I am trying to setup an OpenLDAP server in my DMZ to proxy requests
from Software as a Service vendors to my internal Active Directory
domain. Specifically, I want to disallow anonymous access; make
access read only; and restrict access to return only displayName,
distinguishedName, mail, proxyAddresses, member, memberOf,
mailNickname, and homeMDB. I also need to provide authentication
capability for single sign on at the vendor.
I don't think I have a proper understanding of OpenLDAP's ACLs, yet,
so I am probably missing some things. I may even be approaching this
completely wrong. I suspect I need to add "auth" access somewhere.
Currently, I receive "result: 50 Insufficient access" when I try to
query the OpenLDAP server.
I don't have an authentication trace yet from the SaaS vendor, but if it
works like Cisco IronPort, it will try to bind to the LDAP server
using the user's supplied credentials and look for a success, then
switch back to using the LDAP query account.
Thanks for any assistance,
#Disallow anonymous binds
#### Define access to Active Directory
# Set proxy to read-only
#List domain controllers to access. ldap for non-SSL/debug & ldaps for
# set chase-referrals to no to keep from querying all DCs
### access lists
# Allow defined access to Active Directory, deny all others.
access to dn.subtree="dc=example,dc=com"
by * none
# Deny access to all undefined resources by all undefined users
access to *
by * none
attributetype ( 1.2.840.1135126.96.36.199
SYNTAX '188.8.131.52.4.1.14184.108.40.206.15' )
attributetype ( 1.2.840.1135220.127.116.11
SYNTAX '18.104.22.168.4.1.1422.214.171.124.12' )
attributetype ( 1.2.840.1135126.96.36.1997
SYNTAX '188.8.131.52.4.1.14184.108.40.206.15' )
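The "result: 50 Insufficient access" in the post above is what the quoted access list produces: the first clause, access to dn.subtree="dc=example,dc=com" by * none, matches every entry and attribute under the suffix and is the first match, so nothing after it can grant anything. The fragment below is an added example (not the poster's configuration) of a slapd.conf that meets the stated requirements: anonymous binds refused, the proxy read-only, and only the listed attributes readable by authenticated users. The suffix, domain-controller hostnames and the attribute list are taken from the post; everything else is an assumption, and the AD-only attribute names (proxyAddresses, memberOf, mailNickname, homeMDB) must be declared in the schema, as the poster's attributetype lines do, before slapd will accept them in an access clause.

```conf
# Added example, not the poster's config. Suffix and hosts are placeholders.

# Global section: refuse anonymous binds and require a successful bind
# before any other operation is processed.
disallow   bind_anon
require    authc

# Proxy database. "readonly on" makes slapd reject every write before it
# reaches AD; "chase-referrals no" keeps the proxy from following AD
# referrals to other domain controllers.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://dc1.example.com/ ldaps://dc2.example.com/"
readonly        on
chase-referrals no

# Access control. Clauses are evaluated top-down: the first "access to"
# whose target matches decides, and within it the first matching "by" wins.
# A blanket "by * none" on the whole subtree therefore has to come LAST.

# 1. Authenticated users may read only the attributes the vendor needs.
#    "entry" (the pseudo-attribute for the entry itself) must be in the
#    list, otherwise no entry is returned even though the attributes match.
access to dn.subtree="dc=example,dc=com"
        attrs=entry,displayName,distinguishedName,mail,proxyAddresses,member,memberOf,mailNickname,homeMDB
        by users read
        by * none

# 2. Every other attribute in the subtree, and everything outside it,
#    is denied to everyone. This is the catch-all and must stay at the end.
access to *
        by * none
```

With a back-ldap proxy the bind itself is forwarded to the remote domain controller, so the user's credentials are checked by AD rather than by a local userPassword ACL; the "auth" access level the poster suspected is needed only when slapd holds the password attribute locally. The clauses above govern what a successfully bound user can then read through the proxy.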
I'm making an OpenLDAP slave server of my PDC server, and I installed
Ubuntu 9.04 with OpenLDAP 2.4.15. I just copied /etc/ldap/ and checked
it, but it fails when it starts. The logs (syslog) say:
slapd: @(#) $OpenLDAP: slapd 2.4.15 (Jul 30 2010 00:41:48) $
slapd: config error processing
slapd: slapd stopped.
slapd: connections_destroy: nothing to destroy.
I checked all permissions and they are the same as on my PDC server. Any guide
to doing it correctly?
Thanks and best regards
I have installed OpenLDAP 2.4.23 on Windows Server 2003. When I run this
query with ldapsearch:
ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)"
I get the following error:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
I installed MIT Kerberos, but it did not solve the problem.
Does anyone know what the issue is and how it can be solved?
We are in the final stage of a single sign-on project. We are looking to integrate Active Directory with LDAP, but our MS domain ppolicy is different from the LDAP ppolicy.
My question is: do the policies have to be identical for the integration to work?
I would like to know whether it is possible to bind an OpenLDAP server to a Canon
printer so users can authenticate before use?
System Administrator - Metropolitan College
2 Hennie Van Till, White River, 1240
erickom(a)kom.za.net | erickom(a)namekom.co.za | erickom(a)erickom.co.za
www.kom.za.net | www.kom.za.org | www.erickom.co.za
Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5
Never mind, I just need to compile it using ./configure --enable-memberof,
and that solved the problem.
2011/5/16 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On May 16, 2011 6:17:37 PM -0400 JOSE L MARTINEZ-AVIAL <jlmagc(a)gmail.com>
>> I did that, and the problem is that I compiled openldap without enabling
>> the modules. The issue now is that it fails to compile when I enable the
>> modules because libtools-ldtd is not installed, and that seems to be
>> related with the fact the I use RHEL4, which doesn't include that library.
> So download and build it yourself. ;)
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> Zimbra :: the leader in open source messaging and collaboration
I've built OpenLDAP 2.4.23 on my RHEL4, and it works fine. I'm able to do
queries, updates, etc. But when I try to use the overlay memberof, the
server does not start. It doesn't give any error message, it just fails to
start. It works if I put the moduleload memberof.la, but the moment I add
the overlay memberof, it just doesn't work. Any ideas about what I'm doing
Do you know of any manual/howto/doc about how to configure Linux GIDs
through OpenLDAP? That is, my OpenLDAP tree assigns different groups to
my Linux user, then I run:
and I get all the groups I'm part of. But when I repeat the operation:
I just lose all the secondary groups. All this with SLES9+openldap
Thanks in advance,
Consultor Senior Novell - mparra(a)novell.com
openSUSE Developer - mauro(a)openSUSE.org
BB PIN - 22600AE9
problem has been solved, thank you.
Since I was using Slackware without PAM, I wasn't able to
authenticate as an LDAP user. nsswitch.conf was good and nss_ldap was
installed, but I needed PAM for the auth part.
After installing PAM and having it configured, auth is working.
I now need to recompile most of my files in order to get su, ssh and
other programs to work with LDAP auth (and PAM).
On 05/10/2011 03:01 PM, Johnny PINSON wrote:
> I installed an OpenLDAP client and nss_ldap on a Linux computer running
> Slackware. Then I modified /etc/nsswitch.conf, adding ldap to authenticate
> against an LDAP server.
> The commands "getent password" and "id" are working. When I'm root and
> do a "su $user", I'm able to su as $user. But if I try to log in as
> $user, I get "invalid password" every time.
> What can I do to get it working? Would you need a copy of my config
> Thanks a lot,
> Johnny PINSON
I'm having some problems understanding the subtleties of MirrorMode vs
MultiMaster configurations. Any help with the following questions would
1) It looks like the only real difference between a MirrorMode and
Multimaster configuration is whether or not the RIDs are different. In
MirrorMode both sides have the same rid, in Multimaster they are
different. Is that so?
2) Passing through the code, "MirrorMode" is really "Single Master" and
MultiMaster is just "not Single Master". But the code path to determine
whether it is single master or not confuses me. How does slapd actually
3) For MultiMaster, the docs show using syncrepl to replicate cn=config
and the directory (or directories if you have more than one)
independently. Is it really necessary to replicate cn=config if the
configuration isn't changing? (What I'm really looking for here is to
find out if there is state information in cn=config that's being used or
if it's simply a good idea to ensure the configs are the same by using