seeking guidance with back-shell setup
by Elle Y Suzuki
hello,
my thunderbird does not appear to be using back-shell's searchexample.sh..?
i have compiled openldap on a desktop windows xp machine with the
back-shell backend enabled without threads.
slapd.conf is configured as suggested in the file searchexample.conf at
http://tinyurl.com/47t9ets. i have added the file searchexample.sh from
http://tinyurl.com/4823rtf in the appropriate directory. i start up slapd,
/usr/local/libexec/slapd -d 256 -h ldap://localhost
and it appears to fire up:
$ /usr/local/libexec/slapd -d 256 -h ldap://localhost
@(#) $OpenLDAP: slapd 2.4.24 (Feb 14 2011 09:29:58)
.
.
.
WARNING: No dynamic config support for database shell.
slapd starting
i configured thunderbird with a localhost ldap directory server
(localhost, port 389), leaving 'base dn' and 'bind dn' blank.
in attempting to test this searchexample.sh script, i open a new message
and type an entry that i know appears in the /etc/passwd file. i see
output in my cygwin window that is running slapd with lines including
"BIND", "SRCH", "SEARCH RESULT", etc., but the tbird compose message
window's "To:" field shows a "<LDAP server search problem>" which, when i
click on it, produces a pop-up with
"Error code 32: No such object
Verify that the Base DN is correct, and then try again, or else contact
your System Administrator. To verify that the Base DN is correct, from
the Edit menu, choose Preferences, then choose Mail & Newsgroups, and
then choose Addressing. Click Edit Directories, and select the LDAP
server being used. Click Edit to display the Base DN."
however, if i were to include 'base dn' info in tbird, slapd output
reports a 'fatal error' with a stack trace.
meanwhile, the slapd output is as follows:
conn=1002 op=3 SRCH base="" scope=2 deref=0
filter="(|(cn=suzuki*)(mail=suzuki*)(sn=suzuki*))"
conn=1002 op=3 SRCH attr=cn mail
conn=1002 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
several questions arise:
1. should 'base dn' and/or 'bind dn' in tbird remain blank for localhost
ldap?
2. aside from what is noted in searchexample.conf above, are any of the
other lines necessary in slapd.conf (rootdn, index, directory -- slapd
complains if directory is made available, despite the referenced file
existing).
3. what else can i do to get tbird to make use of the searchexample.sh
file and report as such in the slapd output?
4. in running slapd, i see the message,
"WARNING: No dynamic config support for database shell"
From this (similar) thread,
http://tinyurl.com/457tra6
do i understand correctly that i should still be able to utilize a shell
backend, then?
my current goal is the following: get slapd to run with a shell backend
and thunderbird on my local desktop. our team's overall goal is to
enable this setup on a linux server: we'd like to eliminate our ldap
server and utilize this slapd+back-shell mechanism to access our oracle
db for our ldap clients. once we are able to get this all working with
back-shell, we'd like to replace the shell role with php scripts. any
guidance on this task in general is greatly appreciated.
my apologies in advance for any silly questions: i am new to playing
with (open)ldap, and have been staring at this problem for much too long.
thank you in advance.
12 years, 9 months
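An added example in POSIX sh, not the searchexample.sh from the OpenLDAP tree and not code from this thread, showing what a back-shell search script receives and must answer: it parses the suffix:/base:/filter: lines slapd writes to its stdin, answers a base outside the suffix with code 32 (the noSuchObject seen above) instead of entries, and restricts the login pulled out of the filter to plain login characters before it reaches grep, because the filter is client-supplied and anonymous clients can send it. The passwd-style lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not the searchexample.sh shipped with OpenLDAP.
# A back-shell SEARCH handler: slapd writes "TAG: VALUE" lines to stdin
# (suffix:, base:, scope:, filter:, ...) and expects LDIF entries, a blank
# line after each, then "RESULT" / "code: N" on stdout.

# Constructed passwd-style data standing in for /etc/passwd.
PASSWD_DATA='root:x:0:0:root:/root:/bin/sh
suzuki:x:1001:1001:Elle Suzuki:/home/suzuki:/bin/sh
carneiro:x:1130:1130:Leonardo Carneiro:/home/carneiro:/bin/sh'

# Pull the cn value out of a filter such as
# "(|(cn=suzuki*)(mail=suzuki*)(sn=suzuki*))" and keep only login
# characters: the filter comes from the client, so nothing else may
# reach the grep pattern used below.
login_from_filter() {
    printf '%s' "$1" | sed -n 's/.*(cn=\([^*)]*\).*/\1/p' | tr -cd 'A-Za-z0-9._-'
}

# Read one request from stdin, write entries and RESULT to stdout.
handle_search() {
    base=""; suffix=""; filter=""
    while read -r tag value; do
        case "$tag" in
            suffix:) suffix=$value ;;
            base:)   base=$value ;;
            filter:) filter=$value ;;
        esac
    done
    # Only the suffix itself, something below it, or an empty base (what a
    # client with no Base DN configured sends) can exist in this database;
    # anything else gets noSuchObject (code 32) and no entries.
    case "$base" in
        ""|"$suffix"|*",$suffix") ;;
        *) printf 'RESULT\ncode: 32\nmatched: %s\n' "$suffix"; return 0 ;;
    esac
    login=$(login_from_filter "$filter")
    if [ -n "$login" ]; then
        # An empty base is answered with entries placed under the suffix.
        printf '%s\n' "$PASSWD_DATA" | grep -i "^$login:" |
            awk -F: -v base="${base:-$suffix}" '{
                printf("dn: cn=%s,%s\ncn: %s\nsn: %s\nuid: %s\n\n", $1, base, $1, $1, $1)
            }'
    fi
    printf 'RESULT\ncode: 0\n'
}
```

Run it the way slapd would, by piping a request into handle_search; the same script is what slapd.conf's "search" directive would point at.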
ldap design
by Hendrik van der Ploeg
Hello People,
I'm not sure what design I need to use for openldap.
This is the situation:
We have 1200+ customers using LDAP. We want to replicate all these ldap
servers to 1 big ldap server in a datacentre with a multi-master config.
So all the customers are master ldap servers which replicate to the datacentre.
My idea was to build an ldap cluster of about 4 servers in the datacentre.
My question is:
Will this be stable, given that there will be 1200+ ldap servers replicating
to 4 ldap servers in the datacentre?
I know this depends on the number of write actions at the customers. All I
can say is that the write actions at the customers aren't THAT many.
I really hope somebody can give me an answer or maybe there's somebody
else with the same config
Best Regards
--
Hendrik van der Ploeg
ldap not responding
by Prathyush
Hi,
Will a huge slapd.log cause the slapd service to hang?
--
Regards,
Prathyush
search LDAP back-sql entry with two objectclasses (structural and auxiliary)
by Andreas Härtel
Hello,
I am running an LDAP server on a debian system with a mySQL database as
backend.
slapd-version:
$OpenLDAP: slapd 2.4.11 (Jul 24 2010 08:14:20)
$@murphy:/build/buildd-openldap_2.4.11-1+lenny2-i386-H5BDjb/openldap-2.4.11/debian/build/servers/slapd
mysql-version:
mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using
readline 5.2
Everything is running fine if I am searching the LDAP tree for data
containing only one objectClass (inetOrgPerson). Now I have added a second
auxiliary objectClass (mozillaAbPersonAlpha) to my data via the
ldap_entry_objclasses table in the mySQL database, but a search only
returns the three inetOrgPerson fields I have set:
ldapsearch -LLL -s sub -b 'ou=contacts,ou=contacts,dc=...' 'objectclass=*' -D 'cn=USER' -w unsafe-password -x
dn: ou=contacts,ou=contacts,dc=...
objectClass: organizationalUnit
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
ou: contacts
dn: cn=Name Firstname,ou=contacts,ou=contacts,dc=...
objectClass: inetOrgPerson
cn: Name Firstname
sn: Name
givenName: Firstname
If I switch the dependency in the ldap_entries table from inetOrgPerson
to the mozilla schema, I get the mozilla fields but - e.g. in
phpldapadmin - I cannot see any data (nor in my thunderbird
addressbook). My opinion: the mozilla schema is not structural.
Perhaps this old mailing-list entry gives an answer but, for me, no
solution:
http://www.openldap.org/lists/openldap-software/200403/msg00303.html
Hope someone has an idea about this problem ... !?
Thanks a lot,
Andreas
My /etc/ldap/slapd.conf file (parts of it):
#################################################################
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/extension.schema
include /etc/ldap/schema/mozillaAbPersonAlpha.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_sql
sizelimit 500
tool-threads 1
backend hdb
backend sql
database sql
suffix "ou=contacts,ou=contacts,dc=...
dbname contacts
dbhost localhost
dbuser myuser
dbpasswd mypassword
lastmod off
has_ldapinfo_dn_ru no
upper_func "upper"
access to dn.subtree="ou=contacts,ou=contacts,dc=...
by dn="cn=admin,dc=..." peername.ip=127.0.0.1 write
by dn="cn=user" read
by * none
#################################################################
I thought about attaching my database entries but this could be too long.
If there are questions about them, please let me know.
Re: ldap auth does not work after openldap upgrade
by Andrew Findlay
On Tue, Feb 15, 2011 at 02:13:40PM -0200, Leonardo Carneiro wrote:
> To: Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>
Please keep replies on the list so that other people can
benefit from the discussion in future.
> > Aha! How many entries did that search return? Was it about the same
> > number that you would expect given your users and groups?
> yep. they are all there.
> > Did you previously have the LDAP server set up to refuse data to
> > anonymous users?
> No, it could bind as anonymous and read any data.
In that case leave the database alone: the problem is in the
configuration. Please post the slapd config. We need to see
all of it except for any passwords.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
Autogroup strange behaviour
by Luca Scamoni
Hi,
I'm using autogroup overlay (OpenLDAP 2.4.23, autogroup v. 1.2.2.11
but the behaviour was the same with 1.2.2.6) and I'm facing a strange
situation.
Operations performed using openldap client tools work as expected. The
same operations performed using a java client do not.
I've restricted the problematic operations to modifications of existing
entries. Using attached slapd.conf and ldap.ldif it's quite simple to
reproduce it.
Using openldap ldapmodify client:
cn=user2,ou=people,dc=example,dc=com
add: description
description: test
modifies the entry AND triggers an autogroup modify operation on group
cn=description, adding user2 as a member of the group (see slapd.log.ok.add).
The same operation performed with JExplorer modifies the entry but does
NOT trigger the autogroup modification (see slapd.log.java.add).
I've compared the two logs and the overlay-related modifications are
completely skipped in the java client test.
Does anyone have an explanation?
Note: adding a new entry or deleting an existing one (if it matches any
of the criteria in memberUrl) works even with Jexplorer.
thanks
--
Luca Scamoni
Gruppo Partners Associates
Tel. Milano +39 02 67380435 - Udine +39 0432 689815 - Roma +39 06 54832300
Fax Milano +39 02 67386214 - Udine +39 0432 570120 - Roma +39 06 91659273
Cell. +39 348 0471710
Email: Luca.Scamoni(a)GruppoPA.it <mailto:Luca.Scamoni@GruppoPA.it>
Sito: www.GruppoPA.it <http://www.GruppoPA.it>
Think about the environment before printing
slapd.conf for proxy to AD
by Del
Hi,
Like a lot of people I guess, I'm having trouble configuring slapd to work as a proxy server in
front of Microsoft's Active Directory. AD in this case is configured to refuse to allow
anonymous searches but I want to allow anonymous searches on the proxy. Therefore the
configuration I'm hoping for is:
* Anonymous binds to slapd get translated into an authenticated bind to AD.
* Authenticated binds to slapd have their credentials (DN and password) passed through to AD.
Here's what I have so far, based on the documentation. I'm using slapd.conf rather than the
new conf.d directory based config, and I'm currently running openldap 2.4.19:
--
database ldap
chase-referrals no
suffix "MY-AD-SUFFIX-HERE"
uri "ldaps://MY-AD-SERVER-HERE/"
cancel abandon
acl-bind bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD"
idassert-bind bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD"
mode=legacy flags=non-prescriptive
idassert-authzFrom "dn.regex:.*"
access to * by * read
--
You can assume I've used valid bind DNs, suffixes, server names and passwords in the places
where I've resorted to capitals above. I've tested these binds from the command line directly
against the AD server and they all work.
I have tested the above on OpenLDAP 2.3; it works for anonymous binds if and only if a
successful authenticated bind is done first. The same was reported in this post:
http://www.openldap.org/lists/openldap-technical/200907/msg00043.html
In OpenLDAP 2.4 it fails to recognise the idassert-bind completely; all attempts at anonymous
bind seem to fail. A similar problem was reported while upgrading from 2.3.11 to 2.3.27, here:
http://www.openldap.org/lists/openldap-software/200701/msg00055.html
Am I using the correct configuration directives to achieve what I want, and if not what should
I be using?
Thanx,
--
Del
ldap auth does not work after openldap upgrade
by Leonardo Carneiro
Hello everyone,
I upgraded my debian machine from lenny to squeeze (the new stable)
that comes with samba 3.5.6 and openldap 2.4.23. this machine works
primarily as a PDC.
i have 3 services authenticating on ldap: samba, apache and redmine.
samba is acting very weird, but it's kinda working; redmine and
apache aren't working at all.
these services do bind to the server, but they cannot find the users.
also, i cannot execute ldapsearches via CLI. plus, in bash, when i
try to change to some user other than root (eg: lscarneiro), the
system does not recognize the user:
fileserver:~# su - lscarneiro
I have no name!@fileserver:~$ whoami
whoami: cannot find name for user ID 1130
i'm very VERY noob on ldap and don't know exactly what kind of info i
should give to you guys to get some help. any help is very welcome
big company with different affiliates, how to integrate?
by Pieter Baele
How would you integrate several companies with one mother company?
(where our Linux team and IT is part of)
We need to implement different OpenLDAP servers because of
policies...yeaha... ;-)
But I'm not sure how to do this.
My opinion:
Each company needs its own pair of multi-master LDAP servers (for HA).
Each LDAP server pair belongs to one of the affiliates and there has
to be a 'chinese wall' between those (if possible).
Of course it should not be possible for employees from company A to
authenticate through the LDAP server of company B.
Except for esx, kvm and other virtualization hosts, each server also
belongs to only 1 of these subcompanies.
But for me and other admins it should be possible to access and manage
all servers using the same password and tooling (like puppet with LDAP...).
My idea was some combination of chaining, proxy... (or other overlays).
We could use the LDAP server of the mother company as the last part of
some chain.
The DIT / right structure is also still an issue for me (I'm not an LDAP expert)
Other nice to haves are some AD integration and kerberos, but this has
nothing to do with my question :-)
--
Sincerely,
Pieter Baele
www.pieterb.be
How to use LDAP_OPT_CONNECT_ASYNC?
by Ian Puleston
Hi,
I'm trying to use the new LDAP_OPT_CONNECT_ASYNC with OpenLDAP 2.4.23 client and I can't see how it can be done.
After creating the connection structure via ldap_initialize() I then call ldap_sasl_bind() to do the bind. That calls down to ldap_new_connection() (ldap_sasl_bind -> ldap_send_initial_request -> ldap_open_defconn -> ldap_new_connection) and that implements the asynchronous connect, setting the lconn_status to LDAP_CONNST_CONNECTING and not calling ldap_int_poll() in ldap_pvt_connect().
So far so good. But ldap_send_initial_request() then gets a good return code from ldap_open_defconn(), and so it goes on to call ldap_send_server_request() to send the bind, and that then calls ldap_int_poll() which waits for the connect to complete, making the whole operation synchronous.
It seems to me that for this to work asynchronously, either:
1. ldap_send_initial_request() should check for lconn_status to LDAP_CONNST_CONNECTING on return from ldap_open_defconn(), and if it is then return, probably with error LDAP_X_CONNECTING. It should then be possible to re-call ldap_sasl_bind() when the connect has completed.
2. Establish the connection via ldap_new_connection() before calling ldap_sasl_bind(). But the functions to do that don't appear to be available on the API. ldap_open() could have probably done it, but it is now deprecated. So this would appear to require a new API function that would simply call ldap_open_defconn() and return LDAP_X_CONNECTING.
Or is there some other way to achieve this?
Ian