openldap-technical May 2011

openldap-technical@openldap.org

91 participants
81 discussions

Administrator for groups OpenLDAP with Samba Admins
by Juan Diego Calle 16 May '11

16 May '11

Hi, For weeks I have being reading about openldap, in the mailing lists, etc. Basically I have Samba with ldap and I need a GUI to administrate the users(I can use smbldap-tools and a shell, but not some of the administrators). I installed phpldapadmin, and I can log in with the user "Administrator", but I can change, remove or add any user or anything. I have read about people that have similar configurations to mine and solve this problem. Besides the user interface everything seems to work fine, the machines are logged to the domain, the samba server is a PDC. As far as I understand I need to create an ACL in /etc/openldap/slapd.conf for the group that is going to administrate, and the problem is because I am trying to grant permisions to the Group "Domain Admins", and domain admins is more like samba group. So far I can figure out why is not working the stuff I try, but I dont know how to fix it. It has to do with the objectclass. One of my ideas was to create an extra group, just for administrators, and called something like bofhs. I used this as a reference http://www.openldap.org/faq/data/cache/52.html dn: cn=bofh,dc=mydomain,dc=com,dc=ec cn: bofhs objectclass: groupofNames member: cn=administrator,dc=mydomain,dc=com,dc=ec Can I add something to the "Domain Admins" group so they can change data. But i had problems creating this group, didnt work, in some examples they use ou=Group, I dont understand what the ou thing does. Here is a sample of a backup of the ldap db, dn: dc=mydomain,dc=com,dc=ec objectClass: dcObject objectClass: organization o: Company dc: mydomain structuralObjectClass: organization entryUUID: 9c8201ce-ccc9-102f-9758-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210326Z entryCSN: 20110214210326Z#000000#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210326Z dn: cn=Manager,dc=mydomain,dc=com,dc=ec objectClass: organizationalRole cn: Manager structuralObjectClass: organizationalRole entryUUID: 9c82917a-ccc9-102f-9759-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210326Z entryCSN: 20110214210326Z#000001#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210326Z dn: ou=People,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: organizationalUnit ou: People structuralObjectClass: organizationalUnit entryUUID: b071f8b0-ccc9-102f-975a-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000000#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: organizationalUnit ou: Group structuralObjectClass: organizationalUnit entryUUID: b0727074-ccc9-102f-975b-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000001#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: ou=Computers,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: organizationalUnit ou: Computers structuralObjectClass: organizationalUnit entryUUID: b072cd3a-ccc9-102f-975c-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000002#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: ou=Idmap,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: organizationalUnit ou: Idmap structuralObjectClass: organizationalUnit entryUUID: b07343a0-ccc9-102f-975d-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000003#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec cn: Administrator sn: Administrator objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: sambaSamAccount objectClass: posixAccount objectClass: shadowAccount gidNumber: 0 uid: Administrator uidNumber: 0 homeDirectory: /home/Administrator sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaHomePath: \\IESS\Administrator sambaHomeDrive: H: sambaProfilePath: \\IESS\profiles\Administrator sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-512 sambaSID: S-1-5-21-2323392562-1448967901-2038806033-500 loginShell: /bin/false gecos: Netbios Domain Administrator structuralObjectClass: inetOrgPerson entryUUID: b0739f26-ccc9-102f-975e-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z sambaLMPassword: 71DAB35FA93A2AB817306D272A9441BB sambaAcctFlags: [U] sambaNTPassword: AB9EA058E462D1881CD7AAC70FC462F2 sambaPwdLastSet: 1305237753 sambaPwdMustChange: 1309125753 userPassword:: e1NTSEF9Mnl6SUJjNTZEN1AxaW5oVmhFaE05dWtLNE1CdGR6Tkw= shadowLastChange: 15106 shadowMax: 45 entryCSN: 20110512220224Z#000001#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110512220224Z dn: uid=nobody,ou=People,dc=mydomain,dc=com,dc=ec cn: nobody sn: nobody objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: sambaSamAccount objectClass: posixAccount objectClass: shadowAccount gidNumber: 514 uid: nobody uidNumber: 999 homeDirectory: /dev/null sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaHomePath: \\IESS\nobody sambaHomeDrive: H: sambaProfilePath: \\IESS\profiles\nobody sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-514 sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX sambaAcctFlags: [NUD ] sambaSID: S-1-5-21-2323392562-1448967901-2038806033-2998 loginShell: /bin/false structuralObjectClass: inetOrgPerson entryUUID: b07615da-ccc9-102f-975f-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000005#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Domain Admins,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 512 cn: Domain Admins memberUid: Administrator description: Netbios Domain Administrators sambaSID: S-1-5-21-2323392562-1448967901-2038806033-512 sambaGroupType: 2 displayName: Domain Admins structuralObjectClass: posixGroup entryUUID: b0769776-ccc9-102f-9760-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000006#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 513 cn: Domain Users description: Netbios Domain Users sambaSID: S-1-5-21-2323392562-1448967901-2038806033-513 sambaGroupType: 2 displayName: Domain Users structuralObjectClass: posixGroup entryUUID: b07735b4-ccc9-102f-9761-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z memberUid: user1 memberUid: user2 memberUid: user3 entryCSN: 20110511142120Z#000002#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110511142120Z dn: cn=Domain Guests,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 514 cn: Domain Guests description: Netbios Domain Guests Users sambaSID: S-1-5-21-2323392562-1448967901-2038806033-514 sambaGroupType: 2 displayName: Domain Guests structuralObjectClass: posixGroup entryUUID: b077a364-ccc9-102f-9762-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000008#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Domain Computers,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 515 cn: Domain Computers description: Netbios Domain Computers accounts sambaSID: S-1-5-21-2323392562-1448967901-2038806033-515 sambaGroupType: 2 displayName: Domain Computers structuralObjectClass: posixGroup entryUUID: b0781966-ccc9-102f-9763-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#000009#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Administrators,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 544 cn: Administrators description: Netbios Domain Members can fully administer the computer/sambaDom ainName sambaSID: S-1-5-32-544 sambaGroupType: 5 displayName: Administrators structuralObjectClass: posixGroup entryUUID: b07892b0-ccc9-102f-9764-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#00000a#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Account Operators,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 548 cn: Account Operators description: Netbios Domain Users to manipulate users accounts sambaSID: S-1-5-32-548 sambaGroupType: 5 displayName: Account Operators structuralObjectClass: posixGroup entryUUID: b07907c2-ccc9-102f-9765-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#00000b#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Print Operators,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 550 cn: Print Operators description: Netbios Domain Print Operators sambaSID: S-1-5-32-550 sambaGroupType: 5 displayName: Print Operators structuralObjectClass: posixGroup entryUUID: b079790a-ccc9-102f-9766-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#00000c#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Backup Operators,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 551 cn: Backup Operators description: Netbios Domain Members can bypass file security to back up files sambaSID: S-1-5-32-551 sambaGroupType: 5 displayName: Backup Operators structuralObjectClass: posixGroup entryUUID: b079eab6-ccc9-102f-9767-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#00000d#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: cn=Replicators,ou=Group,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 552 cn: Replicators description: Netbios Domain Supports file replication in a sambaDomainName sambaSID: S-1-5-32-552 sambaGroupType: 5 displayName: Replicators structuralObjectClass: posixGroup entryUUID: b07a6950-ccc9-102f-9768-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z entryCSN: 20110214210400Z#00000e#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210400Z dn: sambaDomainName=IESS,dc=mydomain,dc=com,dc=ec structuralObjectClass: sambaDomain entryUUID: b07ad228-ccc9-102f-9769-316f6ec95723 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210400Z sambaPwdHistoryLength: 0 sambaLockoutThreshold: 0 sambaMaxPwdAge: -1 gidNumber: 1000 uidNumber: 1000 objectClass: top objectClass: sambaDomain objectClass: sambaUnixIdPool sambaSID: S-1-5-21-2323392562-1448967901-2038806033 sambaNextRid: 1000 sambaDomainName: IESS entryCSN: 20110512220215Z#000000#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110512220215Z dn: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: user1 sn: user1 givenName: user1 uid: user1 uidNumber: 1002 gidNumber: 513 homeDirectory: /home/user1 loginShell: /bin/false gecos: System User userPassword:: e2NyeXB0fXg= structuralObjectClass: inetOrgPerson entryUUID: e660228a-ccc9-102f-9447-ffc7e9a6c1f6 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210530Z sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 displayName: rloor sambaAcctFlags: [UX] sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3004 sambaLMPassword: XXX sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513 sambaNTPassword: XXX sambaLogonScript: logon.bat sambaHomePath: \\IESS\user1 sambaHomeDrive: H: entryCSN: 20110214210530Z#000006#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210530Z dn: uid=user2,ou=People,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: user2 sn: user2 givenName: user2 uid: user2 uidNumber: 1003 gidNumber: 513 homeDirectory: /home/user2 loginShell: /bin/false gecos: System User userPassword:: e2NyeXB0fXg= structuralObjectClass: inetOrgPerson entryUUID: e692c104-ccc9-102f-9448-ffc7e9a6c1f6 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210530Z sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 displayName: user2 sambaAcctFlags: [UX] sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3006 sambaLMPassword: XXX sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513 sambaNTPassword: XXX sambaLogonScript: logon.bat sambaHomePath: \\IESS\user2 sambaHomeDrive: H: entryCSN: 20110214210530Z#00000b#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110214210530Z dn: uid=user3,ou=People,dc=mydomain,dc=com,dc=ec objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: user3 sn: user3 givenName: user3 uid: user3 uidNumber: 1204 gidNumber: 513 homeDirectory: /home/user3 loginShell: /bin/false gecos: System User structuralObjectClass: inetOrgPerson entryUUID: e6c4c500-ccc9-102f-9449-ffc7e9a6c1f6 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110214210531Z sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 displayName: user3 sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3008 sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513 sambaLogonScript: logon.bat sambaHomePath: \\IESS\user3 sambaHomeDrive: H: sambaLMPassword: 57D26D340E8A2411AAD3B435B51404EE sambaAcctFlags: [U] sambaNTPassword: 79715183CF6136D501018FF3F5C381E4 sambaPwdLastSet: 1297878031 sambaPwdMustChange: 1301766031 userPassword:: e1NTSEF9MXQ3dHJoWUxRT05hUnFuQWQ0N3A5QTAwQUNkR05tZGg= shadowLastChange: 15021 shadowMax: 45 entryCSN: 20110216174031Z#000003#00#000000 modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec modifyTimestamp: 20110216174031Z And here is my slapd.conf, I erased the acls I created to test most of it, none worked. # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib64/openldap # Modules available in openldap-servers-overlays RPM package # Module syncprov.la is now statically linked with slapd and there # is no need to load it here # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # modules available in openldap-servers-sql RPM package: # moduleload back_sql.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! #access to * # by self write # by users read # by anonymous auth #access to attrs=userpassword # by self =xw # by anonymous auth by anonymous auth #access to * # by self write # by users read access to attrs=userpassword by self write by anonymous auth by * none access to * by self write by users read by anonymous read by * none access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write #access to dn.regex = "ou = personal_addressbook or =(.+),, dc = korrigan, dc = org" #by dn.regex="cn=$1,ou=Users,dc=korrigan,dc=org" write by dn.regex = "cn = $ 1, ou = Users, dc = korrigan, dc = org" write #by dn="cn=admin,dc=korrigan,dc=org" write by dn = "cn = admin, dc = korrigan, dc = org" write #by * none by * none ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=mydomain,dc=com,dc=ec" rootdn "cn=Manager,dc=mydomain,dc=com,dc=ec" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM # Extras para ser servidor master de ldap loglevel 256 Sorry for the long email. JDC

2 1

pwdInHistory question
by Bidwell, Matt 13 May '11

13 May '11

I'm running OpenLDAP 2.5.24 on 2 servers. I'm trying to enforce some security rules on client machines through the ppolicy overlay. All the lockout stuff works fine. I understand that pwdMinLength will not work by design because the password is hashed. I can't get pwdInHistory to work. If I set it to 5 I clearly see 5 pwdHistory entries, all hashed {crypt}, but I can go back and forth between two passwords without it rejecting them for being reused. My current theory is that it's not looking at the actual password to prevent reuse, but the hashed password, which is not going to be the same. Should it be working? Follow up question, shouldn't the password be stored {SSHA} and not {CRYPT} by default? Just to be clear, the password is being set on the client machine using passwd, not on the servers running OpenLDAP. Matt

4 4

Replication OpenLDAP...
by Nguyen, Quoc Khanh 13 May '11

13 May '11

Hi all, I'm setting up a Master and Slave OpenLDAP (ver. 2.4.25) use Replication method following https://help.ubuntu.com/community/OpenLDAPServer. When i used slapdcat (slapdcat -l master_dump.ldif), I got a messeage: root@ldap:/usr/local/openldap/sbin# ./slapcat -l master_dump.ldif /usr/local/openldap/etc/openldap/slapd.conf: line 89: keyword is obsolete (ignored) /usr/local/openldap/etc/openldap/slapd.conf: line 91: keyword is obsolete (ignored) bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/openldap/var/openldap-data: (2). Expect poor performance for suffix "dc=abc,dc=com". bdb_monitor_db_open: monitoring disabled; configure monitor database to enable What i'm doing wrong? Please help... My Master slapd.conf is: # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # CA signed certificate and server cert entries: TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCACertificateFile /var/myCA/cacert.crt TLSCertificateFile /var/myCA/master_ldap_crt.pem TLSCertificateKeyFile /var/myCA/master_ldap_key.pem # Use the following if client authentication is required #TLSVerifyClient demand # ... or not desired at all TLSVerifyClient never ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=abc,dc=com" rootdn "cn=rootldap,dc=abc,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw 123456789 # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/openldap/var/openldap-data # Indices to maintain index objectClass eq index uid eq index cn,gn,mail eq,sub index sn eq,sub index ou eq replogfile /usr/local/openldap/var/openldap-data/replogfile replica uri="ldaps://mail1.abc.com" starttls=yes bindmethod=simple binddn="cn=rootldap,dc=abc,dc=com" credentials="123456789" My Slave slapd.conf is similar configuraion to the Master Server... *********************************** EVERYTHING HAS JUST BEGUN...

1 0

Getting more info from ldap_auth in case of a quiet failure?
by a z 12 May '11

12 May '11

Hi everyone, I am definitely new to the list, openLDAP, Ldap in general, nssswitch, shadow, samba etc, but heck, we all have to start somewhere. Not really -that- new to application code, but yeah, I'm kinda young and working at an amateur/unemployed small business level, so by default yeah .. technical noob alert... I am having problems finding out why domain login is failing: Up until now I have had pretty good luck being able to figure out how to, for example, Get Ldap and nsswitch running well enough that ldap authenticates my ssh sessions against shadow.. Get a valid sambaSID or objectClass: sambaSamAccount into an ldif without relying on the smbldap_tools library, or writing new acls to put the samba domain admin in a different ou=. (This is why I am trying to work around smbldap_tools, of course I could probably change the UID) I have been through slapd.conf loglevel -1 all day long watching it request attributes that weren't in the ldif, I cannot see yet where in smbldap_tools it decides it needs root's uid, but it goes ahead and uses it to write updates even though there is another user with write access to the right attributes) I can join windows machines to the samba workgroup MYDOMAIN, and be given an opportunity to login to the samba server, so despite the weird unupported things I do, perhaps senselessly, I -think- I have the premise correct.. So I think this is failing on a bdb_index_read: failed (-30988) report. If anyone is still with me, thanks a ton. Before I go nuts enough to post the parts of slapd logging output I am pretty sure are okay, this is what the probable problems are: It just seems that uid=testuser and objectClass=sambaSamAccount should match this con=1011 string and the next time it fails it should be for the next problem Ill have, and not this one. May 14 00:13:34 localhost slapd[30055] => conn=1011 op=3 SRCH base="dc=MYDOMAIN,dc=com" scope=2 deref=0 filter="(&(uid=testuser)(objectClass=sambaSamAccount))" . . . May 13 00:13:34 localhost slapd[30055]: => slap_access_allowed: search access granted by read(=rscxd) May 13 00:13:34 localhost slapd[30055]: => access_allowed: search access granted by read(=rscxd) May 13 00:13:34 localhost slapd[30055]: search_candidates: base="dc=MYDOMAIN.dc=com" (0x00000001) scope=2 . . . May 13 00:13:34 localhost slapd[30055]: <= bdb_index_read: failed (-30988) and of course, the ldif I think it should be matching: dn: cn=testuser,ou=People,dc=MYDOMAIN,dc=com changetype: add objectClass: inetOrgPerson sn: testuser uid: testuser sambaSID: S-1-5-21-28598429-1396753209-3957328313-513 objectClass: sambaSamAccount sambaDomainName: MYDOMAIN Again, thanks. I look forward to seeing the list traffic every day, and yet more slapd -1 logs -- ⎼⎺⎺├@┼␊├├≤-␍⎼␊▒␍:/␤⎺└␊/⎼␤⎺#

1 0

Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status
by Nick Milas 12 May '11

12 May '11

Hi, We've been using for several months PowerDNS Authoritative Server v9.22 with LDAP backend (simple mode), using OpenLDAP (v2.4.22) for hosting our organization's domains (and reverse zones) and it has been working fine (low query times, reliable etc.) so we enjoy having all our organization's data stored/maintained in the same DIT in LDAP. However, as PowerDNS Authoritative Server is preparing for the next version (3.0), it seems that the LDAP backend will be unmaintained (see: http://mailman.powerdns.com/pipermail/pdns-users/2011-March/007547.html) as the LDAP backend developer is no more working on it (see: http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03625.html). It has been alleged (see ref. above) that "We don't think that LDAP is a particularly good or interesting place to store DNS data. It will for example have big problems with PowerDNSSEC because of lack of ordering." Moreover, PowerDNS LDAP backend (although current open bugs are very few and of relatively low severity) lacks features (e.g. Notify, which we implement using custom script, cron and notify-dns-slaves, see: http://mailman.powerdns.com/pipermail/pdns-users/2010-October/007109.html) and is not being evolved any more. Additionally, LDAP/database backend projects for BIND9 (SDB and DLZ) do not seem very well maintained either. In any case we prefer PowerDNS approach where backend implementation is cleaner and direct. So, my questions: * From the above and your experience, do you consider LDAP should not be preferred as DNS backend? * Should LDAP be avoided as a DNS/DNSSEC backend? * Would any companies / developer(s) from the OpenLDAP world - perhaps already using or interested in using DNS with LDAP backend - would be willing to devote some time to fix a couple of small bugs and keep the very well-designed and developed PowerDNS LDAP backend in shape? We could even start some community donation effort (to support this development), but I don't know if there is sufficient usage/interest in the LDAP backend that would generate enough funds. In essence, should we drop LDAP as a DNS Record datastore, due to the lack of a properly maintained backend and/or unsuitability for (e.g. DNSSEC) evolution, or you think there IS interest for the maintenance / evolution of the LDAP backend by the OpenLDAP developers/community (even by becoming more openldap-oriented rather than being cross-platform)? Best Regards, Nick

6 22

[Q] objectClass mapping data of back_sql for RFC2307
by Hiroyuki Sato 12 May '11

12 May '11

Dear lists. Could you please tell me the following. Does anybody tried to create objectClass mapping data of back_sql for RFC2307?? Especially, posixAccount and posixGroup. I would like to use SQL Database to store account informations of LDAP. Sincerely. -- Hiroyuki Sato.

1 0

Xymon syncrepl monitoring
by Johan Karlsson 12 May '11

12 May '11

Hi! While looking for OpenLDAP monitoring solutions, i found Buchan's Xymon/Hobbit script at http://staff.telkomsa.net/~bgmilne/xymon/ol/ I saw some previous discussion about it on this list so I thought I'd give it a shot. I'm wondering how it determines a syncrepl slave, cause when I added the test in Xymon on my syncrepl slave I get "Not a syncrepl slave". The graphs and counters are working though. Regards, Johan

2 2

Search by customized attribute in OpenLdap
by JOSE L MARTINEZ-AVIAL 11 May '11

11 May '11

Hi, I've installed OpenLdap, and defiened the following schema: attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) objectclass ( 1.2.840.113556.1.5.6 NAME 'securityPrincipal' SUP top AUXILIARY MUST (sAMAccountName ) MAY (mail)) I've created an entry as follows: dn: cn=John Smith,ou=External Users,dc=xxx,dc=yyy,dc=com cn: John Smith objectClass: person objectClass: securityPrincipal mail: test(a)test.com sn: Smith userPassword: myPassword sAMAccountName: smith Then I try to get the entry looking for (sAMAccountName='smith'), but it doesn't work. If I look for (cn='John Smith') it founds the entry. So what do I need to do in order to be able to search by sAMAccountName? Thanks Jose

1 0

Re: Not able start TLS.
by Meghanand Acharekar 11 May '11

11 May '11

Sorry for the spelling mistake using /usr/local/libexec/slapd -s 256 -h "ldaps:///" And getting the error "daemon: TLS not supported (ldaps:///)" is syslog, I have searched mailing list, the one possible reason mentioned was "openldap is not compiled with TLS support" but I have verified this using ldd. ldd /usr/local/libexec/slapd linux-vdso.so.1 => (0x00007fff1f7ff000) libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f80960b4000) libpthread.so.0 => /lib/libpthread.so.0 (0x00007f8095e98000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f8095c7e000) libdl.so.2 => /lib/libdl.so.2 (0x00007f8095a7a000) libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f8095843000) libresolv.so.2 => /lib/libresolv.so.2 (0x00007f809562c000) libwrap.so.0 => /lib/libwrap.so.0 (0x00007f8095423000) libc.so.6 => /lib/libc.so.6 (0x00007f80950c2000) /lib64/ld-linux-x86-64.so.2 (0x00007f8096428000) libnsl.so.1 => /lib/libnsl.so.1 (0x00007f8094ea9000) I'm not sure whether the problem in certificates could be the reason for this. In my slapd.conf I've following lines related to TLS. TLSCACertificateFile /usr/local/etc/openldap/ca-bundle.crt TLSCertificateFile /usr/local/etc/openldap/slapd.pem TLSCertificateKeyFile /usr/local/etc/openldap/slapd.pem Regards, Meghanand N. Acharekar On Tue, May 10, 2011 at 8:50 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, May 10, 2011 4:56 PM +0530 Meghanand Acharekar < > vasco.debian(a)gmail.com> wrote: > > using /usr/local/libexec/slapd -s 256 -h "ldap:///" >> daemon: TLS not supported (ldaps:///) >> > > You didn't tell slapd to start with ldaps:///, you told it to start with > ldap:///. What exactly is the question? > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 3

Confused about SASL behavoir
by Ski Kacoroski 10 May '11

10 May '11

Hi, I have a black box windows app that I was able to get working with SASL authentication. I am now doing some additional testing so I want to get the SASL auth working from ldapsearch for testing, but am not able to. My details are: Running openldap 2.4.23 on debian. slapd.conf SASL section is: password-hash {CLEARTEXT} sasl-host ldap.nsd.org sasl-realm OL.NSD.ORG authz-regexp uid=(.*),cn=OL.NSD.ORG,cn=digest-md5,cn=auth uid=$1,ou=people,dc=nsd,dc=org authz-regexp uid=(.*),cn=digest-md5,cn=auth uid=$1,ou=people,dc=nsd,dc=org When the windows app connects I get in the logs: 1 slap_sasl_getdn: dn:id converted to uid=ckacoroski,ou=people,dc=nsd,dc=org 2 SASL Canonicalize [conn=1003]: slapAuthcDN="uid=ckacoroski,ou=people,dc=nsd,dc=org" 3 => bdb_search 4 bdb_dn2entry("uid=ckacoroski,ou=people,dc=nsd,dc=org") 5 base_candidates: base: "uid=ckacoroski,ou=people,dc=nsd,dc=org" (0x000000ef) 6 slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined 7 send_ldap_result: conn=1003 op=2 p=3 8 send_ldap_result: err=0 matched="" text="" 9 SASL Canonicalize [conn=1003]: authzid="ckacoroski" 10 SASL proxy authorize [conn=1003]: authcid="ckacoroski(a)OL.NSD.ORG" authzid="ckacoroski(a)OL.NSD.ORG" 11 conn=1003 op=2 BIND authcid="ckacoroski(a)OL.NSD.ORG" authzid="ckacoroski(a)OL.NSD.ORG" When I connect with ldapsearch -Y DIGEST-MD5 -U ckacoroski -h ldapm '(objectclass=*)' I get in the logs: 12 slap_sasl_getdn: dn:id converted to uid=ckacoroski,ou=people,dc=nsd,dc=org 13 SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ckacoroski,ou=people,dc=nsd,dc=org" 14 => bdb_search 15 bdb_dn2entry("uid=ckacoroski,ou=people,dc=nsd,dc=org") 16 => bdb_dn2id("ou=people,dc=nsd,dc=org") 17 <= bdb_dn2id: got id=0x2 18 => bdb_dn2id("uid=ckacoroski,ou=people,dc=nsd,dc=org") 19 <= bdb_dn2id: got id=0xef 20 entry_decode: "uid=ckacoroski,ou=People,dc=nsd,dc=org" 21 <= entry_decode(uid=ckacoroski,ou=People,dc=nsd,dc=org) 22 base_candidates: base: "uid=ckacoroski,ou=people,dc=nsd,dc=org" (0x000000ef) 23 bdb_search: 239 does not match filter 24 send_ldap_result: conn=1000 op=1 p=3 25 send_ldap_result: err=0 matched="" text="" 26 SASL Canonicalize [conn=1000]: authzid="ckacoroski" 27 SASL [conn=1000] Failure: no secret in database It seems to break at line 23 and 27. I am not sure what is different about how the windows app and ldapsearch use SASL, but something sure is :). So my question is how do I get ldapsearch to work using SASL? Thanks in advance for your help. cheers, ski -- "When we try to pick out anything by itself, we find it connected to the entire universe" John Muir Chris "Ski" Kacoroski, ckacoroski(a)nsd.org, 206-501-9803 or ski98033 on most IM services

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2011