proxy authentication
by LALOT Dominique
I am coming back to a thread as there was no answer.
    master or replica (managed by a central team)
                  /\
                  |  (proxied bind)
    partial replica (no userpassword) (managed by another team)
                  /\
                  |
             simple bind
Is there a simple way to do that (no kerberos/sasl)? The bind on the
partial replica is proxied to another server.
Thanks
Dom
--
Dominique LALOT
Systems and Network Engineer
http://annuaire.univmed.fr/showuser.php?uid=lalot
9 years, 4 months
Limiting host access
by Juergen.Sprenger@swisscom.com
Hi,
You might want to check out nisNetgroup functionality.
1. add rfc2307bis to your nis.schema:
#attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
# DESC 'Netgroup triple'
# SYNTAX 1.3.6.1.1.1.0.0 )
# rfc2307bis
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2. add nis-netgroups to your directory:
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
...
3. add compat-mode to nsswitch.conf:
passwd: compat
passwd_compat: ldap
group: compat
group_compat: ldap
4. add netgroup-entries to /etc/passwd and /etc/shadow:
Last line of /etc/passwd:
+@myhostname:x:::::
Last line of /etc/shadow:
+@myhostname:NP:::::::
Now only local users and users listed in
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
can log in to the machine.
For easy administration you can group together users
in netgroups and allow those as memberNisNetgroup:
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
memberNisNetgroup: rhdmin
memberNisNetgroup: mysqldba
...
Regards
Juergen Sprenger
9 years, 4 months
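An added example, not code from Juergen's post or from OpenLDAP, that applies the netgroup triple rules the compat-mode +@netgroup line relies on: it reads nisNetgroup entries from an LDIF dump, follows memberNisNetgroup recursively with cycle protection, answers "may this user log in on this host?" and lists triples whose empty user field admits every user. The LDIF, the group names (mysqldba, dbhost1) and the user names are constructed for the example.

```python
"""Evaluate nisNetgroup access offline from an LDIF dump.

Added example, not from the mailing-list post or from OpenLDAP.  The LDIF
below is constructed; the netgroup and host names are assumptions.
"""
import re

SAMPLE_LDIF = """\
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
memberNisNetgroup: mysqldba

dn: cn=mysqldba,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: mysqldba
nisNetgroupTriple: (,dba1,)
nisNetgroupTriple: (dbhost1,,)
memberNisNetgroup: myhostname
"""

# (host,user,domain); an empty field means "any"
TRIPLE_RE = re.compile(r"^\(\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*([^)]*?)\s*\)$")


def parse_ldif(text):
    """Minimal LDIF reader (no base64, no line folding): {cn: {attr: [values]}} for nisNetgroup entries."""
    groups = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        if "nisNetgroup" in entry.get("objectClass", []):
            groups[entry["cn"][0]] = entry
    return groups


def parse_triple(value):
    """Turn '(host,user,domain)' into a tuple; an empty field becomes None (wildcard)."""
    m = TRIPLE_RE.match(value)
    if not m:
        raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
    return tuple(field or None for field in m.groups())


def expand(groups, name, seen=None):
    """Yield every triple reachable from `name`, following memberNisNetgroup.

    `seen` stops infinite recursion when netgroups include each other,
    which the directory will happily let you configure."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return
    seen.add(name)
    entry = groups[name]
    for value in entry.get("nisNetgroupTriple", []):
        yield parse_triple(value)
    for member in entry.get("memberNisNetgroup", []):
        yield from expand(groups, member, seen)


def allowed(groups, netgroup, user, host=None, domain=None):
    """True if some triple matches (host,user,domain).

    A None triple field is a wildcard; a None query field means "unknown"
    and is treated as matching, so pass the real hostname when you have it."""
    query = (host, user, domain)
    for triple in expand(groups, netgroup):
        if all(t is None or q is None or t == q for t, q in zip(triple, query)):
            return True
    return False


def wildcard_user_triples(groups, netgroup):
    """Triples with an empty user field: they admit every user on the named host/domain."""
    return [(h, d) for h, u, d in expand(groups, netgroup) if u is None]


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    for user in ("user1", "dba1", "nobody"):
        print(user, allowed(groups, "myhostname", user, host="myhostname"))
    print("wildcard-user triples:", wildcard_user_triples(groups, "myhostname"))
```

The wildcard check is the part worth running before deploying a netgroup: a triple such as (dbhost1,,) means "anyone on dbhost1", and because memberNisNetgroup is followed transitively, such a triple in a nested group silently widens every group that includes it.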
Re: OpenLDAP syncrepl woes
by Jeffrey Crawford
Okay, using bdb 4.8 seems to be working better; I ran through several
mass adds and deletes. I still get periodic failures of:
Nov 21 10:32:27 idm-prod-ldap-2 slapd[41275]: conn=-1 op=0: attribute
"reqEnd" index delete failure
which is obviously part of the accesslog overlay. I am replicating that
DB between the Mirror mode masters so there may be some other issues
at play here. I'm attempting to make sure that the accesslog is in
sync between them so that if a failover occurs we only need to look at
the current active ldap server to see the changes made.
On Mon, Nov 21, 2011 at 10:05 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, November 16, 2011 3:49 PM -0800 Jeffrey Crawford
> <jeffreyc(a)ucsc.edu> wrote:
>
>>>> Oh and we are using bdb 4.6 right now (forgot to answer that)
>
> With all the patches? Oracle lists 4.
>
> 4.6.21
> Requires log file format upgrade. change log - patches ( 4)
Good question; it's the default FreeBSD build. I would hope they have
included them, but I'm not the sysadmin on the box itself. In any case,
using 4.8 seems to be working (I think).
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
9 years, 4 months
OpenLDAP syncrepl woes
by Jeffrey Crawford
I'm trying to stabilize our openldap server farm before going live and
am finding that despite the contextCSN matching between providers and
replicas, the actual content of the server is getting out of sync.
This is most prominent when we are testing our population routine and
we need to remove all accounts before starting. Right now it's only
about 22000 entries (it will get much larger).
During the mass delete we got the following sprinkled throughout the
logs on all machines:
====
Nov 15 15:47:16 idm-prod-ldap-2 slapd[33070]: bdb(dc=domain,dc=name):
previous transaction deadlock return not resolved
Nov 15 15:47:16 idm-prod-ldap-2 slapd[33070]: => bdb_idl_delete_key:
cursor failed: Invalid argument (22)
and the various replicas would still have accounts left over but they
wouldn't match each other.
Granted, the above issues might be explained away in that we don't yet
have enough RAM on the machines; however, it does seem to present
us with a problem when we notice the discrepancy: how do we re-sync
the data from the provider server at run time? I have tried
slapd -c rid=2,csn=20111114000000.000000Z but that doesn't seem to do any
good. (I've tried several different values: csn=0,
csn=20111114000000.000000Z#000000#000#000000, etc., to no avail.)
I guess my question is twofold: how do I really verify replication is
working properly and is in sync, and how do I force a replica to just
take the current content from a provider without question? (I don't
really want to remove the database and have it re-sync; rather, have it
go through and check the content and update as needed.)
Thanks
Jeffrey Crawford
9 years, 4 months
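An added example, not from the thread or from OpenLDAP, for the first half of Jeffrey's question (how to verify a replica is actually in sync). contextCSN only records the newest change each server has seen, so it can match on provider and replica while individual entries differ; comparing entryCSN per DN across slapcat dumps of both servers finds entries that are missing, left over, or stale. The two dumps, the suffix dc=domain,dc=name taken from the log lines above, and the user entries are constructed for the example.

```python
"""Per-entry replication check from slapcat dumps.

Added example, not from the thread or from OpenLDAP.  The dumps below are
constructed; entry names and CSN values are assumptions.
"""

PROVIDER_DUMP = """\
dn: dc=domain,dc=name
objectClass: domain
dc: domain
entryCSN: 20111114000000.000000Z#000000#000#000000
contextCSN: 20111115154716.123456Z#000000#000#000000

dn: uid=alice,ou=people,dc=domain,dc=name
objectClass: inetOrgPerson
uid: alice
entryCSN: 20111115154700.000001Z#000000#000#000000

dn: uid=bob,ou=people,dc=domain,
 dc=name
objectClass: inetOrgPerson
uid: bob
entryCSN: 20111115154716.123456Z#000000#000#000000
"""

# Same contextCSN as the provider, yet: alice is older, bob is missing, carol is a leftover.
REPLICA_DUMP = """\
dn: dc=domain,dc=name
objectClass: domain
dc: domain
entryCSN: 20111114000000.000000Z#000000#000#000000
contextCSN: 20111115154716.123456Z#000000#000#000000

dn: uid=alice,ou=people,dc=domain,dc=name
objectClass: inetOrgPerson
uid: alice
entryCSN: 20111115154600.000000Z#000000#000#000000

dn: uid=carol,ou=people,dc=domain,dc=name
objectClass: inetOrgPerson
uid: carol
entryCSN: 20111113120000.000000Z#000000#000#000000
"""


def unfold(dump):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for line in dump.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def csn_index(dump):
    """Map each DN to its entryCSN; also collect the contextCSN values
    (multi-valued in mirror/multi-master mode, one per serverID)."""
    index, context, dn = {}, set(), None
    for line in unfold(dump):
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("entryCSN: ") and dn:
            index[dn] = line[len("entryCSN: "):].strip()
        elif line.startswith("contextCSN: "):
            context.add(line[len("contextCSN: "):].strip())
    return index, context


def compare(provider_dump, replica_dump):
    """Report the differences a contextCSN comparison alone would hide."""
    p, p_ctx = csn_index(provider_dump)
    r, r_ctx = csn_index(replica_dump)
    common = set(p) & set(r)
    return {
        "contextCSN_match": p_ctx == r_ctx,
        "missing_on_replica": sorted(set(p) - set(r)),
        "left_over_on_replica": sorted(set(r) - set(p)),
        "stale_on_replica": sorted(dn for dn in common if p[dn] != r[dn]),
    }


def in_sync(provider_dump, replica_dump):
    """True only when every DN exists on both sides with the same entryCSN."""
    report = compare(provider_dump, replica_dump)
    return not (report["missing_on_replica"] or report["left_over_on_replica"]
                or report["stale_on_replica"])


if __name__ == "__main__":
    for key, value in compare(PROVIDER_DUMP, REPLICA_DUMP).items():
        print(f"{key}: {value}")
```

Run it against slapcat -l output taken from the provider and from each replica at roughly the same moment; a "stale" entry with an older entryCSN on the replica is the case the thread describes, where contextCSN says the servers agree and the content says otherwise.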
slapo-rwm and NAME aliases
by Michael Ströder
Hi!
Some address book LDAP clients are stupid and cannot be re-configured as to which
LDAP attributes contain the specific address information. In particular I'm
struggling with Outlook's LDAP address book, which expects 'streetAddress'
instead of 'street'.
I'm using slapo-rwm for mapping other attributes. That works.
But
rwm-map attribute streetAddress street
does not return streetAddress in the search result, probably because
'streetAddress' and 'street' get normalized to the same attribute type
description.
What to do in such a case? It's part of the standard schema shipped with
OpenLDAP and I don't want to mess this up.
Ciao, Michael.
9 years, 4 months
LDAP query to Active Directory backend
by Khaled Blah
Hello to all,
I've been witnessing a strange thing when (LDAP-) querying an Active
Directory backend (Windows Server 2003): the output data I receive
seems to be encoded in the ISO8859 character set when I would expect
it to be UTF-8. Has anyone else experienced anything like this? I'd be
glad to learn how to make sure the AD backend gives UTF-8 data back.
I use OpenLDAP 2.4.23 on Ubuntu 10.04 and 11.04.
Regards,
Khaled
9 years, 4 months
OpenLDAP SASL Passthrough
by Raffael Sahli
Hi,
I'm so confused with the sasl passthrough implementation.
I set for the user test in my ldap tree the password {SASL}test@MY_REALM
Keytab:
[test@ldap-master001 /]#--> ls /etc/krb5.keytab -l
-rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab
SASL GSSAPI Auth: works well
[test@ldap-master001 /]#--> ldapwhoami
SASL/GSSAPI authentication started
SASL username: test@MY_REALM
SASL SSF: 56
SASL data security layer installed.
dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth
SASL SLAPD Config:
[root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
testsaslauthd works well:
[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
0: OK "Success."
sasl debug log:
saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
[realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK
But the ldapsearch simplebind command takes 7-10s...
[test@ldap-master001 /]#--> ldapsearch -D uid=test,ou=users,dc=my,dc=company -w MYPASSWORD -s base -b '' -x
ldap_bind: Invalid credentials (49)
And the sasl debug log shows:
saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
WTF, why does testsaslauthd work well but fail with LDAP auth?
The kerberos server works well in both commands.....
root@ldap-master001:/usr/local/etc/openldap# /usr/local/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.21 (Nov 10 2011 11:20:35) $
root@ldap-master001:/usr/local/src/openldap-2.4.21/servers/slapd
root@ldap-master001:/usr/local/etc/openldap# saslauthd -v
saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by saslauthd)
saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by saslauthd)
saslauthd 2.1.23
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
Thank you
9 years, 4 months
Limiting host access
by Jayavant Patil
Hi,
I am using openldap-2.4.19-4 on a Fedora 12 machine. My question is as
follows:
How to restrict a user access to some client nodes?
Please, explain in detail.
--
Thanks & Regards,
Jayavant Ningoji Patil
+91 9923536030.
9 years, 4 months
Newbie: can't connect and enable logging
by cfisi@arcor.de
Hi list,
I installed OpenLDAP on Debian Squeeze. When trying to connect to OpenLDAP, JXplorer just says: "Opening connection to ldap://192.168.1.102:389". Nothing more happens.
How can I enable logging (in Openldap or jxplorer) and above all how can I connect?
Thank you in advance.
- Chris
9 years, 4 months
Re: How to configure Unique Overlay in cn=config
by Igor Blanco
Thanks Quanah:
I'm using Debian Stable's repository and would prefer to stay in sync with
the repo to ease the maintenance process.
AFAIK Debian usually applies critical patches in its own packaging version,
so maybe some of those issues are already addressed. My exact version
is 2.4.23-7.2, which I think means that it is version 7.2 of the Debian
package or something like this. I'll take some time and check it just in
case there is something really nasty that I should be aware of; thank you
very much.
Going back to the unique overlay: I finally managed to configure it. As you say,
I just added a new module entry, but I wasn't seeing the corresponding
configuration objectClasses needed. After restarting slapd they appeared.
Thank you very much.
2011/11/9 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Monday, November 07, 2011 7:05 PM +0100 Igor Blanco <
> iblanco(a)binovo.es> wrote:
>
>> Hello everyone,
>>
>> I'm trying to configure the uniqueness overlay in Debian Squeeze
>> (OpenLDAP 2.4.23) using "cn=config" but I can't figure how to do it and
>> can't find any good doc about it, the FAQ-O-Matic wasn't very helpful
>> this time.
>>
>>
>> I've added a new "olcModuleLoad=unique" attribute in
>> "cn=module{0},cn=config" and it hasn't complained, but how and where do I
>> set "olcUniqueURI" ? in "olcDatabase={1}hdb,cn=config" ? This attribute
>> does not seem to be present in my OpenLDAP installation, do I have to add
>> any new schema?
>>
>>
>> Any reference to documentation explaining how to configure "unique"
>> overlay within "cn=config" would be much appreciated. A dump of a
>> "cn=config" branch correctly configured would be fantastic.
>>
>
> First, I would seriously advise you to upgrade to 2.4.26. 2.4.23 has
> numerous, serious issues. You may also want to grab the patch for ITS#7030
> from the git repo
> (<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=eae46d35d252f5e7cfd623984f0896e951d507c9>)
>
> As for adding unique, it's pretty trivial. I have a perl script that does
> it using Net::LDAP, but you can trivially change this for ldapadd:
>
> use strict;
> use warnings;
> use Net::LDAP;
>
> # the config root password is assumed to be supplied elsewhere in the full script
> my $ldap_root_password = $ENV{LDAP_ROOT_PASSWORD};
>
> # connect over the ldapi socket (the socket path is URL-encoded)
> my $ldap = Net::LDAP->new('ldapi://%2fopt%2fzimbra%2fopenldap%2fvar%2frun%2fldapi/')
>     or die "$@";
> my $mesg = $ldap->bind("cn=config", password => "$ldap_root_password");
> $mesg->code && die "Bind: " . $mesg->error . "\n";
>
> # 1. load the unique module
> my $dn = "cn=module{0},cn=config";
> $mesg = $ldap->modify(
>     $dn,
>     add => { olcModuleLoad => 'unique.la' },
> );
> $mesg->code && warn "failed to load module: ", $mesg->error;
>
> # 2. is the overlay already configured on this database?
> my $bdn = "olcDatabase={2}hdb,cn=config";
> $mesg = $ldap->search(
>     base   => "$bdn",
>     filter => "(objectClass=olcUniqueConfig)",
>     scope  => "sub",
>     attrs  => ['1.1'],
> );
>
> my $size = $mesg->count;
> if ($size == 0) {
>     # 3. add the overlay entry with its objectClasses and the unique URI
>     $dn = "olcOverlay=unique,$bdn";
>     $mesg = $ldap->add( "$dn",
>         attr => [
>             'olcUniqueURI' => 'ldap:///?mail?sub',
>             'objectclass'  => [ 'olcOverlayConfig', 'olcUniqueConfig', ],
>         ]
>     );
>     $mesg->code && warn "failed to add entry: ", $mesg->error;
> }
> $ldap->unbind;
>
>
>
> The basic idea is you add a new entry, olcOverlay=unique,<base database
> DN> with the objectClasses and the unique URI.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
Igor Blanco González
Binovo IT Human Project
e-mail: iblanco(a)binovo.es
Tel.: 943 493611 - 690229375
Address:
Astigarraga Bidea 2
6th floor, Office 3-2
20180 Oiartzun ( Gipuzkoa )
9 years, 4 months
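An added example, neither Quanah's script nor OpenLDAP's own tooling, covering the ldapadd route he mentions and the two checks worth doing first. It generates the ldapmodify input for the same two steps (load unique.la, then add olcOverlay=unique,<database DN> with olcUniqueURI), tests a slapcat -n 0 dump for an existing overlay entry the way the script's search does, and validates each olcUniqueURI value before it is sent. The config dump is constructed, and the database DN olcDatabase={1}hdb,cn=config is an assumption.

```python
"""Unique overlay under cn=config: pre-checks and LDIF generation.

Added example, not Quanah's script and not part of OpenLDAP.  The config
dump is constructed; the database DN is an assumption.
"""
import re

CONFIG_DUMP = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb.la

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}unique,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {0}unique
olcUniqueURI: ldap:///?mail?sub
"""

SCOPES = {"", "base", "one", "sub"}


def has_unique_overlay(config_dump, db_dn):
    """True if the dump already holds olcOverlay=unique under db_dn.

    slapd stores overlay RDNs with an ordering index ("olcOverlay={0}unique"),
    so a naive string compare against "olcOverlay=unique,..." would miss it."""
    pattern = re.compile(r"^dn:\s*olcOverlay=(\{\d+\})?unique," + re.escape(db_dn) + r"\s*$",
                         re.IGNORECASE | re.MULTILINE)
    return pattern.search(config_dump) is not None


def validate_unique_uri(value):
    """Check one olcUniqueURI value: optional 'strict'/'ignore' keywords, then
    ldap:///[base]?[attrs]?[scope]?[filter] with no host part (one URI per value here)."""
    tokens = value.split()
    while tokens and tokens[0] in ("strict", "ignore"):
        tokens.pop(0)
    if len(tokens) != 1 or not tokens[0].startswith("ldap:///"):
        return False
    parts = tokens[0][len("ldap:///"):].split("?")
    if len(parts) > 4:
        return False
    scope = parts[2] if len(parts) > 2 else ""
    return scope in SCOPES


def unique_overlay_ldif(db_dn, unique_uris, module_dn="cn=module{0},cn=config"):
    """Build the ldapmodify input: load the module, then add the overlay entry."""
    for uri in unique_uris:
        if not validate_unique_uri(uri):
            raise ValueError(f"bad olcUniqueURI: {uri!r}")
    uri_lines = "".join(f"olcUniqueURI: {u}\n" for u in unique_uris)
    return (
        f"dn: {module_dn}\n"
        "changetype: modify\n"
        "add: olcModuleLoad\n"
        "olcModuleLoad: unique.la\n"
        "\n"
        f"dn: olcOverlay=unique,{db_dn}\n"
        "changetype: add\n"
        "objectClass: olcOverlayConfig\n"
        "objectClass: olcUniqueConfig\n"
        "olcOverlay: unique\n"
        + uri_lines
    )


if __name__ == "__main__":
    db = "olcDatabase={1}hdb,cn=config"
    if has_unique_overlay(CONFIG_DUMP, db):
        print(f"unique overlay already present under {db}")
    else:
        print(unique_overlay_ldif(db, ["ldap:///?mail?sub"]))
```

Feed the generated text to ldapmodify -Y EXTERNAL -H ldapi:/// (or ldapadd with the same bind Quanah uses); if the module is already loaded, the first change fails with "type or value exists", which is harmless but is the reason the pre-check belongs in front of the add rather than after it.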