We are using PAM to authenticate posixUsers against OpenLDAP. This works
great, and allows 'local' (ssh) logins. However, we also use LDAP for a
number of other services, including remote access and editing via other
software. This means we would like to keep our users' passwords as secure
as possible, and enforce encrypted logins for all remote hosts. However,
PAM should still be able to authenticate. The manner of encryption is
not really important, it just has to be strong enough to be useful over
the internet, and usable for all (or most) clients.
We have tried various solutions with ssf directives in
/etc/ldap/slapd.conf as well as the security tls=1 directive. All of
these attempts broke PAM.
Is what we are trying to do possible with OpenLDAP? If so, could someone
maybe point us to an example configuration?
Thank you for your time,
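The following slapd.conf fragment is an added example, not the poster's configuration: it makes the server refuse unprotected sessions (the `security` directive the question mentions) while leaving PAM a working path, provided the clients themselves do STARTTLS. The certificate paths, the `ssf=128` threshold (TLS with 128-bit ciphers) and PADL pam_ldap/nss_ldap on the clients are assumptions.

```conf
# slapd.conf: server-side TLS material (paths are placeholders)
TLSCACertificateFile   /etc/ssl/certs/ca.crt
TLSCertificateFile     /etc/ssl/certs/ldap.crt
TLSCertificateKeyFile  /etc/ssl/private/ldap.key

# Treat ldapi:// (local Unix socket) sessions as already protected, so
# local administration keeps working without TLS
localSSF 128

# Refuse operations, and in particular simple binds (where the password
# travels), on sessions with less than 128 bits of transport protection;
# updates get the same threshold. StartTLS itself is not subject to this.
security ssf=128 simple_bind=128 update_ssf=128

# /etc/ldap.conf on each client (pam_ldap/nss_ldap): bind over STARTTLS
# on port 389 and verify the server certificate. Without this the client
# sends a cleartext bind, which is exactly what the server now rejects.
#   uri ldap://ldap.example.com/
#   ssl start_tls
#   tls_cacertfile /etc/ssl/certs/ca.crt
#   tls_checkpeer yes
```

Check from a client with `ldapwhoami -x -ZZ -H ldap://ldap.example.com/ -D <binddn> -W` before re-enabling PAM; the same command without `-ZZ` should now fail with "confidentiality required" (result code 13).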
I set the config value for "directory" to /var/openldap-data in my
slapd.conf. But now I would like to remove my setting and just go with
the default for this (/var/lib/ldap AFAIK). But I can't seem to get rid
of the old value. I have tried removing /etc/openldap/slapd.d/*,
/var/openldap-data and /var/lib/ldap/*.
Whenever I run "slaptest -f /etc/openldap/slapd.conf -F
/etc/openldap/slapd.d" it complains that /var/openldap-data doesn't
exist. How does it even know about this directory any more?
I'm using OpenLDAP 2.4.23 on RHEL 6.1.
I want to restrict login access to some selected client nodes (by
default, OpenLDAP allows user access to all client nodes). I have googled
for this and tried many different configurations like the host
attribute, hostObject class, etc., but failed to get the required result.
On Mon, Nov 21, 2011 at 11:47 AM, Bill MacAllister <whm(a)stanford.edu> wrote:
> --On Monday, November 21, 2011 11:06:21 AM +0530 Jayavant Patil <
> jayavant.patil82(a)gmail.com> wrote:
>> I am using openldap-2.4.19-4 on a Fedora 12 machine. My question is:
>> how to restrict a user's access to some client nodes?
>> Please explain in detail.
> It is not clear what you want to do. You need to provide more details
> before you will get the answer that you want.
> For example, if you just want to restrict access to the directory from
> some nodes, why not use iptables?
> If you are talking about restricting login access to some linux nodes
> using PAM, this is probably a better question for a PAM list. Of course,
> there will be folks on this list that can answer that question as well,
> but not without knowing what you are storing in your directory.
> Bill MacAllister
> Infrastructure Delivery Group, Stanford University
Thanks & Regards,
Jayavant Ningoji Patil
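One way to limit which nodes a user may log in to, added here as an example rather than taken from the thread. It assumes PADL pam_ldap on the client nodes and cosine.schema loaded on the server, so that a posixAccount entry can also use the structural `account` class and its `host` attribute (an inetOrgPerson entry would instead need the auxiliary hostObject class from PADL's ldapns.schema, which the question mentions).

```conf
# /etc/ldap.conf on every client node (pam_ldap):
#   pam_check_host_attr yes
# With this set, pam_ldap's account check denies any user whose entry
# has no host value naming this node's hostname (or the wildcard "*").

# Directory entry (LDIF): the user may log in to node01 and node02 only
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
host: node01.example.com
host: node02.example.com
```

Hostnames are compared against what the node reports for itself, so the values must match the nodes' configured hostnames exactly.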
Read that already:
My original question was the following:
Granted, the above issues might be explained away in that we don't yet
have enough RAM on the machines; however, it does seem to present
us with a problem when we notice the discrepancy: how do we, during run
time, re-sync the data from the provider server? I have tried the slapd
-c rid=2,csn=20111114000000.000000Z but that doesn't seem to do any
good. (I've tried several different values: csn=0,
csn=20111114000000.000000Z#000000#000#000000 etc., to no avail.)
From man slapadd:
Your slapd(8) should not be running when you do this to ensure consistency
of the database.
So how can I have slapd run, respond to what data it has currently, yet
understand that it will update all its data with the source provider
updating, adding, removing entries as necessary without removing the
On Tue, Nov 22, 2011 at 7:01 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, November 22, 2011 5:50 PM -0800 Jeffrey Crawford
> <jeffreyc(a)ucsc.edu> wrote:
>> Starting slapd with the -c option isn't working or I'm using the wrong
> man "slapadd".
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> Zimbra :: the leader in open source messaging and collaboration
I am using openldap-2.4.19-4 on a Fedora 12 machine. Does anybody know how
to enable/disable a user account in OpenLDAP? I know about the ppolicy overlay but I
don't require this password-based locking.
Thanks in advance.
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
I have a problem with my shares on an open-e storage. I cannot get the sambaSid of the system.
However, the support of open-e advised me to add a test user entry including the objectclass sambaAccount.
As I try this I run into a strange behaviour, getting an Invalid syntax error.
adding new entry "uid=test,ou=people,dc=xxx,dc=xx"
ldapadd: Invalid syntax (21)
additional info: objectClass: value #2 invalid per syntax
My test user LDIF file is:
I am using openldap server 2.3.43-12.el5_7.9.x86_64
What could be the reason?
Normally this shouldn't be a problem, should it?
Dipl.-Inf. Darko Maršhauzer
Robert Bosch Zentrum für Leistungselektronik
Phone: +49 (7121) 271-7080
On Thu, Nov 17, 2011 at 11:47 PM, Howard Chu <hyc(a)symas.com> wrote:
> Jeffrey Crawford wrote:
>> On Thu, Nov 17, 2011 at 9:21 PM, Howard Chu<hyc(a)symas.com> wrote:
>>> Jeffrey Crawford wrote:
>>>> On Thu, Nov 17, 2011 at 5:50 PM, Howard Chu<hyc(a)symas.com> wrote:
>>>>> There ought to be other error messages in your log, immediately
>>>>> the one you quoted. Post those too.
>>>> There really isn't much there, but here is an example; there really isn't much
>>>> around it (I've modified the usernames only):
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10706 DEL
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10706 RESULT
>>>> tag=107 err=0 text=
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10707 DEL
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10707 RESULT
>>>> tag=107 err=0 text=
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10708 DEL
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10708 RESULT
>>>> tag=107 err=0 text=
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10709 DEL
>>>> Nov 17 21:11:55 localhost slapd: bdb(dc=ucsc,dc=edu): previous
>>>> transaction deadlock return not resolved
>>>> Nov 17 21:11:55 localhost slapd: => bdb_idl_delete_key: cursor
>>>> failed: Invalid argument (22)
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10709 RESULT
>>>> tag=107 err=80 text=entry index delete failed
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10710 DEL
>>>> Nov 17 21:11:55 localhost slapd: conn=1478 op=10710 RESULT
>>>> tag=107 err=0 text=
>>> Strange. The log shows an error occurring while deleting an index. The
>>> message indicates that there was already a deadlock before, but there's
>>> message from the original deadlock, and the indexing code logs *every*
>>> that occurs. Seems more likely a BDB bug.
>>> Also your client is broken, it looks like it completely ignored the
>>> result from the ldapdelete operation, it just went right on to issue
>> ldapdelete was using the -c option so it just continued. I've actually
>> been able to replicate the error on a small local installation using
>> the default OpenLDAP install. When I changed it to BDB 4.8 I've yet to
>> see the error. So I'm going to run this a few more times and see if it
>> does indeed fix things.
>> Fingers crossed
> Sounds promising. Looking forward to your conclusion.
> Of course, with back-mdb, none of this type of nonsense can ever happen...
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
Things look pretty good since going to BDB 4.8. However, for future
reference, what is the best way to force a replica to simply discard
what it has and reload from the provider ldaps? So far all I can do is
remove the database and restart. However, this means any record it has
yet to see is not available until the replica gets to that record. I
would rather re-sync in such a way that it looks at each record and
re-updates or deletes it if it can't find the original record on the
Starting slapd with the -c option isn't working or I'm using the wrong
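Howard's advice above is to look at the lines logged around the failing operation. The script below is an added example (not part of the thread) that does this mechanically over slapd stats-level logs: it pairs each `conn=… op=…` request with its `RESULT`, keeps any backend diagnostics logged in between, and reports operations whose result code is non-zero. The sample log is constructed, modelled on the excerpt quoted above.

```python
import re

# Constructed sample, modelled on the slapd log excerpt quoted in the thread
SAMPLE_LOG = """\
Nov 17 21:11:55 localhost slapd: conn=1478 op=10708 DEL dn="uid=a,dc=example,dc=edu"
Nov 17 21:11:55 localhost slapd: conn=1478 op=10708 RESULT tag=107 err=0 text=
Nov 17 21:11:55 localhost slapd: conn=1478 op=10709 DEL dn="uid=b,dc=example,dc=edu"
Nov 17 21:11:55 localhost slapd: bdb(dc=example,dc=edu): previous transaction deadlock return not resolved
Nov 17 21:11:55 localhost slapd: => bdb_idl_delete_key: cursor failed: Invalid argument (22)
Nov 17 21:11:55 localhost slapd: conn=1478 op=10709 RESULT tag=107 err=80 text=entry index delete failed
Nov 17 21:11:55 localhost slapd: conn=1478 op=10710 DEL dn="uid=c,dc=example,dc=edu"
Nov 17 21:11:55 localhost slapd: conn=1478 op=10710 RESULT tag=107 err=0 text=
"""

OP_RE = re.compile(r"slapd: conn=(\d+) op=(\d+) (\w+)(.*)$")
RESULT_RE = re.compile(r"RESULT tag=(\d+) err=(\d+) text=(.*)$")
# LDAP result codes that appear in this thread (RFC 4511 names)
ERR_NAMES = {21: "invalidAttributeSyntax", 32: "noSuchObject", 80: "other"}


def find_failed_ops(log_text):
    """Return one record per operation whose RESULT carries err != 0, with the
    backend diagnostics (bdb(...), => ...) logged between request and result."""
    pending = {}   # (conn, op) -> {"request": str, "diag": [str]}
    failures = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            # No conn/op prefix: backend chatter. Attach it to every
            # operation still waiting for its RESULT line.
            msg = line.split("slapd: ", 1)[-1]
            for p in pending.values():
                p["diag"].append(msg)
            continue
        conn, op, kind, rest = m.groups()
        key = (int(conn), int(op))
        r = RESULT_RE.search(line)
        if r is None:                       # a request line (DEL, SRCH, ...)
            pending[key] = {"request": (kind + rest).strip(), "diag": []}
            continue
        req = pending.pop(key, {"request": None, "diag": []})
        err = int(r.group(2))
        if err != 0:
            failures.append({"conn": key[0], "op": key[1], "err": err,
                             "name": ERR_NAMES.get(err, "unknown"),
                             "text": r.group(3).strip(),
                             "request": req["request"], "diag": req["diag"]})
    return failures
```

`find_failed_ops(SAMPLE_LOG)` yields a single record for op 10709 (err=80, "entry index delete failed") carrying the two bdb lines that precede it; run it over `/var/log/messages` filtered to slapd lines to get the same pairing on a real server.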
I installed OpenLDAP on Debian Squeeze. When trying to connect to OpenLDAP, JXplorer just says: "Opening connection to ldap://192.168.1.102:389". Nothing more happens.
How can I enable logging (in OpenLDAP or JXplorer) and, above all, how can I connect?
Thank you in advance.
I've implemented an OpenLDAP meta directory that proxies 2 Microsoft AD targets.
Some attributes on Active Directory objects are composed of bitwise flags. Using a bitwise operator is necessary to return only objects that match a particular bit being set.
To query Active Directory for user class objects that are disabled: (UserAccountControl:1.2.840.113518.104.22.1683:=2)
I'm trying to create a filter that selects entries for which the object class is a user but not a computer, and for which the account is not flagged as disabled:
If I connect to the AD server directly, all is OK, I get a search result. But sending this search to Meta does not work.
slapd: conn=1004 op=3 SRCH base="dc=meta,dc=pov" scope=2 deref=2 filter="(&(?objectClass=user)(!(?objectClass=Computer))(?=error))"
slapd: conn=1004 op=3 meta_back_search: base="dc=meta,dc=pov" scope=2: no candidate could be selected
slapd: conn=1004 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd: conn=1004 op=4 UNBIND
My OpenLDAP version: 2.4.26
suffixmassage "dc=meta,dc=pov" "dc=adwal,dc=corporate,dc=net"
suffixmassage "dc=meta,dc=pov" "dc=second,dc=crocus,dc=com"
Where is my mistake? Can you help me, please?
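The post explains why a bitwise matching rule is needed for flag attributes such as userAccountControl, and the slapd log shows how a server renders filter terms it cannot interpret (`?objectClass=user`, `?=error`). As an added illustration, not from the thread, here is a small three-valued evaluator for such filters: it understands equality and the bit-AND/bit-OR extensible match, and returns UNDEFINED for any rule it does not know, so a filter built on an unknown rule can never match. The OIDs are the ones Microsoft documents for LDAP_MATCHING_RULE_BIT_AND/BIT_OR; the entries are constructed.

```python
# Matching-rule OIDs Microsoft documents for bitwise tests on flag attributes
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
ACCOUNTDISABLE = 2                    # userAccountControl bit set on a disabled account
UNDEFINED = None                      # third truth value: a term slapd would log as (?...)

# Constructed AD-style entries: attribute name -> list of values
ENABLED_USER = {"objectClass": ["top", "person", "user"], "userAccountControl": [512]}
DISABLED_USER = {"objectClass": ["top", "person", "user"], "userAccountControl": [514]}
COMPUTER = {"objectClass": ["top", "person", "user", "computer"], "userAccountControl": [4096]}
FILTER = "(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:%s:=%d)))" % (BIT_AND, ACCOUNTDISABLE)

def _parse(s, i=0):
    """Parse the component at s[i] (&, |, !, equality or attr:OID:=value); return (node, next)."""
    i += 1                                     # skip "("
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1               # skip ")"
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    parts = attr.split(":")                    # "attr:OID:" for an extensible match
    return ("item", parts[0].lower(), parts[1] if len(parts) == 3 else None, value), end + 1

def _eval(node, entry):
    if node[0] == "item":
        _, attr, rule, value = node
        vals = [str(v).lower() for v in entry.get(attr, [])]
        if rule is None:
            return value.lower() in vals       # plain equality: whole value only
        if rule not in (BIT_AND, BIT_OR):
            return UNDEFINED                   # rule unknown to the server
        mask = int(value)
        for v in vals:
            bits = int(v) & mask
            if (bits == mask) if rule == BIT_AND else (bits != 0):
                return True
        return False
    op, results = node[0], [_eval(k, entry) for k in node[1]]
    if op == "!":
        return UNDEFINED if results[0] is UNDEFINED else not results[0]
    if op == "&":
        return False if False in results else (UNDEFINED if UNDEFINED in results else True)
    return True if True in results else (UNDEFINED if UNDEFINED in results else False)

def matches(filter_str, entry):
    """True/False, or UNDEFINED when a term uses a matching rule the server lacks."""
    return _eval(_parse(filter_str)[0], {k.lower(): v for k, v in entry.items()})
```

`matches(FILTER, ENABLED_USER)` is True while the disabled user (514 = 512 + 2) and the computer are rejected; `(userAccountControl=2)` never matches 514, which is why plain equality cannot express "disabled".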
I was trying to enable rewriting of partial DNs inside a database backend
context, but I would like to not add a specific context for this.
slapo-rwm's man page says that this overlay is intended for back-ldap and
back-meta, but doesn't say it is restricted to these backends.
Is this possible?
Let me explain and give some more details of what I would like to do:
My context is : "dc=example,dc=local", which is stored inside a
back-bdb (or back-hdb).
User objects would be added by clients such as:
But I would like to store these objects as:
So my rewriting configuration lines would be like:
I know that the main purpose of adding one level of OU may not be very
elegant, but it could be useful in the future for being able to
partition the directory.
Sincerely yours, Mathieu.