remote credentials for local branch with authz-regexp
by Hugo Monteiro
Hello list,
I'm using translucent in a local server. That same server also has an
extra local database, which is a local-only branch of the remote
database. This database is a subordinate and they glue together well.
Now, for the sake of management, I need to be able to authenticate to the
local database (rootdn) but using credentials from the remote database.
Assuming one has
translucent to remote - dc=example,dc=com
with remote admin user cn=admin,dc=example,dc=com
local - ou=localbranch,dc=example,dc=com
with rootdn admin user cn=admin,ou=localbranch,dc=example,dc=com
I tried the following on the local server
database hdb
suffix "ou=localbranch,dc=example,dc=com"
rootdn "cn=admin,ou=localbranch,dc=example,dc=com"
rootpw "secret"
directory "/var/lib/ldap/ou=localbranch,dc=example,dc=com"
index objectClass,sambaSID eq
lastmod on
authz-regexp
"cn=admin,dc=example,dc=com"
"cn=admin,ou=localbranch,dc=example,dc=com"
access to dn.base="ou=localbranch,dc=example,dc=com"
by * read
access to *
by dn="cn=admin,ou=localbranch,dc=example,dc=com" write
by dn="cn=admin,dc=example,dc=com" write
by * read
subordinate
The credentials used to connect to the remote server have full read-only
access to the remote database.
So the problem is that when I try to authenticate using
cn=admin,dc=example,dc=com to the local database branch, I can see the
bind request being translucently forwarded to the remote server without
using the authz-regexp map.
Any advice is appreciated,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
12 years, 7 months
How can I check ldap is working well?
by Olivier PAVILLA
After upgrading my server (Lenny to Squeeze), something happened:
/var/lib/ldap was empty. Thank you very much, Debian installer :)
I made a new /var/lib/ldap/DB_CONFIG
I restarted ldap with something like this: /etc/init.d/slapd start
I looked at my syslog with tail -f /var/log/syslog
and it contains this:
Feb 23 13:46:13 unverre slapd[4660]: slap_client_connect:
URI=ldaps://coruscan2.dumpsize.fr:636
DN="cn=replicapalpatine,ou=useraccess,dc=dumpsize,dc=fr"
ldap_sasl_bind_s failed (-1)
Feb 23 13:46:13 unverre slapd[4660]: do_syncrepl: rid=008 rc -1 retrying
Feb 23 13:56:13 unverre slapd[4660]: syncrepl_message_to_entry: rid=008
mods check (objectClass: value #4 invalid per syntax)
Feb 23 13:56:13 unverre slapd[4660]: do_syncrepl: rid=008 rc 21 retrying
Feb 23 14:06:13 unverre slapd[4660]: syncrepl_message_to_entry: rid=008
mods check (objectClass: value #4 invalid per syntax)
Feb 23 14:06:14 unverre slapd[4660]: do_syncrepl: rid=008 rc 21 retrying
Can anyone translate this for me?
How can I check that my ldap server is working well?
--
Olivier Pavilla << I am looking for work. Currently job-seeking. >>
S.C.I.R.C. Orléans (Bourgogne) - I.U.F.M. Centre-Val de Loire
72 Rue du Faubourg Bourgogne -45044 ORLEANS Cedex 1
Tel : 02-38-49-26-20 , mailto:olivier.pavilla@univ-ørleans.fr
http://blog.linux-squad.com - my masterpiece.
12 years, 7 months
authzTo now X-ORDERED?
by Michael Ströder
Hi!
I'm trying to configure proxy authz with 2.4.24 without luck testing with
ldapwhoami -X.
Now I wonder if attribute 'authzTo' is now handled as X-ORDERED [1].
Unfortunately the subschema subentry does not contain an attribute type
description for 'authzTo'. The server adds the prefix "{0}" to my authzTo
attribute value.
Ciao, Michael.
[1] http://tools.ietf.org/html/draft-chu-ldap-xordered-00
12 years, 7 months
Re: openldap problems authenticating
by Tim Dunphy
Hey guys
I took Quanah's advice and put the clear text password into
/etc/ldap.conf on the client.
I also noticed that the user account it was looking for was of the
posixAccount class, and I was missing nis.schema. So I added
nis.schema to slapd.conf and restarted slapd, and I was seeing the same
pattern: ldapsearches on the client were working just as they were
before and getents on the client were not. But I was seeing a new
error in the logs at this point:
Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SRCH
base="ou=staff,dc=summitnjhome,dc=com" scope=2 deref=0
filter="(objectClass=posixAccount)"
Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: activity on 1 descriptor
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: activity on:
Feb 23 01:16:45 LBSD2 slapd[52517]: 12r
Feb 23 01:16:45 LBSD2 slapd[52517]:
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: read activity on 12
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 23 01:16:45 LBSD2 slapd[52517]: connection_read(12): input
error=-2 id=1471, closing.
Feb 23 01:16:45 LBSD2 slapd[52517]: connection_closing: readying
conn=1471 sd=12 for close
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: activity on 1 descriptor
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: waked
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 23 01:16:45 LBSD2 slapd[52517]: daemon: removing 12
Which from what I've googled means basically "object not found".
Now just to clarify a point of possible confusion... my user accounts
are unix posixAccounts that were migrated using the padl tools. Here's
what one of the user accounts looks like:
43 uid=bluethundr,cn=summitnjops,ou=staff,ou=Group,dc=summitnjhome,dc=com
uid: bluethundr
cn: Timothy P. Dunphy
givenName: Timothy P.
sn: Dunphy
mail: bluethundr(a)gmail.com
mailRoutingAddress: bluethundr(a)mail.summitnjhome.com
mailHost: mail.summitnjhome.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: ldapPublicKey
uidNumber: 1001
gidNumber: 10000
homeDirectory: /home/bluethundr
gecos: Timothy Dunphy
loginShell: /bin/bash
sshPublicKey: ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDQ0zYn6FhQ1lKnvQ1K1GbXh8hdsXlXnnUYjLcNUqv7uMjjy0xDv03bnPU0Iyl1HcQcVFYPgcjB7mo3FZjZHd9bsHRwnY688FjPv/xE78+B
M8aDTuzb6czVA1X9ztc6Y6eNGYy1U4b3dseVFS+L2APkjaV5/RYPRH4mxJ8aNnrf+APaZvjtwPPEnxZST58QYdwtBvalLbgpDRTmGHrSEP2bJvUSR+iS3zC9xp90R0hFSVjd6jauXcxhkFLyG0nnmjc5sS5271
uxsXTfVFC1bHBasXL5ITFS63SpZErDWIVNwfVoR2tentddD6qJFd5ewTojRFDua3iqU4EJUl80RjmF
bluethundr(a)LCENT01.summitnjhome.com
sshPublicKey: ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDlhRvFkT6wUAR3jw2h2Z0KV2/WsHPFkuXBD1BgzOQfR+PFhZDnt/zp44cLGwxa55RKEtFC+n/sjgmj99hKbn+0pPlGUGDuGqmWtMG45s+S
oDm9pRd8uzFccNYDLQ3POhfD2EbOarR45m7X42r821YO3ZeWnn3E1rCHarXrHXFX13sp9Jh8htNlWBCEjvs37S8VC9v5XW95BY8rhqrDGJrobmzDplUlHjgYjyBWx/BQxxgvmqQfKyS8i26+IelHcqRT5cgCSU
bFlPR3ouVu8eAgIE6gwKTuElIaTwJQ4QjBlaGaohEQRei0FWsfb7EzH1ikE34gJTdoaSnozU9MWc+f
tim@dunphy
userPassword: {CRYPT}crHJs4YTxefJE
I am trying to search the directory using the pam_ldap account which
is an inetOrgPerson account and looks like this:
3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}Cbk8VNyWQsXNmqt6n9GYDRcR0cnuA2sJ
This command does find the bluethundr account:
ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D
'cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b
'dc=summitnjhome,dc=com' '(uid=bluethundr)'
(currently I'm not using TLS until I get this mess sorted out)
And I am using this /etc/ldap.conf on the client which as I've
mentioned is centos 5.5
host 192.168.1.44
base ou=staff,ou=Group,dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
I am definitely looking forward to an end to this vexing situation.
But once again let me state that I genuinely appreciate any time and
input you may be able to provide.
On Tue, Feb 22, 2011 at 6:02 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, February 22, 2011 5:52 PM -0500 Tim Dunphy
> <bluethundr(a)gmail.com> wrote:
>
>> Hello list,
>>
>> I am running an openldap 2.4 server under FreeBSD that was working
>> well until the config was tweaked by someone on the team without
>> properly documenting their work
>
>> bindpw {crypt}secret
>
> A few things:
>
> a) Crypt is non-portable
> b) That doesn't look like a valid crypt'd password
> c) You're going to need to set a plain text password to bind, regardless
>
> Try just changing "bindpw" to be "secret" and see what happens. If you want
> better security, use SASL/EXTERNAL or SASL/GSSAPI etc.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
12 years, 7 months
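A worked example, added here and not code from either message in this thread: how an RFC 2307-style {SSHA} userPassword value such as the pam_ldap entry's is built and verified. The point Quanah makes above shows up in the last two checks: `bindpw` in ldap.conf is the cleartext the client sends in its simple bind, while `userPassword` holds the server-side verifier, so copying the `{SSHA}...` or `{crypt}...` string into `bindpw` sends a literal that can never match and comes back as err=49. All function names are mine; the fixed salt exists only so that the result is reproducible.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# '{SCHEME}data' as stored in userPassword (RFC 2307 convention).
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64( SHA-1(password || salt) || salt ).
    A random 8-byte salt is used unless one is supplied (fixed salts are
    only for reproducible examples, never for real entries)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split '{SCHEME}data' into (SCHEME, data); no prefix means cleartext."""
    m = SCHEME_RE.match(value)
    if not m:
        return ("CLEARTEXT", value)
    return (m.group(1).upper(), m.group(2))


def ssha_parts(data: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from the base64 part of an {SSHA} value.
    A SHA-1 digest is 20 bytes; whatever follows it is the salt."""
    raw = base64.b64decode(data)
    if len(raw) < 20:
        raise ValueError("{SSHA} value shorter than a SHA-1 digest")
    return raw[:20], raw[20:]


def check_userpassword(stored: str, candidate: str) -> bool:
    """Verify a candidate the way a server does: recompute the verifier
    from the stored salt and compare in constant time."""
    scheme, data = parse_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode("utf-8"), pw)
    if scheme == "SSHA":
        digest, salt = ssha_parts(data)
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(data))
    # {CRYPT} depends on the platform's crypt(3) and is not portable, and the
    # MD5-based schemes are weak, so none of them is accepted here.
    raise ValueError("unsupported userPassword scheme {%s}" % scheme)


if __name__ == "__main__":
    stored = make_ssha("secret")
    print("userPassword:", stored)
    print("client sends 'secret'   ->", check_userpassword(stored, "secret"))
    print("client sends the hash   ->", check_userpassword(stored, stored))
```

The second line printed is the situation in the thread: a client configured with the hashed value as `bindpw` presents that string as its password, and the server's recomputation can never equal it.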
openldap problems authenticating
by Tim Dunphy
Hello list,
I am running an openldap 2.4 server under FreeBSD that was working
well until the config was tweaked by someone on the team without
properly documenting their work
# /usr/local/etc/ldap.conf on ldap server (FreeBSD 8.1)
host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# grep for ldap account shows ldap account on the ldap server itself succeeds
[root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
[root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
[root@LBSD2:/usr/local/etc/openldap] #
# /etc/ldap.conf on ldap client (centos 5.5)
host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {crypt}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# grep getent passwd for the ldap account on the client: nothing turns up
after a long pause
[root@LCENT01:~] #getent passwd | grep walbs
[root@LCENT01:~] #
# nsswitch on the client
passwd: files ldap
shadow: files ldap
group: files ldap
sudoers: ldap
#hosts: db files nisplus nis dns
hosts: files dns
# this is what's going on in the logs on the ldap server during the
getent from the client
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from
IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND
dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
#ldap search from the client as the pam services account is able to
locate the ldap user info
[root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap
,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com'
'(uid=walbs)'
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (uid=walbs)
# requesting: ALL
#
# walbs, People, summitnjhome.com
dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
uid: walbs
cn: Walkiria Soares
givenName: Walkiria
sn: Soares
mail: walbs(a)example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 1003
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
#pam_ldap services account in the ldap directory
3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}secret
I have also tried doing anonymous binds on the client as well as using
plain text passwords. I get the same tag=97 err=49 messages on the
client either way.
This is the ldap software I have on the FreeBSD server:
LBSD2# pkg_info | grep -i ldap
ldapvi-1.7_2 A tool to update LDAP entries with a text editor
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5 A pam module for authenticating with LDAP
And this is what I am using on the Centos 5.5 client:
[root@LCENT01:~] #rpm -qa | grep -i ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
ldapvi-1.7-10.el5
php-ldap-5.1.6-27.el5
openldap-clients-2.3.43-12.el5_5.3
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
Some advice is sorely needed here. Thank you very kindly in advance!
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
12 years, 7 months
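Added example (my code, not from any message on this page): a small triage parser for slapd log lines of the kinds shown in Olivier Pavilla's syncrepl post above and in Tim Dunphy's two messages. It pairs each conn/op request with its RESULT so the failing bind DN or search base sits next to the error code, decodes the codes seen in those posts (49 invalidCredentials, 32 noSuchObject, 21 invalidAttributeSyntax, -1 client-side server down) and attaches the preceding syncrepl detail line to each retry. The sample lines are copied from the posts, rejoined where the archive wrapped them; the hints are my reading of what those codes usually mean in this setting, not slapd output.

```python
import re

# LDAP result codes (RFC 4511) seen in the threads above, plus the client-side
# -1 (LDAP_SERVER_DOWN) libldap reports when a connection or TLS handshake
# never completes.
RESULT_CODES = {
    0: "success",
    -1: "serverDown (client side: connect or TLS handshake failed)",
    21: "invalidAttributeSyntax",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Practitioner hints; these are my reading of the codes, not slapd text.
HINTS = {
    -1: "consumer could not reach or negotiate TLS with the provider URI",
    21: "provider sent an entry the consumer cannot validate, usually a missing schema",
    32: "the base DN or entry named in the request does not exist on this server",
    49: "wrong password, or a hashed/prefixed value sent where cleartext is expected",
}

BIND_METHODS = {128: "simple", 163: "sasl"}   # LDAP_AUTH_SIMPLE / LDAP_AUTH_SASL

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=\d+ err=(-?\d+)(?: nentries=\d+)? text=(.*)$")
SYNC_RETRY_RE = re.compile(r"do_syncrepl: rid=(\d+) rc (-?\d+) retrying")
SYNC_BIND_RE = re.compile(r'slap_client_connect: URI=(\S+) DN="([^"]*)" ldap_sasl_bind_s failed \((-?\d+)\)')
SYNC_MODS_RE = re.compile(r"syncrepl_message_to_entry: rid=\d+ mods check \((.*)\)")

# Copied from the posts above (syslog wrapping undone); not fresh data.
SAMPLE_LOG = [
    'Feb 23 13:46:13 unverre slapd[4660]: slap_client_connect: URI=ldaps://coruscan2.dumpsize.fr:636 DN="cn=replicapalpatine,ou=useraccess,dc=dumpsize,dc=fr" ldap_sasl_bind_s failed (-1)',
    'Feb 23 13:46:13 unverre slapd[4660]: do_syncrepl: rid=008 rc -1 retrying',
    'Feb 23 13:56:13 unverre slapd[4660]: syncrepl_message_to_entry: rid=008 mods check (objectClass: value #4 invalid per syntax)',
    'Feb 23 13:56:13 unverre slapd[4660]: do_syncrepl: rid=008 rc 21 retrying',
    'Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389)',
    'Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128',
    'Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=',
    'Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND',
    'Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SRCH base="ou=staff,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(objectClass=posixAccount)"',
    'Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass',
    'Feb 23 01:16:45 LBSD2 slapd[52517]: conn=1471 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=',
]


def triage(lines):
    """Correlate request and RESULT lines per (conn, op) and collect syncrepl
    retry reasons. Returns {"ops": [...], "syncrepl": [...]}."""
    pending = {}      # (conn, op) -> what the client asked for
    ops, sync = [], []
    context = None    # last syncrepl detail line, attached to the next retry
    for line in lines:
        m = OP_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            rest = m.group(3)
            b, s, r = BIND_RE.match(rest), SRCH_RE.match(rest), RESULT_RE.match(rest)
            if b:
                method = BIND_METHODS.get(int(b.group(2)), b.group(2))
                pending[key] = "BIND %s as %s" % (method, b.group(1) or "<anonymous>")
            elif s:
                pending[key] = "SRCH base=%s scope=%s filter=%s" % s.groups()
            elif r:
                err = int(r.group(1))
                request = pending.pop(key, "<request not in log window>")
                if err != 0:
                    ops.append({"conn": key[0], "op": key[1], "err": err,
                                "name": RESULT_CODES.get(err, "unknown"),
                                "hint": HINTS.get(err, ""),
                                "request": request, "text": r.group(2).strip()})
            continue
        m = SYNC_BIND_RE.search(line)
        if m:
            context = "bind to %s as %s failed (%s)" % m.groups()
            continue
        m = SYNC_MODS_RE.search(line)
        if m:
            context = m.group(1)
            continue
        m = SYNC_RETRY_RE.search(line)
        if m:
            rc = int(m.group(2))
            sync.append({"rid": m.group(1), "rc": rc,
                         "name": RESULT_CODES.get(rc, "unknown"),
                         "hint": HINTS.get(rc, ""), "detail": context})
            context = None
    return {"ops": ops, "syncrepl": sync}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["ops"]:
        print("conn=%d op=%d err=%d %s <- %s | %s"
              % (f["conn"], f["op"], f["err"], f["name"], f["request"], f["hint"]))
    for f in result["syncrepl"]:
        print("syncrepl rid=%s rc=%d %s: %s | %s"
              % (f["rid"], f["rc"], f["name"], f["detail"], f["hint"]))
```

Run against a real log it is worth feeding only the lines for one conn= or one rid= at a time; the correlation relies on the request line preceding its RESULT within the window you pass in.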
I've broken my installation
by Stuart Bailey
Hello,
I had a working openldap installation that I was developing some PHP to
manage. I'm using the ldap_bind PHP call without username & password, so it is
an anonymous bind.
I decided to do a clean install to verify everything was ok, so I copied my
ldap config files and reinstalled on a clean system.
The problem is that now the anonymous bind will not work. I turned on all
debugging and found the entry:
... do_bind: v3 anonymous bind
in the log. I'm guessing this means that anonymous bind is enabled, but still
my PHP code will not bind.
I'm not sure where to start to look for the problem.
Could someone please point me in the right direction. I can supply logs and
configs once I know where to look and what to send.
Many thanks,
Stuart
--
Stuart Bailey BSc (hons) CEng CITP MBCS
LinuSoft (Managing Director)
Linux Specialist & Software Developer
~~~~~~~~~~~~~~~~~~~~~~~
Phone: (0845) 658 3563
Direct: +44 (0)1953 878162
Fax: +44 (0) 1603 858583
~~~~~~~~~~~~~~~~~~~~~~~
http://www.linusoft.co.uk
http://www.bluetoothadvertising.org.uk
12 years, 7 months
merging local and remote attributes
by Hugo Monteiro
Hello list,
I have been trying to use the translucent overlay to merge attributes
between a remote and a local server (both 2.4.23).
From the slapo-translucent man page I read:
"Attributes may be specified as both local and remote if desired."
and
"In any case, both the local and remote entries corresponding to a
search result will be merged before being returned to the client."
The thing is that if I specify an attribute (objectClass) to be both
local and remote, I can only get/search for the local entries. Choosing
either separately will work as advertised though.
Again, I ask if this is a bug, a subtlety I have missed, or whether this is not
supposed to work with the objectClass attribute?
Please advise,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
12 years, 7 months
Ipad/iPhone ldap setup
by Chris Jackson
I am having trouble accessing my openldap server over SSL using an iPhone/iPad/iPod Touch running iOS 4.2.1. If I check the SSL box in the client setup on the iPhone/iPad/iPod Touch I get an error in the slapd log: TLS negotiation failure. With logging level 9 I get TLS accept failure error=-1 id=1.
Other clients work fine over SSL/StartTLS: Outlook, Address Book in OS X 10.6, jxplorer.
I am using openldap 2.4.19-15 on RHEL6 with a comodo wildcard SSL cert.
Chris Jackson
12 years, 7 months
Re: BDB performance issue
by amolkulkarni@gmx.com
Hi,
I was not certain about what info to put, so I've given below all the info that I could gather. Kindly tell me if you require anything else.
openldap = symas-openldap-silver-2.4-12.1
bdb = bundled with symas ( 4.6 )
configuration in slapd.conf
cachesize 427275
idlcachesize 427275
(there are approx 427275 entries in the db so I've set that as the cachesize.)
threads 2
(this is a server which has web applications also running, so we have reduced openldap threads to 2.)
sizelimit 1000
checkpoint 10240 10
lastmod on
idletimeout 120
timelimit 360
gentlehup on
in DB_CONFIG,
set_cachesize 0 1985642496 1
(The total size of all .bdb files is 1813643264 bytes)
cat /proc/cpuinfo shows 7 cpus.
It has 4gb ram and 8gb swap.
Thanks and Regards,
Amol.
----- Original Message -----
From: Quanah Gibson-Mount
Sent: 02/18/11 11:20 PM
To: Amol Kulkarni, openldap-technical(a)openldap.org
Subject: Re: BDB performance issue
--On Friday, February 18, 2011 7:00 AM +0000 Amol Kulkarni <amolkulkarni(a)gmx.com> wrote:

> Hi All,
> I'm a newbie with bdb - and I have a server not performing well -
> openldap shows high cpu usage and iowait of server is high. So I got
> stats of bdb but I'm not sure what to make out of it. With help of
> google I could see that the basic parameters like requested pages and
> locks are ok. But there are other parameters which are suspect.
> The output of db_stat -c is as follows :
> Are the lines in red really problems or just side effects ? How do I go about
> it ?

Yes, those are definitely issues that need addressing. Unfortunately, you
don't really provide any useful information that would help with resolving
it. You also completely fail to note:

OpenLDAP version
BDB version

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
12 years, 7 months
Add GSSAPI to RootDSE ?
by Fabien COMBERNOUS
Hi list,
I want to add a supportedSASLMechanisms value to my rootDSE.
Today, I have all of this:
ldapsearch -LLL -b "" -s base -x '(objectclass=*)' supportedSASLMechanisms
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
I want to add GSSAPI. To add this I created the following ldif file:
cat /tmp/rootDSE
dn:
changetype: modify
add: supportedSASLMechanisms
supportedSASLMechanisms: GSSAPI
Then with simple authentication (-x) I used my testing olcRootDN to
modify the rootDSE:
ldapadd -f /tmp/rootDSE -x -D "cn=admin,dc=server,dc=lan" -W
Enter LDAP Password:
modifying entry ""
ldap_modify: Server is unwilling to perform (53)
additional info: modify upon the root DSE not supported
What am I missing?
Regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group
12 years, 7 months
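slapd computes supportedSASLMechanisms at run time from the mechanisms the Cyrus SASL library can load; it is not stored anywhere a modify can reach, which is what the unwillingToPerform above reports. GSSAPI shows up once the Cyrus GSSAPI plugin is installed and slapd can read a keytab, not by editing the rootDSE. As an added example (mine, not the poster's), the block below reads the rootDSE output quoted above with a minimal LDIF parser and grades the advertised list, since all three mechanisms the server currently offers are MD5- or NTLM-based. The classification table and the "after" LDIF are my own constructions.

```python
import base64

# Mechanisms flagged as weak and why. My classification, based on RFC 6331
# (DIGEST-MD5 moved to Historic), RFC 6151 (MD5 weaknesses) and the fact
# that PLAIN/LOGIN carry the password itself and NTLM derives from a weak hash.
WEAK_MECHS = {
    "CRAM-MD5": "MD5-based challenge/response; obsolete",
    "DIGEST-MD5": "moved to Historic status by RFC 6331",
    "NTLM": "Windows NTLM challenge/response; weak and not an LDAP standard mechanism",
    "PLAIN": "sends the cleartext password; only acceptable inside TLS",
    "LOGIN": "sends the cleartext password; only acceptable inside TLS",
    "ANONYMOUS": "no authentication at all",
}
STRONG_MECHS = {"GSSAPI", "GS2-KRB5", "EXTERNAL", "SCRAM-SHA-1", "SCRAM-SHA-256"}

# rootDSE output copied from the post above (ldapsearch -LLL -b "" -s base -x ...)
ROOTDSE_BEFORE = """\
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
"""

# Constructed: the same query once GSSAPI and EXTERNAL are the only
# mechanisms Cyrus SASL offers to slapd.
ROOTDSE_AFTER = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output: one dict per entry mapping
    lower-cased attribute names to lists of values. Handles comments,
    folded lines and '::' base64 values."""
    entries, current = [], None
    for line in unfold_ldif(text) + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def assess_sasl_mechs(rootdse):
    """Grade the mechanism list a server advertises in its rootDSE.
    'ok' means at least one strong mechanism and nothing weak on offer."""
    mechs = [m.upper() for m in rootdse.get("supportedsaslmechanisms", [])]
    weak = {m: WEAK_MECHS[m] for m in mechs if m in WEAK_MECHS}
    strong = [m for m in mechs if m in STRONG_MECHS]
    return {"advertised": mechs, "weak": weak, "strong": strong,
            "ok": bool(strong) and not weak}


if __name__ == "__main__":
    for label, text in (("before", ROOTDSE_BEFORE), ("after", ROOTDSE_AFTER)):
        report = assess_sasl_mechs(parse_ldif(text)[0])
        print(label, "ok" if report["ok"] else "weak: " + ", ".join(report["weak"]))
```

Once the unwanted mechanism plugins are removed from Cyrus SASL's plugin directory and the GSSAPI plugin plus keytab are in place, the same ldapsearch should return the "after" shape, and the check passes without any change to slapd's own configuration.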