openldap-technical October 2011

openldap-technical@openldap.org

85 participants
99 discussions

Removing cn=config elements (Not at runtime)
by Jeffrey Crawford 12 Oct '11

12 Oct '11

I have seen in the list archives that using ldapmodify to remove cn=config elements while openldap is running is not supported. However I do need to be able to disable overlays in certain cases sometimes (Even if it's for testing). I tried shutting down the server and then modifying the cn=config directory area, by renaming the .ldif file to ldif.disable. That seems to work but I'm wondering if there are other caveats I should be considering when performing actions like that. One thing I did notice is that it seems like the openldap server goes ahead and re-numbers the overlays so there are no gaps. however the cn=config filesystem area did NOT renumber the files and the server behaved strangely when I tried to ldapmodify the "disabled" config back into the running system. (I got a err=32 no such object using openldap 2.4.26) Stopping the server again and then renaming the extension .disable to .ldif brought everything back to where it was. As a side note the ldif I used to create the overlay is the same I tried to use in this last step. If I disable using the above method and then renumber the files myself before restarting the server I'm able to add the the config back in using ldapmodify but it prompts the question what else should I be considering. Thanks Jeffrey

2 1

howto distribute logs in multiple files
by Olivier 12 Oct '11

12 Oct '11

Hi, is there a way to distribute various openldap loglevels in different files ? Let say, I want ACL Stats and Sync so I add: olcLogLevel: sync stats ACL Is there any way to distribute logs into files : /var/log/ldap/ldap-sync /var/log/ldap/ldap-stats /var/log/ldap/ldap-ACL Thanks, --- Olivier

3 5

Partial and Fractional Replication Details
by Jeffrey Crawford 11 Oct '11

11 Oct '11

I've been playing around with replication trying to prepare a deployment into our enterprise so I've been trying to put syncrepl through it's paces. As such I've been discovering some behaviors that may be intended but have me scratching my head a little. Since Openldap is using replication accounts and we have some pretty specific security models it's desirable to have partial and fractional replication restrictions placed on the replication account itself and the syncrepl filter simply use the default 'objectClass=*'. The "scratching my head" part shows up if I want to try to modify the permissions of the replication account to see more or less of the supplier database. There doesn't seem to be a way to get the replica to just ignore session/accesslogs and perform a comparative sync to match it's data to the view it has of the source. Process intensive I know but would only need to be done when we make those kinds of changes I then assumed since syncrepl is on the "client" side of things, it might try to re-sync if the syncrepl filter was updated. However that also didn't bring the replication accounts view of thing in sync with it's local database. even starting slapd with -c "rid=##,csn=0" didn't work. Furthermore when I took permissions away from the replication account so it could no longer see record(s), if that record was still present from it's earlier sync it would receive changes (presumibly from the accesslog delta-syncrepl access) and apply them to the replica. That means that there is no way to really restrict a replication accounts access to sensitive data if it needs read access to cn=accesslog. Does the synclog act in a simmilar manner? (I didn't seem like it but I didn't get all the details yet about how that works). If the sessionlog and accesslog are not configured then everything falls back to present and delete states which can be a lot of traffic if we have a batch job run that only changes a few attributes. however it looks like that may be the safest way to proceed. Any other ideas about what to try or to clarify my understanding of this system would be appreciated. Sorry to be so long winded but I want to make sure that I'm considering all the variables in this project since we may be stuck with it for a while ;) Thanks Jeffrey

1 0

Re: syncrepl tls_cert file not red ?
by Olivier 11 Oct '11

11 Oct '11

Thanks Quanah. I think I will wait then (-: Best --- Olivier On Tue, Oct 11, 2011 at 6:54 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, October 11, 2011 12:49 PM +0200 Olivier <ldap(a)guillard.nom.fr> > wrote: > >> mmhhh.. >> >> In summary : >> >> I manage to set up servers so that usual clients can use TLS >> to connect to the server (ldapsearch with -ZZ works) > > Rebuild your OpenLDAP against OpenSSL, or get the latest 2.4.26 and the > numerous patches to MozNSS since 2.4.26 was released, or wait until 2.4.27 > is released. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

LDAPCon MDB presentation
by Howard Chu 11 Oct '11

11 Oct '11

My paper and slides are now available here. Will upload to openldap.org site later. http://highlandsun.com/hyc/mdb/20111010LDAPCon%20MDB.pdf (paper) http://highlandsun.com/hyc/mdb/20111010LDAPCon-MDB.pdf (slides) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Creating samba3 users with phpldapadmin
by Juan Diego Calle 10 Oct '11

10 Oct '11

Hi I have a problem with samba3 users created over phpldapadmin, the users created over phpldapadmin can log in from their windows machines. I if try to use smbclient to log I receive this NT_STATUS_PASSWORD_MUST_CHANGE if I try to change the password with smbldap-passwd I receive this Failed to modify shadowLastChange: attribute 'shadowLastChange' not allowed at /usr/sbin/smbldap-passwd line 292, <STDIN> line 2. Failed to modify shadowMax: attribute 'shadowMax' not allowed at /usr/sbin/smbldap-passwd line 299, <STDIN> line 2. So looking around it seems like the problem is that users dont have the objectClass shadowAccount. It seems that phpldapadmin doesnt use. When I add the objectClass shadow account, from windows, I manage to log on to windows the first time then It asks me to change the password, then I can log in anymore. For some reason all the users created from phpldapadmin have the uid 1000, i changed one from my test users to 6000 but i have the same results: windows users: The User name or password is incorrect. When use smbclient i have no problems listing the file. I can find any error on samba or ldap. This is the log when I try to log with the user "testuser2" 6927679-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: <= bdb_equality_candidates: (sambaSID) not indexed 6927680-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=38 SEARCH RESULT tag=101 err=0 nentries=0 text= 6927681-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=39 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-2))" 6927682-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=39 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 6927683-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: <= bdb_equality_candidates: (sambaSID) not indexed 6927684-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=39 SEARCH RESULT tag=101 err=0 nentries=0 text= 6927685-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=40 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-11))" 6927686-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=40 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 6927687-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: <= bdb_equality_candidates: (sambaSID) not indexed 6927688-Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=40 SEARCH RESULT tag=101 err=0 nentries=0 text= 6927689:Oct 10 17:06:34 prosrvuiosmb151 slapd[13037]: conn=5 op=697 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser2))" 6927690-Oct 10 17:06:34 prosrvuiosmb151 slapd[13037]: conn=5 op=697 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass 6927691-Oct 10 17:06:34 prosrvuiosmb151 slapd[13037]: conn=5 op=697 SEARCH RESULT tag=101 err=0 nentries=1 text= 6927692-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=41 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(uid=administrator)(objectClass=sambaSamAccount))" 6927693-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=41 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos 6927694-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=41 SEARCH RESULT tag=101 err=0 nentries=1 text= 6927695-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=42 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))" 6927696-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=42 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 6927697-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=42 SEARCH RESULT tag=101 err=0 nentries=0 text= 6927698-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=43 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))" 6927699-Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=43 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass I can log with users created with smbldap-tools, Juan Diego

1 0

TLS very strange behaviour
by Olivier 10 Oct '11

10 Oct '11

Hello, I have two ldap servers, my goal is to configure them in multimaster mode with an sasl authentication based on certificates. With the following configurations, that works well : ### slapd.conf for ldap1 : syncrepl rid=121 provider=ldap://ldap2.example.fr searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:00:05 retry="10 +" bindmethod=sasl saslmech=external authcid="cn=replicator,ou=system,dc=example,dc=fr" authzid="dn:cn=replicator,ou=system,dc=example,dc=fr" tls_cert=/etc/openldap/cacerts/syncrepl.crt tls_key=/etc/openldap/cacerts/syncrepl.key tls_reqcert=demand mirrormode on ### slapd.conf for ldap1 : syncrepl rid=121 provider=ldap://ldap2.example.fr searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:00:05 retry="10 +" bindmethod=sasl saslmech=external authcid="cn=replicator,ou=system,dc=example,dc=fr" authzid="dn:cn=replicator,ou=system,dc=example,dc=fr" tls_cert=/etc/openldap/cacerts/syncrepl.crt tls_key=/etc/openldap/cacerts/syncrepl.key tls_reqcert=demand mirrormode on # of course I have provided the CA certificate in both files. TLSCACertificateFile /etc/openldap/cacerts/CA.crt # I also configured properly acl for "replicator" # and have issued the right certificate -> No problem, it works. Now I also have configured certificates to be able to talk with the servers on TLS : ### slapd.conf for ldap1 : TLSCertificateFile /etc/openldap/cacerts/server1.crt TLSCertificateKeyFile /etc/openldap/cacerts/server1.key TLSCipherSuite HIGH ### slapd.conf for ldap2 : TLSCertificateFile /etc/openldap/cacerts/server2.crt TLSCertificateKeyFile /etc/openldap/cacerts/server2.key TLSCipherSuite HIGH That also works perfectly ( ldapsearch with -ZZ responds properly ) I therefore decided to try to starttls for synchronisation. I added in syncrepl for ldap1 : ## ldap1 syncrepl ... starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt ... And the synchronizations worked well, TLS being started when ldap1 is client. I then added the starttls directive on server ldap2 and removed it on server ldap1 : ## ldap2 syncrepl ... starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt ... The synchronization also worked well, TLS being started this time when ldap2 is client. HERE IS THE PROBLEM : II tried to starttls in bothe syncrepl directives on both servers ldap1 and ldap2, here is what I get : ldap1 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync ... TLS: error: accept - force handshake failure: errno 11 - moznss error -12273 TLS: can't accept: TLS error -12273:Unknown code ___P 15. TLS: error: connect - force handshake failure: errno 0 - moznss error -12272 TLS: can't connect: TLS error -12272:Unknown code ___P 16. slap_client_connect: URI=ldap://ldap2.example.fr Warning, ldap_start_tls failed (-11) slap_client_connect: URI=ldap://ldap2.example.fr ldap_sasl_interactive_bind_s failed (-6) do_syncrepl: rid=121 rc -6 retrying ldap2 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync ... TLS: error: connect - force handshake failure: errno 0 - moznss error -12272 TLS: can't connect: TLS error -12272:Unknown code ___P 16. slap_client_connect: URI=ldap://ldap1.eaxample.fr:389 Warning, ldap_start_tls failed (-11) slap_client_connect: URI=ldap://ldap1.example.fr:389 ldap_sasl_interactive_bind_s failed (-6) do_syncrepl: rid=211 rc -6 retrying TLS: error: accept - force handshake failure: errno 11 - moznss error -12273 TLS: can't accept: TLS error -12273:Unknown code ___P 15. Any idea ? --- Olivier

2 1

Overlays: using search attributes
by Johan Jakus 10 Oct '11

10 Oct '11

Hello everyone, As mentioned before, I'm working on an overlay. And, I need to retrieve all the attributes send with the search request. Here is a part of my source: AttributeDescription* patt = op->oq_search.rs_attrs->an_desc; while(patt != NULL) { fprintf(fdebug, "attributes: %*s \n", (int) patt->ad_cname.bv_len, patt->ad_cname.bv_val); patt = patt->ad_next; } This only writes the name of the first attribute to the "fdebug" file. And the "patt->ad_next" is NULL (even when I've lots of attributes in my request). I tried using the AttributeName with the "an_name", but in the AttibuteName structure there is no pointer to the next AttibuteName. I could realy use some help! Thanks! Johan Jakus

2 1

State of the relay backend and rwm overlay, is it safe?
by Jeffrey Crawford 09 Oct '11

09 Oct '11

Hello, I'm sorry if this is answered somewhere already but I haven't found it. In short we need to re-map some attributes for specific replication schenerios where the replica actually records the data that we've mapped on the master server. Everything works as needed however I did notice that both relay and rwm have been tagged as experimental. This would be used in a production environment so I'm trying to get a sense if I can offer to use these features in our architechture. Or if these backends/overlays are not considered safe to use. I'm using openldap 2.4.26 Thanks Jeffrey

4 4

Re: Patching openldap?
by Christian Manal 09 Oct '11

09 Oct '11

Am 07.10.2011 23:58, schrieb NetNinja: > Ok that's good to know. > I was reading in the book "Solaris 10 System Administration Essential" > and it says on pg 365 that the openldap server needs to be patched so > that the ldapclient init utility will configure properly. > > Do you happen to remeber how you setup the Solaris Native client? This > my current issue, I installed openldap on a RHEL 5.5 server and have all > the Linux servers working with the ldap server but the Solaris servers > won't let me login as a ldap user. I can do a ldapsearch, id, getent and > get info on ldap users. I am in the process of troubleshooting the issue > and I'm not sure what I'm doing wrong? My setup is very basic, no TLS, > uatomount or replication. I will add these later when I know what i'm doing. > > Anyway thanks for your help. If you have any advice on ldapclient setup > let me know. > > On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal > <moenoel(a)informatik.uni-bremen.de > <mailto:moenoel@informatik.uni-bremen.de>> wrote: > > Am 07.10.2011 20:25, schrieb NetNinja: > > Hello, > > I have been reading up on OpenLDAP. I have installed it on RHEL > 5.5 but > > I have seen documention saying that openldap needs to be patched > to work > > with Solaris. Can someone tell me if this still the case and if so > where > > to get the patch. If not any info you can provide wold be great. > > > > Thanks > > > > > > Hi, > > I've been running OpenLDAP on Solaris 10 for years now. It works out of > the tarball, no patches needed. > > > Regards, > Christian Manal > > > > > Here's an example of an ldapclient invocation that works for me: ldapclient manual \ -a authenticationMethod="tls:simple" \ -a credentialLevel="proxy" \ -a defaultSearchBase="dc=example,dc=org" \ -a defaultSearchScope="sub" \ -a defaultServerList="ldap1.example.org,ldap2.example.org" \ -a domainName="example.org" \ -a preferredServerList="ldap1.example.org,ldap2.example.org" \ -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \ -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \ -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \ -a serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" \ -a attributeMap="auto_home:automountMapName=ou" \ -a attributeMap="auto_home:automountKey=cn" \ -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \ -a proxyPassword="foobar" Before you invoke that, you need to modify /etc/nsswitch.ldap to your needs (ldapclient will copy that to /etc/nsswitch.conf). You also need to put your TLS certs into /var/ldap in NSS format (you can generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP authentication. Regards, Christian Manal [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

2 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2011