openldap-technical May 2011

openldap-technical@openldap.org

91 participants
81 discussions

Restricted Active Directory Proxy for SaaS Vendors
by Nanoic Dalflanlun 17 May '11

17 May '11

I am trying to setup an OpenLDAP server in my DMZ to proxy requests from Software as a Service vendors to my internal Active Directory domain. Specifically, I want to disallow anonymous access; make access read only; and restrict access to return only displayName, distinguishedName, mail, proxyAddresses, member, memberOf, mailNickname, and homeMDB. I also need to provide authentication capability for single sign on at the vendor. I don't think I have a proper understanding of OpenLDAP's ACLs, yet, so I am probably missing some things. I may even be approaching this completely wrong. I suspect I need to add "auth" access somewhere. Currently, I receive "result: 50 Insufficient access" when I try to query the OpenLDAP server. I don't have an authentication trace yet from the SaaS vendor, but it if it work like Cisco Ironport, it will try to bind to the LDAP server using the user's supplied credentials and look for a success, then switch back to using the LDAP query account. Thanks for any assistance, Nanoic -------------------------Begin slapd.conf------------------------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/saas.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args logfile /var/log/openldap.log loglevel none #Disallow anonymous binds disallow bind_anon #### Define access to Active Directory database ldap # Set proxy to read-only readonly on suffix "dc=example,dc=com" rootdn "dc=example,dc=com" rebind-as-user #List domain controllers to access. ldap for non-SSL/debug & ldaps for SSL/production uri "ldap://DomainController1" uri "ldap://DomainController2" lastmod off # set chase-referrals to no to keep from querying all DCs chase-referrals no ### access lists # Allow defined access to Active Directory, deny all others. access to dn.subtree="dc=example,dc=com" attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read by * none # Deny access to all undefined resources by all undefined users access to * by * none -------------------------End slapd.conf------------------------- -------------------------Begin saas.schema------------------------- attributetype ( 1.2.840.113556.1.2.210 NAME 'proxyAddresses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) attributetype ( 1.2.840.113556.1.2.244 NAME 'homeMDB' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' ) attributetype ( 1.2.840.113556.1.2.447 NAME 'mailNickname' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -------------------------End saas.schema-------------------------

1 0

problem making a copy of ldap
by deconya 17 May '11

17 May '11

Hi guys I'm making a openldap slave server of my PDC server and I installed ubuntu 9.04 with openldap 2.4.15. I just copy /etc/ldap/ and I check it, but fails when starts. Logs (syslog) said: slapd[30344]: @(#) $OpenLDAP: slapd 2.4.15 (Jul 30 2010 00:41:48) $ ^Ibuildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd slapd[30344]: config error processing olcOverlay={0}syncprov,olcDatabase={0}config,cn=config: slapd[30344]: slapd stopped. slapd[30344]: connections_destroy: nothing to destroy. I check all permissions and are the same of my PDC server. Any guide to make it correctly? Thanks And best Regards

2 4

authentication problem
by Mohammad D 17 May '11

17 May '11

Hi all I have installed openldap 2.4.23 on windows server 2003. when I run this query on ldapsearch: ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)" "certificaterevocationlist" I get the following error: SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: I installed MIT kerberos but it did not solve the problem. any one know whats the issue and how can it be solved?

5 8

AD and Openldap integration
by Darouichi, Aziz 17 May '11

17 May '11

Hi, We are in the final stage of single sign on project. We are looking to integrate Active directory with LDAP. But our MS Domain ppolicy is different than LDAP ppolicy. My question is do the policies have to be identical for the integration to work? Thanks, Aziz

1 0

LDAP with Canon IRC2380
by Metropolitan College <Eric Kom> 17 May '11

17 May '11

Hi all! Please I wanna know if it's possible to bind OpenLDAP server to Canon Printer machine so users can authenticate before use? -- -- YouTruly Eric Kom System Administrator - Metropolitan College 2 Hennie Van Till, White River, 1240 erickom(a)kom.za.net | erickom(a)namekom.co.za | erickom(a)erickom.co.za www.kom.za.net | www.kom.za.org | www.erickom.co.za Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5

2 1

Re: overlay memberof fails
by JOSE L MARTINEZ-AVIAL 16 May '11

16 May '11

Never mind, I just need to compile it using ./configure --enable-memberof, and that solved the problem. Thanks! 2011/5/16 Quanah Gibson-Mount <quanah(a)zimbra.com> > > > --On May 16, 2011 6:17:37 PM -0400 JOSE L MARTINEZ-AVIAL <jlmagc(a)gmail.com> > wrote: > > I did that, and the problem is that I compiled openldap without enabling >> the modules. The issue now is that it fails to compile when I enable the >> modules because libtools-ldtd is not installed, and that seems to be >> related with the fact the I use RHEL4, which doesn't include that library. >> > > So download and build it yourself. ;) > > > --Quanah > > > -- > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

1 1

overlay memberof fails
by JOSE L MARTINEZ-AVIAL 16 May '11

16 May '11

Hi, I've built openldap2.4.23 in my RHEL4, and it works fine. I'm able to do queries, updates, etc. But when I try to use the overlay memberof, the server does not start. It doesn't give any error message, it just fails to start. It works if I put the moduleload memberof.la, but the moment I add the overlay memberof, it just doesn't work. Any ideas about what I'm doing wrong? Thanks Jose Luis

2 3

Storing secondary gid's in openldap
by Mauro Parra 16 May '11

16 May '11

Hello, Do know of any manual/howto/doc about how to configure linux gid's thru openldap? This is, my openldap tree assigns different groups to my linux user, then i run: $ id uid=1000(mauro) gid=1000(mauro) groups=4(adm),20(dialout),24(cdrom),44(video),46(plugdev),104(lpadmin),115(admin),120(sambashare),1000(mauro) and i get all the groups I'm part of. But, I repeat the operation: $ id uid=1000(mauro) gid=1000(mauro) and I just lost all the secondary groups. All this with SLES9+openldap 2.2.3-43. Thanks in advance, Mauro -- Saludos, Mauro Parra-Miranda Consultor Senior Novell - mparra(a)novell.com openSUSE Developer - mauro(a)openSUSE.org BB PIN - 22600AE9

2 1

Re: Auth problem with openldap and nss_ldap
by Johnny PINSON 16 May '11

16 May '11

Hye, problem has been solved, thank you. Since I was using slackware without PAM, I wasn't able to auth as an ldap user. nsswitch.conf was good, nss_ldap was installed but I needed PAM for the auth part. After installing PAM and having it configured, auth is working. I now need to recompile most of my files in order to get su, ssh and other programs to work with LDAP auth (and PAM). Thank you, Johnny PINSON Le 05/10/2011 03:01 PM, Johnny PINSON a écrit : > Hey, > > I installed an openldap client and nss_ldap on a linux computer running > slackware. Then I modified /etc/nsswitch.conf, adding ldap to authentify > thanks a ldap server. > > The commands "getent password" and "id" are working. When I'm root and > doing a "su $user", I'm able to su as $user. But, if I try to log in as > $user, I get everytime an "invalid password". > > What can I do please to get i working? Would you need copy of my config > files? > > Thanks a lot, > > Johnny PINSON > >

1 0

MirrorMode vs MultiMaster Questions
by Ben Rockwood 16 May '11

16 May '11

I'm having some problems understanding the subtleties of MirrorMode vs MultiMaster configurations. Any help with the following questions would be helpful: 1) It looks like the only real difference between a MirrorMode and Multimaster configuration is whether or not the RIDs are different. In MirrorMode both sides have the same rid, in Multimaster they are different. Is that so? 2) Passing through the code, "MirrorMode" is really "Single Master" and MultiMaster is just "not Single Master". But the code path to determine whether it is single master or not confuses me. How does slapd actually determine this? 3) For MultiMaster, the docs show using syncrepl to replicate cn=config and the directory (or directories if you have more than one) independently. Is it really necessary to replicate cn=config if the configuration isn't changing? (What I'm really looking for here is to find out if there is state information in cn=config thats being used or if its simply a good idea to ensure the configs are the same by using syncrepl.) Thanks, benr.

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2011