openldap-technical February 2011

openldap-technical@openldap.org

96 participants
102 discussions

remote credentials for local branch with authz-regexp
by Hugo Monteiro 23 Feb '11

23 Feb '11

Hello list, I'm using translucent in a local server. That same server also has an extra local database, which is a local only branch of the remote database. This database is a subordinate and they glue together well. Now, for the sake of management, i need to be able to identify to the local database (rootdn) but using credentials from the remote database. Assuming one has translucent to remote - dc=example,dc=com with remote admin user cn=admin,dc=example,dc=com local - ou=localbranch,dc=example,dc=com with rootdn admin user cn=admin,ou=localbranch,dc=example,dc=com I tried the follwing on the local server database hdb suffix "ou=localbranch,dc=example,dc=com" rootdn "cn=admin,ou=localbranch,dc=example,dc=com" rootpw "secret" directory "/var/lib/ldap/ou=localbranch,dc=example,dc=com" index objectClass,sambaSID eq lastmod on authz-regexp "cn=admin,dc=example,dc=com" "cn=admin,ou=localbranch,dc=example,dc=com" access to dn.base="ou=localbranch,dc=example,dc=com" by * read access to * by dn="cn=admin,ou=localbranch,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read subordinate The credentials used to connect to the remote server have full read only access to the remote database. So the problem is that when i try to authenticate using cn=admin,dc=example,dc=com, to the local database branch, i can see the bind request being transluced to the remote server without using the authz-regexp map. Any advice is appreciated, Hugo Monteiro. -- fct.unl.pt:~# cat .signature Hugo Monteiro Email : hugo.monteiro(a)fct.unl.pt Telefone : +351 212948300 Ext.15307 Web : http://hmonteiro.net Divisão de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.fct.unl.pt apoio(a)fct.unl.pt fct.unl.pt:~# _

2 2

How can I check ldap is working well?
by Olivier PAVILLA 23 Feb '11

23 Feb '11

After upgrading my server (Lenny to Squeeze). Something happened. /var/lib/ldap was empty. Thanku very debian installer :) I made a new /var/lib/ldap/DB_CONFIG I restarted ldap with something like this /etc/init.d/slapd start I looked my syslog tail -f /var/log/syslog and it contents that : Feb 23 13:46:13 unverre slapd[4660]: slap_client_connect: URI=ldaps://coruscan2.dumpsize.fr:636 DN="cn=replicapalpatine,ou=useraccess,dc=dumpsize,dc=fr" ldap_sasl_bind_s failed (-1) Feb 23 13:46:13 unverre slapd[4660]: do_syncrepl: rid=008 rc -1 retrying Feb 23 13:56:13 unverre slapd[4660]: syncrepl_message_to_entry: rid=008 mods check (objectClass: value #4 invalid per syntax) Feb 23 13:56:13 unverre slapd[4660]: do_syncrepl: rid=008 rc 21 retrying Feb 23 14:06:13 unverre slapd[4660]: syncrepl_message_to_entry: rid=008 mods check (objectClass: value #4 invalid per syntax) Feb 23 14:06:14 unverre slapd[4660]: do_syncrepl: rid=008 rc 21 retrying Anyone can translate this to me? How can I check my ldap server is working well? -- Olivier Pavilla << 仕事を探しています。求職中です。>> S.C.I.R.C. Orléans (Bourgogne) - I.U.F.M. Centre-Val de Loire 72 Rue du Faubourg Bourgogne -45044 ORLEANS Cedex 1 Tel : 02-38-49-26-20 , mailto:olivier.pavilla@univ-ørleans.fr http://blog.linux-squad.com - 僕の傑作です。

1 0

authzTo now X-ORDERED?
by Michael Ströder 23 Feb '11

23 Feb '11

HI! I'm trying to configure proxy authz with 2.4.24 without luck testing with ldapwhoami -X. Now I wonder if attribute 'authzTo' is now handled as X-ORDERED [1]. Unfortunately the subschema subentry does not contain a attribute type description for 'authzTo'. The server adds prefix "{0}" to my authzTo attribute value. Ciao, Michael. [1] http://tools.ietf.org/html/draft-chu-ldap-xordered-00

1 1

Re: openldap problems authenticating
by Tim Dunphy 22 Feb '11

22 Feb '11

Hey guys I took Quanah's advice and put the clear text password into /etc/lapd.conf on the client. I also noticed that the user account it was looking for was of a posixAccount class. And I was missing the nis.shema. So I added nis.schema to slapd.conf and restarted slapd and I was seeing the same pattern. ldapsearches on the client were working just as they were before and getents on the client were not. But I was seeing a new error in the logs at this point: Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SRCH base="ou=staff,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(objectClass=posixAccount)" Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: activity on 1 descriptor Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: activity on: Feb 23 01:16:45 LBSD2 slapd[52517]: 12r Feb 23 01:16:45 LBSD2 slapd[52517]: Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: read activity on 12 Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=6 active_threads=0 tvp=NULL Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=7 active_threads=0 tvp=NULL Feb 23 01:16:45 LBSD2 slapd[52517]: connection_read(12): input error=-2 id=1471, closing. Feb 23 01:16:45 LBSD2 slapd[52517]: connection_closing: readying conn=1471 sd=12 for close Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: activity on 1 descriptor Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: waked Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=6 active_threads=0 tvp=NULL Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=7 active_threads=0 tvp=NULL Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: removing 12 Which from what I've googled means basically "object not found". Now just to clarify a point of possible confusion... my user accounts are unix posixAccounts that were migrated using the padl tools. Here's what one of the user accounts looks like: 43 uid=bluethundr,cn=summitnjops,ou=staff,ou=Group,dc=summitnjhome,dc=com uid: bluethundr cn: Timothy P. Dunphy givenName: Timothy P. sn: Dunphy mail: bluethundr(a)gmail.com mailRoutingAddress: bluethundr(a)mail.summitnjhome.com mailHost: mail.summitnjhome.com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: posixAccount objectClass: inetOrgPerson objectClass: inetLocalMailRecipient objectClass: ldapPublicKey uidNumber: 1001 gidNumber: 10000 homeDirectory: /home/bluethundr gecos: Timothy Dunphy loginShell: /bin/bash sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQ0zYn6FhQ1lKnvQ1K1GbXh8hdsXlXnnUYjLcNUqv7uMjjy0xDv03bnPU0Iyl1HcQcVFYPgcjB7mo3FZjZHd9bsHRwnY688FjPv/xE78+B M8aDTuzb6czVA1X9ztc6Y6eNGYy1U4b3dseVFS+L2APkjaV5/RYPRH4mxJ8aNnrf+APaZvjtwPPEnxZST58QYdwtBvalLbgpDRTmGHrSEP2bJvUSR+iS3zC9xp90R0hFSVjd6jauXcxhkFLyG0nnmjc5sS5271 uxsXTfVFC1bHBasXL5ITFS63SpZErDWIVNwfVoR2tentddD6qJFd5ewTojRFDua3iqU4EJUl80RjmF bluethundr(a)LCENT01.summitnjhome.com sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlhRvFkT6wUAR3jw2h2Z0KV2/WsHPFkuXBD1BgzOQfR+PFhZDnt/zp44cLGwxa55RKEtFC+n/sjgmj99hKbn+0pPlGUGDuGqmWtMG45s+S oDm9pRd8uzFccNYDLQ3POhfD2EbOarR45m7X42r821YO3ZeWnn3E1rCHarXrHXFX13sp9Jh8htNlWBCEjvs37S8VC9v5XW95BY8rhqrDGJrobmzDplUlHjgYjyBWx/BQxxgvmqQfKyS8i26+IelHcqRT5cgCSU bFlPR3ouVu8eAgIE6gwKTuElIaTwJQ4QjBlaGaohEQRei0FWsfb7EzH1ikE34gJTdoaSnozU9MWc+f tim@dunphy userPassword: {CRYPT}crHJs4YTxefJE I am trying to search the directory using the pam_ldap account which is an inetOrgPerson account and looks like this: 3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com cn: pam_ldap objectClass: top objectClass: inetOrgPerson sn: PAM userPassword: {SSHA}Cbk8VNyWQsXNmqt6n9GYDRcR0cnuA2sJ This command does find the bluethundr account: ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com' '(uid=bluethundr)' (currently I'm not using TLS until I get this mess sorted out) And I am using this /etc/ldap.conf on the client which as I've mentioned is centos 5.5 host 192.168.1.44 base ou=staff,ou=Group,dc=summitnjhome,dc=com sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com bindpw secret scope sub pam_password exop nss_base_passwd ou=staff,dc=summitnjhome,dc=com nss_base_shadow ou=staff,dc=summitnjhome,dc=com I am definitely looking forward to an end to this vexing situation. But once again let me state that I genuinely appreciate any time and input you may be able to provide. On Tue, Feb 22, 2011 at 6:02 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, February 22, 2011 5:52 PM -0500 Tim Dunphy > <bluethundr(a)gmail.com> wrote: > >> Hello list, >> >> I am running an openldap 2.4 server under FreeBSD that was working >> well until the config was tweaked by someone on the team without >> properly documenting their work > >> bindpw {crypt}secret > > A few things: > > a) Crypt is non-portable > b) That doesn't look like a valid crypt'd password > c) You're going to need to set a plain text password to bind, regardless > > Try just changing "bindpw" to be "secret" and see what happens. If you want > better security, use SASL/EXTERNAL or SASL/GSSAPI etc. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

2 1

openldap problems authenticating
by Tim Dunphy 22 Feb '11

22 Feb '11

Hello list, I am running an openldap 2.4 server under FreeBSD that was working well until the config was tweaked by someone on the team without properly documenting their work # /usr/local/etc/ldap.con on ldap server (FreeBSD 8.1) host LBSD.summitnjhome.com base dc=summitnjhome,dc=com sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com bindpw {SSHA}secret scope sub pam_password exop nss_base_passwd ou=staff,dc=summitnjhome,dc=com nss_base_shadow ou=staff,dc=summitnjhome,dc=com # grep for ldap account shows ldap account on the ldap server itself succeeds [root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash [root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd [root@LBSD2:/usr/local/etc/openldap] # # /etc/ldap.conf on ldap client (centos 5.5) host LBSD2.summitnjhome.com base dc=summitnjhome,dc=com sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com bindpw {crypt}secret scope sub pam_password exop nss_base_passwd ou=staff,dc=summitnjhome,dc=com nss_base_shadow ou=staff,dc=summitnjhome,dc=com # grep getent passwd for ldap account on the client nothing turns up after a long pause [root@LCENT01:~] #getent passwd | grep walbs [root@LCENT01:~] # # nsswitch on the client passwd: files ldap shadow: files ldap group: files ldap sudoers: ldap #hosts: db files nisplus nis dns hosts: files dns # this is what's going on in the logs on the ldap server during th getent from the #client Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text= Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389) Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128 Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text= Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed #ldap search from the client as the pam services account is able to locate the ldap user info [root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap ,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com' '(uid=walbs)' # extended LDIF # # LDAPv3 # base <dc=summitnjhome,dc=com> with scope subtree # filter: (uid=walbs) # requesting: ALL # # walbs, People, summitnjhome.com dn: uid=walbs,ou=People,dc=summitnjhome,dc=com uid: walbs cn: Walkiria Soares givenName: Walkiria sn: Soares mail: walbs(a)example.com objectClass: inetLocalMailRecipient objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uidNumber: 1002 gidNumber: 1003 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 #pam_ldap services account in the ldap directory 3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com cn: pam_ldap objectClass: top objectClass: inetOrgPerson sn: PAM userPassword: {SSHA}secret I have also tried doing anonymous binds on the client as well as using plain text passwords. I get the same tag=97 err=49 messages on the client either way. This is the ldap software I have on the FreeBSD server: LBSD2# pkg_info | grep -i ldap ldapvi-1.7_2 A tool to update LDAP entries with a text editor openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support openldap-sasl-server-2.4.23 Open source LDAP server implementation pam_ldap-1.8.5 A pam module for authenticating with LDAP And this is what I am using on the Centos 5.5 client: [root@LCENT01:~] #rpm -qa | grep -i ldap python-ldap-2.2.0-2.1 openldap-2.3.43-12.el5_5.3 nss_ldap-253-25.el5 ldapvi-1.7-10.el5 php-ldap-5.1.6-27.el5 openldap-clients-2.3.43-12.el5_5.3 openldap-2.3.43-12.el5_5.3 nss_ldap-253-25.el5 Some advice is sorely needed here. Thank you very kindly in advance! -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

2 1

I've broken my installation
by Stuart Bailey 22 Feb '11

22 Feb '11

Hello, I had a working openldap installation that I was developing some PHP to manage. I'm using the ldap_bind PHP call without username & password, so it is an anonymous bond. I decided to have a clean install to verify everything was ok, so copied my ldap config files, and reinstall on a clean system. the problem is that now the anonymous bind will not work. I turned on all debugging, and found the entry: ... do_bind: v3 anonymous bind in the log. I'm guessing this means that anonymous bind is enabled, but still my PHP code will not bind. I'm not sure where to start to look for the problem. Could someone please point me in the right direction. I can supply logs and configs once I know where to look and what to send. Many thanks, Stuart -- Stuart Bailey BSc (hons) CEng CITP MBCS LinuSoft (Managing Director) Linux Specialist & Software Developer ~~~~~~~~~~~~~~~~~~~~~~~ Phone: (0845) 658 3563 Direct: +44 (0)1953 878162 Fax: +44 (0) 1603 858583 ~~~~~~~~~~~~~~~~~~~~~~~ http://www.linusoft.co.uk http://www.bluetoothadvertising.org.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

2 1

merging local and remote attributes
by Hugo Monteiro 22 Feb '11

22 Feb '11

Hello list, I have been trying to use translucent overlay to merge attributes between a remote and a local server (both 2.4.23). From the slapo-translucent man page i read: "Attributes may be specified as both local and remote if desired." and "In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client." The thing is that if i specify an attribute (objectclass) to be both local and remote, i can only get/search for the local entries. Choosing either separately will work as advertised though. Again, i ask if this is a bug, a subtlety i have missed or this is not supposed to work with objectClass attribute? Please advise, Hugo Monteiro. -- fct.unl.pt:~# cat .signature Hugo Monteiro Email : hugo.monteiro(a)fct.unl.pt Telefone : +351 212948300 Ext.15307 Web : http://hmonteiro.net Divisão de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.fct.unl.pt apoio(a)fct.unl.pt fct.unl.pt:~# _

2 3

Ipad/iPhone ldap setup
by Chris Jackson 21 Feb '11

21 Feb '11

I am having trouble accessing my openldap server over SSL using an iPhone/iPad/iPod Touch using ios 4.2.1. If I check the SSL box in the client setup on the iPhone/iPad/iPod Touch I get an error in the slapd log -- TLS negotiation Failure. With logging level 9 I get TLS accept failure error=-1 id=1. Other clients work fine over SSL/StartTLS. Outlook, addressbook in osX 10.6, jxplorer. I am using openldap 2.4.19-15 on RHEL6 with a comodo wildcard SSL cert. Chris Jackson

2 1

Re: BDB performance issue
by amolkulkarni＠gmx.com 21 Feb '11

21 Feb '11

Hi, I was not certain abt what info to put so I've given below all the info that I could gather. Kindly tell me if you require anything else. openldap = symas-openldap-silver-2.4-12.1 bdb = bundled with symas ( 4.6 ) configuration in slapd.conf *cachesize 427275* *idlcachesize 427275* (there are approx 427275 entries in the db so i've that as the cachesize.) *threads 2* (this is a server which has web applications also running. so we have reduced openldap threads to 2.) *sizelimit 1000 checkpoint 10240 10 lastmod on idletimeout 120 timelimit 360 gentlehup on* in DB_CONFIG, *set_cachesize 0 1985642496 1* (The total size of all .bdb files is 1813643264 bytes) cat /proc/cpuinfo shows 7 cpus. It has 4gb ram and 8gb swap. Thanks and Regards, Amol. ----- Original Message ----- From: Quanah Gibson-Mount Sent: 02/18/11 11:20 PM To: Amol Kulkarni, openldap-technical(a)openldap.org Subject: Re: BDB performance issue --On Friday, February 18, 2011 7:00 AM +0000 Amol Kulkarni <amolkulkarni(a)gmx.com> wrote: > Hi All, > I'm a newbie with bdb - and I have a server not performing well - > openldap shows high cpu usage and iowait of server is high. So I got > stats of bdb but I'm not sure what to make out of it. With help of > google I could see that the basic parameters like requested pages and > locks are ok. But there are other parameters which are suspect. > The output of db_stat -c is as follows : > Are the lines in red really prbs or just side effects ? How do I go abt > it ? Yes, those are definitely issues that need addressing. Unfortunately, you don't really provide any useful information that would help with resolving it. You also completely fail to note: OpenLDAP version BDB version --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Add GSSAPI to RootDSE ?
by Fabien COMBERNOUS 21 Feb '11

21 Feb '11

Hi the list, I want to add a supportedSASLMechanisms in my rootDSE : Today, i have all of this : ldapsearch -LLL -b "" -s base -x '(objectclass=*)' supportedSASLMechanisms dn: supportedSASLMechanisms: NTLM supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: CRAM-MD5 I want to add GSSAPI. To add this i created the following ldif file : cat /tmp/rootDSE dn: changetype: modify add: supportedSASLMechanisms supportedSASLMechanisms: GSSAPI Then with simple autentication (-x) i used my testing olcRootDN to modify the rootDSE : ldapadd -f /tmp/rootDSE -x -D "cn=admin,dc=server,dc=lan" -W Enter LDAP Password: modifying entry "" ldap_modify: Server is unwilling to perform (53) additional info: modify upon the root DSE not supported What i'm missing ? Regards, -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2011