db for samba, now I want to use it also as database for radius, I think it should be possible to use it without big modifications or? Thanks

2 1

New overlay, your opinion?
by Johan Jakus 27 Oct '11

27 Oct '11

Hi everyone, I've been developing an overlay and I got to a well working solution. But,I would really appreciate your opinions about it before sending it to the contribs. You can see my source on my site: http://www.dataworld.be/johan/openldap/parsearch/parsearch.htm Since I'm a student and I needed to this for my stage, I'will have to write a rapport on how to write an overlay for OverLDAP, I'll be glad to share it as a tutorial for the next overlay developers. Thanks allot! Johan Jakus

2 6

password-policy configuration problems: cannot change passwords
by Marco Weber 27 Oct '11

27 Oct '11

Hello, i'm running openldap with password policy overlay. after the overlay installation and configuration, we cannot change the passwords anymore. ldappasswd -D cn=username,dc=domain,dc=tld -S -W New password: ******** Re-enter new password: ******** Enter LDAP Password: ******** Result: Constraint violation (19) Additional info: Password policy only allows one password value this is my default password policy: dn: cn=password-policy,dc=policies,dc=domain,dc=tld objectClass: person objectClass: pwdPolicy objectClass: top cn: password-policy pwdAttribute: userPassword sn: Default Password Policy pwdAllowUserChange: TRUE pwdExpireWarning: 604800 pwdInHistory: 3 pwdLockout: TRUE pwdLockoutDuration: 7200 pwdMaxAge: 7776000 pwdMaxFailure: 5 pwdMinAge: 180 pwdMinLength: 8 pwdMustChange: TRUE this is my password policy configuration: dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: ppolicy olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld olcPPolicyUseLockout: TRUE Does anyone know what to do? Thanks in advance for any reply, Marco

2 6

Securing cn=config and allowing micro-engineering
by Nick Milas 26 Oct '11

26 Oct '11

Hello, Having migrated from slapd.conf, I would like to ask some questions regarding cases/scenarios where someone - unintentionally - breaks the configuration. So, let's assume that, due to some misspelling or use of wrong values (esp. when using a graphical LDAP Browser - like JXplorer - to maintain the configuration DIT), we have added/modified a setting that would break the installation without warning. *Question 1*: Are there cases where: 1/ LDAP Server will stop immediately? (It is stated that "Beware: You can configure cn=config to an unusable state.", ref. with example: http://www.zytrax.com/books/ldap/ch6/slapd-config.html) 2/ LDAP Server will continue to operate but, if stopped, when restarted it will not be able to restart? If the answer to Q1.2 above is yes: *Question 2*: How can we test at any given point the current configuration to make sure it will be OK if/when restarted (AFAIK, slaptest only tests slapd.conf and not slapd.d configuration)? *Question 3* (especially critical if the answer to Q1.1 or Q1.2 above is yes): If the server is stopped, how can we change manually the config settings (e.g. by editing slapd.d/ files) to attempt to correct it? (In one such test I did, I changed - directly in "cn=config.ldif" file - olcLogLevel as follows: Initial state: olcLogLevel: Config olcLogLevel: Sync New state (removed one attribute value and changed the other): olcLogLevel: -1 and when I tried to start I got: ldif_read_file: checksum error on "/usr/local/openldap/etc/openldap/slapd.d/cn=config.ldif" so I had to re-edit the file and change the values as they were initially, which allowed the server to start. So (to *repeat Question 3*), how can we "re-engineer" cn=config settings when off-line? It is always desirable to be able to do some "low-level engineering" to the configuration (under administrator's or system engineer's responsibility) in case something goes wrong. This is also important in cases of "cloning" the server where we want a copy of the config but we need to change a few settings in the new context. We need to avoid things like "checksum error"! Finally, there might be cases where - after having migrated and worked for a period using cn=config - business/technical needs require the use of overlay(s) or other modules like SLAPI, which would not be supported by cn=config and someone would need to move to slapd.conf configuration (at least temporarily). If such a need arises, *Question 4*: Is there a tool/method to "migrate" to slapd.conf from a slapd.d configuration? Thanks in advance, Nick

9 17

bdb version(s)
by Brett ＠Google 26 Oct '11

26 Oct '11

Hello, Anybody want to comment with regards to what version of bdb they have in use & what they recommend ? Personally i have in installations running 4.8 and 5.2, and both seem fine. Cheers Brett -- *The only thing that interferes with my learning is my education.* * Albert Einstein*

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2011