openldap-technical November 2011

openldap-technical@openldap.org

80 participants
91 discussions

proxy authentication
by LALOT Dominique 22 Nov '11

22 Nov '11

I am coming back on a thread as there was no answer master or replica (managed by a central team) /\ | (proxied bind) partial replica (no userpassword) (managed by another team) /\ | simple bind Is there a simple way to do that (no kerberos/sasl)? The bind on the partial replica is proxied to another server. Thanks Dom -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot

2 1

Limiting host access
by Juergen.Sprenger＠swisscom.com 22 Nov '11

22 Nov '11

Hi, You might want to check out nisNetgroup functionality. 1. add rfc2307bis to Your nis.schema: #attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' # DESC 'Netgroup triple' # SYNTAX 1.3.6.1.1.1.0.0 ) # rfc2307bis attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 2. add nis-netgroups to Your directory: dn: cn=myhostname,ou=Netgroup,dc=example,dc=com objectClass: top objectClass: nisNetgroup description: users allowed to log in to myhostname cn: myhostname nisNetgroupTriple: (,user1,) nisNetgroupTriple: (,user2,) ... 3. add compat-mode to nsswitch.conf: passwd: compat passwd_compat: ldap group: compat group_compat: ldap 4. add netgroup-entries to /etc/passwd and /etc/shadow: Last line of /etc/passwd: +@ myhostname:x::::: Last line of /etc/shadow: +@ myhostname:NP::::::: Now only local users and users listed in dn: cn=myhostname,ou=Netgroup,dc=example,dc=com can log in to the machine. For easy administration You can group together users in netgroups and allow those as memberNisNetgroup: dn: cn=myhostname,ou=Netgroup,dc=example,dc=com objectClass: top objectClass: nisNetgroup description: users allowed to log in to myhostname cn: myhostname memberNisNetgroup: rhdmin memberNisNetgroup: mysqldba ... Regards Juergen Sprenger

1 0

Re: OpenLDAP syncrepl woes
by Jeffrey Crawford 21 Nov '11

21 Nov '11

Okay using bdb 4.8 seems to be working better, I ran through several mass adds and deletes. I stil get periodic failures of: Nov 21 10:32:27 idm-prod-ldap-2 slapd[41275]: conn=-1 op=0: attribute "reqEnd" index delete failure which is obviously part of the acceslog overlay. I am replicating that DB between the Mirror mode masters so there may be some other issues at play here. I'm attempting to make sure that the accesslog is in sync between them so that if a failover occurs we only need to look at the current active ldap server to see the changes made. On Mon, Nov 21, 2011 at 10:05 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Wednesday, November 16, 2011 3:49 PM -0800 Jeffrey Crawford > <jeffreyc(a)ucsc.edu> wrote: > >>>> Oh and we are using bdb 4.6 right now (forgot to answer that) > > With all the patches? Oracle lists 4. > > 4.6.21 > Requires log file format upgrade. change log - patches ( 4) good question it's the default FreeBSD build would hope they have included them but I'm not the sysadmin on the box itself. in any case using 4.8 seems to be working (I think) > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

OpenLDAP syncrepl woes
by Jeffrey Crawford 21 Nov '11

21 Nov '11

I'm trying to stabilize our openldap server farm before going live and am finding that despite the contextCSN matching between providers and replicas, the actual content of the server is getting out of sync. This is most prominent when we are testing our population routine and we need to remove all accounts before starting. right now it's only about 22000 entries (It will get much larger). During the mass delete we got the following sprinkled throughout the logs on all machines: ==== Nov 15 15:47:16 idm-prod-ldap-2 slapd[33070]: bdb(dc=domain,dc=name): previous transaction deadlock return not resolved Nov 15 15:47:16 idm-prod-ldap-2 slapd[33070]: => bdb_idl_delete_key: cursor failed: Invalid argument (22) and the various replicas would still have accounts left over but they wouldn't match each other. Granted the above issues might be explained away in that we don't yet have enough ram on the machines yet, however it does seem to present us with a problem when we notice the discrepancy, how do we during run time re-sync the data from the provider server? I have tried the slapd -c rid=2,csn=20111114000000.000000Z but that doesn't seem to do any good. (I've tried several different values of csn=0 csn=20111114000000.000000Z#000000#000#000000 etc. to no avail) I guess my question is two fold, how do I really verify replication is working properly and is in sync, and how to I force a replica to just take the current content from a provider without question. (I don't really want to remove the database and have it re-sync, rather have it go through and check the content and update as needed). Thanks Jeffrey Crawford

3 11

slapo-rwm and NAME aliases
by Michael Ströder 21 Nov '11

21 Nov '11

HI! Some address book LDAP clients are stupid and cannot be re-configured which LDAP attributes contain the specific address information. In particular I'm struggling with Outlook's LDAP address book which expects 'streetAddress' instead of 'street'. I'm using slapo-rwm for mapping other attributes. That works. But rwm-map attribute streetAddress street does not return streetAddress in the search result probably because 'streetAddress' and 'street' gets normalized to the same attribute type description. What to do in such a case? It' part of the standard schema shipped with OpenLDAP and I don't want to mess up this. Ciao, Michael.

1 0

LDAP query to Active Directory backend
by Khaled Blah 21 Nov '11

21 Nov '11

Hello to all, I've been witnessing a strange thing when (LDAP-) querying an Active Directory backend (Windows Server 2003): the output data I receive seems to be encoded in the ISO8859 character set when I would expect it to be UTF-8. Has anyone else experienced anything like this? I'd be glad to learn how to make sure the AD backend gives UTF-8 data back. I use OpenLDAP 2.4.23 on Ubuntu 10.04 and 11.04 Regards, Khaled

2 1

OpenLDAP SASL Passthrough
by Raffael Sahli 21 Nov '11

21 Nov '11

Hi, I'm so confused with the sasl passthrough implementation. I set for the user test in my ldap tree the password {SASL}test@MY_REALM Keytab: [test@ldap-master001 /]#--> ls /etc/krb5.keytab -l -rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab SASL GSSAPI Auth: works well [test@ldap-master001 /]#--> ldapwhoami SASL/GSSAPI authentication started SASL username: test@MY_REALM SASL SSF: 56 SASL data security layer installed. dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth SASL SLAPD Config: [root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux keytab: /etc/krb5.keytab testsaslauthd works well: [root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap 0: OK "Success." sasl debug log: saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] saslauthd[26077] :do_request : response: OK But the ldapsearch simplebind command takes 7-10s... [test@ldap-master001 /]#--> ldapsearch -D uid=test,ou=users,dc=my,dc=company -w MYPASSWORD -s base -b '' -x ldap_bind: Invalid credentials (49) And the sasl debug log shows: saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error] WTF, why works testsaslauthd well but failed with ldap auth? The kerberos server works well in both commands..... root@ldap-master001:/usr/local/etc/openldap# /usr/local/libexec/slapd -V @(#) $OpenLDAP: slapd 2.4.21 (Nov 10 2011 11:20:35) $ root@ldap-master001:/usr/local/src/openldap-2.4.21/servers/slapd root@ldap-master001:/usr/local/etc/openldap# saslauthd -v saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by saslauthd) saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by saslauthd) saslauthd 2.1.23 authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap Thank you

3 6

Limiting host access
by Jayavant Patil 21 Nov '11

21 Nov '11

Hi, I am using openldap-2.4.19-4 on fedora 12 machine. My question is as follows: How to restrict a user access to some client nodes? Please, explain in detail. -- Thanks & Regards, Jayavant Ningoji Patil +91 9923536030.

2 1

Newbie: can't connect and enable logging
by cfisi＠arcor.de 20 Nov '11

20 Nov '11

Hi list, I installed OpenLdap on Debian Squeeze. When trying to connect to Openldap jxplorer just says: "Opening connection to ldap://192.168.1.102:389". Nothing more happens. How can I enable logging (in Openldap or jxplorer) and above all how can I connect? Thank you in advance. - Chris

3 4

Re: How to configure Unique Overlay in cn=config
by Igor Blanco 19 Nov '11

19 Nov '11

Thanks Quanah: I'm using Debian Stable's repository and would prefer to stay in sync with the repo to ease the maintenance process. AFAIK Debian usually applies critical patches in its own packaging version so maybe some of those issues are already addressed. My exact version is 2.4.23-7.2, which I think that means that is version 7.2 of Debian package or something like this. I'll take some time and check it just in case there is something really nasty that I should be aware of, thank you very much. Going back to unique overlay. I finally managed to configure it, as you say I just added a new module entry but I wasn't seeing the corresponding configuration objectclasses needed. After restarting slapd they appeared. Thank you very much. 2011/11/9 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Monday, November 07, 2011 7:05 PM +0100 Igor Blanco < > iblanco(a)binovo.es> wrote: > > Hello everyone, >> >> >> I'm trying to configure the uniqueness overlay in Debian Squeeze >> (OpenLDAP 2.4.23) using "cn=config" but I can't figure how to do it and >> can't find any good doc about it, the FAQ-O-Matic wasn't very helpful >> this time. >> >> >> I've added a new "olcModuleLoad=unique" attribute in >> "cn=module{0},cn=config" and it hasn't complained, but how and where do I >> set "olcUniqueURI" ? in "olcDatabase={1}hdb,cn=config" ? This attribute >> does not seem to be present in my OpenLDAP installation, do I have to add >> any new schema? >> >> >> Any reference to documentation explaining how to configure "unique" >> overlay within "cn=config" would be much appreciated. A dump of a >> "cn=config" branch correctly configured would be fantastic. >> > > First, I would seriously advise you to upgrade to 2.4.26. 2.4.23 has > numerous, serious issues. You may also want to grab the patch for ITS#7030 > from the git repo (<http://www.openldap.org/**devel/gitweb.cgi?p=openldap. > **git;a=commitdiff;h=**eae46d35d252f5e7cfd623984f0896**e951d507c9<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=eae4…> > >) > > As for adding unique, it's pretty trivial. I have a perl script that does > it using Net::LDAP, but you can trivially change this for ldapadd: > > my $ldap = Net::LDAP->new('ldapi://%**2fopt%2fzimbra%2fopenldap%**2fvar%2frun%2fldapi/') > or die "$@"; > my $mesg = $ldap->bind("cn=config", password=>"$ldap_root_**password"); > $mesg->code && die "Bind: ". $mesg->error . "\n"; > my $dn="cn=module{0},cn=config"; > $mesg = $ldap->modify( > $dn, > add =>{olcModuleLoad => 'unique.la'}, > ); > my $bdn="olcDatabase={2}hdb,cn=**config"; > $mesg = $ldap ->search( > base=>"$bdn", > filter=>"(objectClass=**olcUniqueConfig)", > scope=>"sub", > attrs => ['1.1'], > ); > > my $size = $mesg->count; > if ($size == 0) { > $dn="olcOverlay=unique,$bdn"; > $mesg = $ldap->add( "$dn", > attr => [ > 'olcUniqueURI' => 'ldap:///?mail?sub', > 'objectclass' => ['olcOverlayConfig', > 'olcUniqueConfig', ], > ] > ); > $mesg->code && warn "failed to add entry: ", $mesg->error ; > } > $ldap->unbind; > > > > The basic idea is you add a new entry, olcOverlay=unique,<base database > DN> with the objectClasses and the unique URI. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Igor Blanco González Binovo IT Human Project e-mail: iblanco(a)binovo.es Telf. : 943 493611 - 690229375 Dirección: Astigarraga Bidea 2 Planta 6. - Ofi. 3-2 20180 Oiartzun ( Gipuzkoa )

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2011