openldap-technical November 2011

openldap-technical@openldap.org

80 participants
91 discussions

Enforce remote SSL/TLS
by Kasper Loopstra 24 Nov '11

24 Nov '11

Dear list, We are using PAM to authenticate posixUsers against OpenLDAP. This works great, and allows 'local' (ssh) logins. However, we also use LDAP for a number of other services, including remote access and editing via other software. This means we would like to keep our users passwords as secure as possible, and enforce encrypted logins for all remote hosts. However, PAM should still be able to authenticate. The manner of encryption is not really important, it just has to be strong enough to be useful over the internet, and usable for all (or most) clients. We have tried various solutions with ssf directives in /etc/ldap/slapd.conf as well as the security tls=1 directive. All of these attempts broke PAM. Is what we are trying to do possible with OpenLDAP? If so, could someone maybe point us to an example configuration? Thank you for your time, Kasper Loopstra.

3 3

How to remove global slapd config values
by David Donn 24 Nov '11

24 Nov '11

Hi, I set the config value for "directory" to /var/openldap-data in my slapd.conf. But now I would like to remove my setting and just go with the default for this (/var/lib/ldap AFAIK). But I can't seem to get rid of the old value. I have tried removing /etc/openldap/slapd.d/*, /var/openldap-data and /var/lib/ldap/*. Whenever I run "slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d" it complains that /var/openldap-data doesn't exist. How does it even know about this directory any more? I'm using OpenLDAP 2.4.23 on RHEL 6.1. Cheers, David

2 1

Re: Limiting host access
by Jayavant Patil 23 Nov '11

23 Nov '11

Hi, I want to restrict login access to some selected client nodes (by default, openldap allows user access to all client nodes). I have googled for this, tried many different configurations like host attribute,hostObject class etc. but failed to get the required. On Mon, Nov 21, 2011 at 11:47 AM, Bill MacAllister <whm(a)stanford.edu> wrote: > > > --On Monday, November 21, 2011 11:06:21 AM +0530 Jayavant Patil < > jayavant.patil82(a)gmail.com> wrote: > > Hi, >> >> I am using openldap-2.4.19-4 on fedora 12 machine. My question is as >> follows: >> >> How to restrict a user access to some client nodes? >> >> Please, explain in detail. >> > > It is not clear what you want to do. You need to provide more details > before you will get the answer that you want. > > For example, if you just want to restrict access to the directory from > some nodes, why not use iptables. > > If you are talking about restricting login access to some linux nodes > using PAM, this is probably a better question for a PAM list. Of course, > there will be folks on this list that can answer that question as well, > but not without knowing what you are storing in your directory. > > Bill > > > -- > > Bill MacAllister > Infrastructure Delivery Group, Stanford University > > -- Thanks & Regards, Jayavant Ningoji Patil +91 9923536030.

3 7

Re: OpenLDAP syncrepl woes
by Jeffrey Crawford 23 Nov '11

23 Nov '11

read that already: my original question was the following: Granted the above issues might be explained away in that we don't yet have enough ram on the machines yet, however it does seem to present us with a problem when we notice the discrepancy, how do we during run time re-sync the data from the provider server? I have tried the slapd -c rid=2,csn=20111114000000.000000Z but that doesn't seem to do any good. (I've tried several different values of csn=0 csn=20111114000000.000000Z#000000#000#000000 etc. to no avail) from man slapadd LIMITATIONS Your slapd(8) should not be running when you do this to ensure consis- tency of the database. So how can I have slapd run, respond to what data it has currently yet understand that it will update all it's data with the source provider updating, adding, removing entries as necessary without removing the database first? Thanks Jeffrey On Tue, Nov 22, 2011 at 7:01 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, November 22, 2011 5:50 PM -0800 Jeffrey Crawford > <jeffreyc(a)ucsc.edu> wrote: > > >> Starting slapd with the -c option isn't working or I'm using the wrong >> combination. > > man "slapadd". > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Enable/Disable user account in openLDAP
by Jayavant Patil 23 Nov '11

23 Nov '11

Hi, I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how to enable/disable a user account in openLDAP? I know ppolicy overlay but I don't require this password based locking. Thanks in advance. -- Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.

5 11

Problem with sambaAccount user entry
by Darko Marshauzer 23 Nov '11

23 Nov '11

Hi, I have a problem with my shares on a open-e storage. I cannot get the sambaSid of the system. However, the support of open-e advise me to add a test user entry including the objectclass sambaAccount. As I try this I run into a strage behaviour getting an Invalid syntax error. adding new entry "uid=test,ou=people,dc=xxx,dc=xx" ldapadd: Invalid syntax (21) additional info: objectClass: value #2 invalid per syntax my test user ldif file is dn: uid=test,ou=people,dc=xxx,dc=xx objectClass: posixAccount objectClass: top objectClass: sambaAccount objectClass: inetOrgPerson uid: test cn: test userPassword: {CRYPT}xxxxxxxxx loginShell: /bin/bash sn: test rid: 3000 uidNumber: 900 gidNumber: 1000 homeDirectory: /home/test I am using openldap server 2.3.43-12.el5_7.9.x86_64 What could be the reason? Normally shouldn´t be a problem, or not? Thanks Darko -- Dipl.-Inf. Darko Maršhauzer Hochschule Reutlingen Robert Bosch Zentrum für Leistungselektronik Alteburgstraße 150 72762 Reutlingen Phone: +49 (7121) 271-7080 Email: Darko.Marshauzer(a)Reutlingen-University.de www.reutlingen-university.de www.rbzentrum.de

1 0

Re: OpenLDAP syncrepl woes
by Jeffrey Crawford 22 Nov '11

22 Nov '11

On Thu, Nov 17, 2011 at 11:47 PM, Howard Chu <hyc(a)symas.com> wrote: > Jeffrey Crawford wrote: >> >> On Thu, Nov 17, 2011 at 9:21 PM, Howard Chu<hyc(a)symas.com> wrote: >>> >>> Jeffrey Crawford wrote: >>>> >>>> On Thu, Nov 17, 2011 at 5:50 PM, Howard Chu<hyc(a)symas.com> wrote: >>>>> >>>>> There ought to be other error messages in your log, immediately >>>>> preceding >>> >>>>> the one you quoted. Post those too. >>> >>>> There really isn't much there but here is an example really not much >>>> around it: (I've modified the usernames only) >>>> >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10706 DEL >>>> dn="uid=user1,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10706 RESULT >>>> tag=107 err=0 text= >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10707 DEL >>>> dn="uid=user2,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10707 RESULT >>>> tag=107 err=0 text= >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10708 DEL >>>> dn="uid=user3,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10708 RESULT >>>> tag=107 err=0 text= >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10709 DEL >>>> dn="uid=user4,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: bdb(dc=ucsc,dc=edu): previous >>>> transaction deadlock return not resolved >>>> Nov 17 21:11:55 localhost slapd[1912]: => bdb_idl_delete_key: cursor >>>> failed: Invalid argument (22) >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10709 RESULT >>>> tag=107 err=80 text=entry index delete failed >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10710 DEL >>>> dn="uid=user5,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10710 RESULT >>>> tag=107 err=0 text= >>> >>> Strange. The log shows an error occurring while deleting an index. The >>> error >>> message indicates that there was already a deadlock before, but there's >>> no >>> message from the original deadlock, and the indexing code logs *every* >>> error >>> that occurs. Seems more likely a BDB bug. >>> >>> Also your client is broken, it looks like it completely ignored the >>> failure >>> result from the ldapdelete operation, it just went right on to issue >>> another >>> request. > >> ldapdelete was using the -c option so it just continued I've actually >> was able to replicate the error on a small local installation using >> the default openldap install. When I changed it to BDB 4.8 I've yet to >> see the error. So I'm going to run this a few more times and see if it >> does indeed fix things. >> >> Fingers crossed > > Sounds promising. Looking forward to your conclusion. > > Of course, with back-mdb, none of this type of nonsense can ever happen... > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > Things look pretty good since going to bdb 4.8. However for future reference, what is the best way to force a replica to simply discard what it has and reload from the provider ldaps. So far all I can do is remove the database and restart. However this means any record it has yet to see is not available until the replica get to that record. I would rather re-sync in such a way that it looks at each records and re-updates or deletes if it cant find the original record on the provider server. Starting slapd with the -c option isn't working or I'm using the wrong combination. Thanks Jeffrey

2 1

W.: Newbie: can't connect and enable logging
by cfisi＠arcor.de 22 Nov '11

22 Nov '11

Hi list, I installed OpenLdap on Debian Squeeze. When trying to connect to Openldap jxplorer just says: "Opening connection to ldap://192.168.1.102:389". Nothing more happens. How can I enable logging (in Openldap or jxplorer) and above all how can I connect? Thank you in advance. - Chris

2 2

Using a bitwise filter
by W.Siebert＠t-systems.com 22 Nov '11

22 Nov '11

Hello, I'v implemented a OpenLDAP Metadirectory that proxying 2 Microsft AD targets. Some attributes on Active Directory objects are composed of bitwise flags. Using a bitwise operator is necessary to return only objects that match a particular bit being set. To query Active Directory for user class objects that are disabled: (UserAccountControl:1.2.840.113556.1.4.803:=2) I'm trying to create a filter that selects entries for which the object class is a user but not a computer, and for which the account is not flagged as disabled: (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) If I connect AD server directly, all is OK, I get a search result. But sending this search to Meta, does not work. Log: slapd[22461]: conn=1004 op=3 SRCH base="dc=meta,dc=pov" scope=2 deref=2 filter="(&(?objectClass=user)(!(?objectClass=Computer))(?=error))" slapd[22461]: conn=1004 op=3 meta_back_search: base="dc=meta,dc=pov" scope=2: no candidate could be selected slapd[22461]: conn=1004 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text= slapd[22461]: conn=1004 op=4 UNBIND My OpenLDAP version: 2.4.26 my config: database meta lastmod off suffix "dc=meta,dc=pov" rootdn "cn=metaguru,dc=meta,dc=pov" rootpw xxxxxxxx uri "ldap://w3kvm.adwal.corporate.net:389/dc=meta,dc=pov" suffixmassage "dc=meta,dc=pov" "dc=adwal,dc=corporate,dc=net" idassert-authzFrom "dn:*" idassert-bind bindmethod=simple binddn="cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net" credentials="xxxxx" mode=none uri "ldap://w3kvm02.adwal.corporate.net:389/dc=meta,dc=pov" suffixmassage "dc=meta,dc=pov" "dc=second,dc=crocus,dc=com" idassert-authzFrom "dn:*" idassert-bind bindmethod=simple binddn="cn=predator,cn=Users,dc=second,dc=crocus,dc=com" credentials="xxxxxxxx" mode=none Where is my mistake ? Can you help me please Kind regards Waldemar

3 2

Rewrite inside a database backend ?
by Mathieu MILLET 22 Nov '11

22 Nov '11

Hello, I was trying to enable rewrite of partial DN inside a database backend context, but I would like to not add a specific context for this rewrite. Slapo-rwm's man says that this overlay is intended for back-ldap and back-meta, but doesn't say it is restricted to these backends. Is this possible ? Let me explain and give some more details of what I would like to do : My context is : "dc=example,dc=local", which is stored inside a back-bdb (or back-hdb). User Objects would be added by client such as : uid=AA0000000,ou=users,dc=example,dc=local But, I would like to store these objects as : uid=AA0000000,ou=AA,ou=users,dc=example,dc=local So my rewriting configuration lines would be like : rwm-rewriteContext addDN rwm-rewriteRule "^uid=(..)([^,]+),ou=users,dc=example,dc=local$" "^uid=$1$2,ou=$1,ou=users,dc=example,dc=local$" ":" I know that the main purpose of adding one level of OU may not be very elegant, but it could be useful in the future for being able to partition the directory. Sincerely yours, Mathieu. -- Mathieu MILLET mailto:ldap@htam.net

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2011