Removing cn=config elements (Not at runtime)
by Jeffrey Crawford
I have seen in the list archives that using ldapmodify to remove
cn=config elements while openldap is running is not supported.
However I do need to be able to disable overlays in certain cases
sometimes (Even if it's for testing). I tried shutting down the server
and then modifying the cn=config directory area, by renaming the .ldif
file to ldif.disable. That seems to work but I'm wondering if there are
other caveats I should be considering when performing actions like that.
One thing I did notice is that it seems like the openldap server goes
ahead and re-numbers the overlays so there are no gaps. However, the
cn=config filesystem area did NOT renumber the files and the server
behaved strangely when I tried to ldapmodify the "disabled" config back
into the running system. (I got a err=32 no such object using openldap
2.4.26) Stopping the server again and then renaming the extension
.disable to .ldif brought everything back to where it was. As a side
note the ldif I used to create the overlay is the same I tried to use in
this last step.
If I disable using the above method and then renumber the files myself
before restarting the server I'm able to add the config back in
using ldapmodify, but it prompts the question what else should I be
considering.
Thanks Jeffrey
12 years, 1 month
howto distribute logs in multiple files
by Olivier
Hi,
is there a way to distribute various openldap loglevels in different files?
Let's say I want ACL, Stats and Sync,
so I add:
olcLogLevel: sync stats ACL
Is there any way to distribute the logs into files:
/var/log/ldap/ldap-sync
/var/log/ldap/ldap-stats
/var/log/ldap/ldap-ACL
Thanks,
---
Olivier
12 years, 1 month
Partial and Fractional Replication Details
by Jeffrey Crawford
I've been playing around with replication trying to prepare a deployment
into our enterprise, so I've been trying to put syncrepl through its paces.
As such I've been discovering some behaviors that may be intended but
have me scratching my head a little.
Since Openldap is using replication accounts and we have some pretty
specific security models it's desirable to have partial and fractional
replication restrictions placed on the replication account itself and
the syncrepl filter simply use the default 'objectClass=*'.
The "scratching my head" part shows up if I want to try to modify the
permissions of the replication account to see more or less of the
supplier database. There doesn't seem to be a way to get the replica to
just ignore session/accesslogs and perform a comparative sync to match
its data to the view it has of the source. Process intensive, I know, but
it would only need to be done when we make those kinds of changes.
I then assumed, since syncrepl is on the "client" side of things, it
might try to re-sync if the syncrepl filter was updated. However that
also didn't bring the replication account's view of things in sync with
its local database. Even starting slapd with -c "rid=##,csn=0" didn't work.
Furthermore, when I took permissions away from the replication account so
it could no longer see record(s), if that record was still present from
its earlier sync it would receive changes (presumably from the
accesslog delta-syncrepl access) and apply them to the replica. That
means that there is no way to really restrict a replication account's
access to sensitive data if it needs read access to cn=accesslog. Does
the synclog act in a similar manner? (It didn't seem like it, but I
didn't get all the details yet about how that works.)
If the sessionlog and accesslog are not configured then everything falls
back to present and delete states, which can be a lot of traffic if we
have a batch job run that only changes a few attributes. However, it
looks like that may be the safest way to proceed.
Any other ideas about what to try or to clarify my understanding of this
system would be appreciated.
Sorry to be so long winded but I want to make sure that I'm considering
all the variables in this project since we may be stuck with it for a
while ;)
Thanks Jeffrey
12 years, 1 month
Re: syncrepl tls_cert file not read?
by Olivier
Thanks Quanah.
I think I will wait then (-:
Best
---
Olivier
On Tue, Oct 11, 2011 at 6:54 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, October 11, 2011 12:49 PM +0200 Olivier <ldap(a)guillard.nom.fr>
> wrote:
>
>> mmhhh..
>>
>> In summary :
>>
>> I manage to set up servers so that usual clients can use TLS
>> to connect to the server (ldapsearch with -ZZ works)
>
> Rebuild your OpenLDAP against OpenSSL, or get the latest 2.4.26 and the
> numerous patches to MozNSS since 2.4.26 was released, or wait until 2.4.27
> is released.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
12 years, 1 month
Creating samba3 users with phpldapadmin
by Juan Diego Calle
Hi
I have a problem with samba3 users created over phpldapadmin: the users created over phpldapadmin can log in from their windows machines, but if I try to use smbclient to log in I receive NT_STATUS_PASSWORD_MUST_CHANGE.
If I try to change the password with smbldap-passwd I receive this:
Failed to modify shadowLastChange: attribute 'shadowLastChange' not allowed at /usr/sbin/smbldap-passwd line 292, <STDIN> line 2.
Failed to modify shadowMax: attribute 'shadowMax' not allowed at /usr/sbin/smbldap-passwd line 299, <STDIN> line 2.
So looking around it seems like the problem is that users don't have the objectClass shadowAccount. It seems that phpldapadmin doesn't use it.
When I add the objectClass shadowAccount, from windows, I manage to log on to windows the first time, then it asks me to change the password, then I can't log in anymore. For some reason all the users created from phpldapadmin have the uid 1000; I changed one of my test users to 6000 but I have the same results:
windows users: The User name or password is incorrect.
When I use smbclient I have no problems listing the files. I can't find any error on samba or ldap.
This is the log when I try to log in with the user "testuser2":
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: <= bdb_equality_candidates: (sambaSID) not indexed
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=38 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=39 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-2))"
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=39 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: <= bdb_equality_candidates: (sambaSID) not indexed
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=39 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=40 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-11))"
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=40 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: <= bdb_equality_candidates: (sambaSID) not indexed
Oct 10 17:06:27 prosrvuiosmb151 slapd[13037]: conn=52 op=40 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 10 17:06:34 prosrvuiosmb151 slapd[13037]: conn=5 op=697 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser2))"
Oct 10 17:06:34 prosrvuiosmb151 slapd[13037]: conn=5 op=697 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 10 17:06:34 prosrvuiosmb151 slapd[13037]: conn=5 op=697 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=41 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(uid=administrator)(objectClass=sambaSamAccount))"
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=41 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=41 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=42 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))"
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=42 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=42 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=43 SRCH base="dc=mydomain,dc=com,dc=ec" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))"
Oct 10 17:06:37 prosrvuiosmb151 slapd[13037]: conn=52 op=43 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
I can log in with users created with smbldap-tools.
Juan Diego
12 years, 1 month
TLS very strange behaviour
by Olivier
Hello,
I have two ldap servers; my goal is to configure them
in multimaster mode with SASL authentication based
on certificates. With the following configurations, that
works well:
### slapd.conf for ldap1 :
syncrepl rid=121
provider=ldap://ldap2.example.fr
searchbase="dc=example,dc=fr"
schemachecking=on
type=refreshOnly
interval=00:00:00:05
retry="10 +"
bindmethod=sasl
saslmech=external
authcid="cn=replicator,ou=system,dc=example,dc=fr"
authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
tls_cert=/etc/openldap/cacerts/syncrepl.crt
tls_key=/etc/openldap/cacerts/syncrepl.key
tls_reqcert=demand
mirrormode on
### slapd.conf for ldap1 :
syncrepl rid=121
provider=ldap://ldap2.example.fr
searchbase="dc=example,dc=fr"
schemachecking=on
type=refreshOnly
interval=00:00:00:05
retry="10 +"
bindmethod=sasl
saslmech=external
authcid="cn=replicator,ou=system,dc=example,dc=fr"
authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
tls_cert=/etc/openldap/cacerts/syncrepl.crt
tls_key=/etc/openldap/cacerts/syncrepl.key
tls_reqcert=demand
mirrormode on
# of course I have provided the CA certificate in both files.
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
# I also configured properly acl for "replicator"
# and have issued the right certificate
-> No problem, it works.
Now I also have configured certificates to be able to talk with the
servers on TLS :
### slapd.conf for ldap1 :
TLSCertificateFile /etc/openldap/cacerts/server1.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server1.key
TLSCipherSuite HIGH
### slapd.conf for ldap2 :
TLSCertificateFile /etc/openldap/cacerts/server2.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server2.key
TLSCipherSuite HIGH
That also works perfectly ( ldapsearch with -ZZ responds properly )
I therefore decided to try to starttls for synchronisation.
I added in syncrepl for ldap1 :
## ldap1
syncrepl
...
starttls=yes
tls_cacert=/etc/openldap/cacerts/CA.crt
...
And the synchronizations worked well, TLS being started when ldap1 is client.
I then added the starttls directive on server ldap2 and removed it
on server ldap1 :
## ldap2
syncrepl
...
starttls=yes
tls_cacert=/etc/openldap/cacerts/CA.crt
...
The synchronization also worked well, TLS being started this time when
ldap2 is client.
HERE IS THE PROBLEM:
I tried to starttls in both syncrepl directives on both servers
ldap1 and ldap2,
here is what I get:
ldap1 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
...
TLS: error: accept - force handshake failure: errno 11 - moznss error -12273
TLS: can't accept: TLS error -12273:Unknown code ___P 15.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12272
TLS: can't connect: TLS error -12272:Unknown code ___P 16.
slap_client_connect: URI=ldap://ldap2.example.fr Warning,
ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap2.example.fr
ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=121 rc -6 retrying
ldap2 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
...
TLS: error: connect - force handshake failure: errno 0 - moznss error -12272
TLS: can't connect: TLS error -12272:Unknown code ___P 16.
slap_client_connect: URI=ldap://ldap1.eaxample.fr:389 Warning,
ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr:389
ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
TLS: error: accept - force handshake failure: errno 11 - moznss error -12273
TLS: can't accept: TLS error -12273:Unknown code ___P 15.
Any idea ?
---
Olivier
12 years, 1 month
Overlays: using search attributes
by Johan Jakus
Hello everyone,
As mentioned before, I'm working on an overlay. And I need to retrieve all
the attributes sent with the search request.
Here is a part of my source:
AttributeDescription *patt = op->oq_search.rs_attrs->an_desc;
while (patt != NULL)
{
    /* %.*s limits the print to bv_len bytes; "%*s" only sets a field width */
    fprintf(fdebug, "attributes: %.*s \n", (int) patt->ad_cname.bv_len,
            patt->ad_cname.bv_val);
    patt = patt->ad_next;
}
This only writes the name of the first attribute to the "fdebug" file. And
the "patt->ad_next" is NULL (even when I've lots of attributes in my
request).
I tried using the AttributeName with the "an_name", but in the AttributeName
structure there is no pointer to the next AttributeName.
I could really use some help! Thanks!
Johan Jakus
12 years, 1 month
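An added illustration of the point behind Johan's question above (example code written for this page, not Johan's overlay and not code from the OpenLDAP tree): in slapd the requested attributes arrive as an array of AttributeName in op->ors_attrs (the same field as op->oq_search.rs_attrs), terminated by an entry whose an_name.bv_val is NULL, while AttributeDescription.ad_next chains alternative descriptions of the same attribute type (tagging options), not the next requested attribute. The struct definitions below are a cut-down local mirror of the real ones so the file compiles without slap.h, and the sample request (cn, mail, uid) is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Cut-down local mirror of the OpenLDAP types involved (constructed for this
 * example; the real definitions in lber.h / servers/slapd/slap.h have more
 * fields, but the same names and the same termination convention). */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

typedef struct AttributeDescription {
    struct berval ad_cname;               /* canonical name, e.g. "cn;lang-en" */
    struct AttributeDescription *ad_next; /* other descriptions of the SAME type */
} AttributeDescription;

typedef struct AttributeName {
    struct berval         an_name;  /* name exactly as the client sent it */
    AttributeDescription *an_desc;  /* resolved description, NULL if undefined */
} AttributeName;

/* Walk the requested-attribute list the way slapd lays it out: an array of
 * AttributeName ended by an element whose an_name.bv_val is NULL.
 * Returns the number of attributes seen; names go to `out` when it is non-NULL. */
size_t list_requested_attrs(const AttributeName *attrs, FILE *out)
{
    size_t n = 0;
    if (attrs == NULL)            /* no attribute list: "all user attributes" */
        return 0;
    for (const AttributeName *an = attrs; an->an_name.bv_val != NULL; an++) {
        /* %.*s bounds the print by bv_len; %*s would only pad the field width */
        if (out != NULL)
            fprintf(out, "attribute: %.*s\n", (int)an->an_name.bv_len,
                    an->an_name.bv_val);
        n++;
    }
    return n;
}

/* The loop from the question, kept for comparison: following ad_next from the
 * first entry only ever visits descriptions of that one attribute type, so it
 * stops after the first requested attribute. Returns how many it visits. */
size_t count_via_ad_next(const AttributeName *attrs)
{
    size_t n = 0;
    if (attrs == NULL || attrs->an_desc == NULL)
        return 0;
    for (const AttributeDescription *ad = attrs->an_desc; ad != NULL; ad = ad->ad_next)
        n++;
    return n;
}

/* Build a berval over a C string (helper for the constructed sample). */
static struct berval bv(const char *s)
{
    struct berval b = { strlen(s), (char *)s };
    return b;
}

/* Constructed sample search request asking for cn, mail and uid. */
const AttributeName *build_sample_request(void)
{
    static AttributeDescription ad_cn, ad_mail, ad_uid;
    static AttributeName req[4];
    ad_cn.ad_cname   = bv("cn");   ad_cn.ad_next   = NULL;
    ad_mail.ad_cname = bv("mail"); ad_mail.ad_next = NULL;
    ad_uid.ad_cname  = bv("uid");  ad_uid.ad_next  = NULL;
    req[0].an_name = bv("cn");   req[0].an_desc = &ad_cn;
    req[1].an_name = bv("mail"); req[1].an_desc = &ad_mail;
    req[2].an_name = bv("uid");  req[2].an_desc = &ad_uid;
    req[3].an_name.bv_val = NULL; req[3].an_name.bv_len = 0; /* terminator */
    req[3].an_desc = NULL;
    return req;
}

int main(void)
{
    const AttributeName *req = build_sample_request();
    printf("visited via ad_next: %zu\n", count_via_ad_next(req));       /* 1 */
    printf("visited via array:   %zu\n", list_requested_attrs(req, stdout)); /* 3 */
    return 0;
}
```

In a real overlay the mirror structs are replaced by including slap.h and the array is taken from op->ors_attrs; a NULL op->ors_attrs means the client did not list attributes at all, which is the "return all user attributes" case and must be handled before dereferencing anything.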
State of the relay backend and rwm overlay, is it safe?
by Jeffrey Crawford
Hello,
I'm sorry if this is answered somewhere already but I haven't found it.
In short we need to re-map some attributes for specific replication
scenarios where the replica actually records the data that we've mapped
on the master server.
Everything works as needed; however, I did notice that both relay and rwm
have been tagged as experimental. This would be used in a production
environment, so I'm trying to get a sense of whether I can offer to use these
features in our architecture, or if these backends/overlays are not
considered safe to use.
I'm using openldap 2.4.26
Thanks
Jeffrey
12 years, 1 month
Re: Patching openldap?
by Christian Manal
Am 07.10.2011 23:58, schrieb NetNinja:
> Ok that's good to know.
> I was reading in the book "Solaris 10 System Administration Essential"
> and it says on pg 365 that the openldap server needs to be patched so
> that the ldapclient init utility will configure properly.
>
> Do you happen to remember how you set up the Solaris Native client? This is
> my current issue: I installed openldap on a RHEL 5.5 server and have all
> the Linux servers working with the ldap server but the Solaris servers
> won't let me login as a ldap user. I can do a ldapsearch, id, getent and
> get info on ldap users. I am in the process of troubleshooting the issue
> and I'm not sure what I'm doing wrong? My setup is very basic, no TLS,
> automount or replication. I will add these later when I know what I'm doing.
>
> Anyway thanks for your help. If you have any advice on ldapclient setup
> let me know.
>
> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal
> <moenoel(a)informatik.uni-bremen.de
> <mailto:moenoel@informatik.uni-bremen.de>> wrote:
>
> Am 07.10.2011 20:25, schrieb NetNinja:
> > Hello,
> > I have been reading up on OpenLDAP. I have installed it on RHEL 5.5 but
> > I have seen documentation saying that openldap needs to be patched to work
> > with Solaris. Can someone tell me if this is still the case and if so where
> > to get the patch. If not, any info you can provide would be great.
> >
> > Thanks
> >
>
> Hi,
>
> I've been running OpenLDAP on Solaris 10 for years now. It works out of
> the tarball, no patches needed.
>
>
> Regards,
> Christian Manal
>
>
>
>
>
Here's an example of an ldapclient invocation that works for me:
ldapclient manual \
-a authenticationMethod="tls:simple" \
-a credentialLevel="proxy" \
-a defaultSearchBase="dc=example,dc=org" \
-a defaultSearchScope="sub" \
-a defaultServerList="ldap1.example.org,ldap2.example.org" \
-a domainName="example.org" \
-a preferredServerList="ldap1.example.org,ldap2.example.org" \
-a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
-a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
-a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
-a serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" \
-a attributeMap="auto_home:automountMapName=ou" \
-a attributeMap="auto_home:automountKey=cn" \
-a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
-a proxyPassword="foobar"
Before you invoke that, you need to modify /etc/nsswitch.ldap to your
needs (ldapclient will copy that to /etc/nsswitch.conf). You also need
to put your TLS certs into /var/ldap in NSS format (you can
generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP
authentication.
Regards,
Christian Manal
[1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
12 years, 1 month