userPassword
by Friedrich Locke
What does
userPassword: {SASL}xxx@MY.DOMAIN
mean?
Thanks a lot.
12 years, 5 months
I cannot auth against SASL
by Friedrich Locke
Hi!
I am trying to authenticate by binding as the DN below and it works nicely.
dn: uid=grios,ou=people,dc=ufv,dc=br
uid: grios
objectclass: organizationalrole
objectclass: posixaccount
cn: Gustavo Rios
uidnumber: 2000
gidnumber: 2000
homedirectory: /home/grios
userpassword: {SSHA}dWhcPjgDn4EGb/FwGMYbxx7fIqAuXCN7
loginshell: /bin/sh
gecos: Gustavo V G C Rios,,,
But if I change the userpassword attribute to {SASL}grios@UFV.BR it does
not work when I bind as the same DN above.
Does anybody have an idea about my mistake?
Thanks in advance.
12 years, 5 months
I am desperate: authentication without success
by Friedrich Locke
Hi folks,
I am trying to search my base tree but I am not able to connect due to
"invalid credentials (49)". It seems very confusing because I am sure
I am using the correct password.
sioux@gustav$ ldapsearch -w $my_pass -D uid=grios,ou=people,dc=ufv,dc=br -b 'dc=ufv,dc=br' -s one
ldap_bind: Invalid credentials (49)
sioux@gustav$
The entry's ldif whose rdn is uid=grios is:
dn: uid=grios,ou=people,dc=ufv,dc=br
uid: grios
objectclass: organizationalrole
objectclass: posixaccount
cn: Gustavo Rios
uidnumber: 2000
gidnumber: 2000
homedirectory: /home/grios
userpassword: {SASL}grios@ufv.br
loginshell: /bin/sh
gecos: Gustavo V G C Rios,,,
I am monitoring the heimdal kerberos log file and the cyrus-sasl log file too.
Nothing is shown there. I DON'T really have any idea about my mistake.
May you please help me?
Kind regards.
Fried.
12 years, 5 months
slaptest returns "index attribute "reqStart" undefined
by Mike Greene
Hello list members,
I am trying to set up ldap 2.4.23 on a new FreeBSD 8.2 "consumer" server to replace a current system that is quite old. I have copied over the slapd.conf file and associated certs, etc. from the production system, and I'm able to get the server working using the sample slapd.conf and examples in the quick setup guide. When I run slaptest -f slapd.conf.artemis on the configuration file I copied over I get the error:
slapd.conf.artemis: line 86: index attribute "reqStart" undefined
slaptest: bad configuration file!
Running the same test on the production server's slapd.conf produces no error at all.
I've googled, RTFM'd and read man pages trying to get a clue as to what might be causing this, but I'm unable to unearth any leads that have helped so far. What I have tried is to copy the production *.bdb files over to the new server, thinking that was the problem; I didn't try re-indexing those files (I just read about slapindex late last night, so I haven't tried that yet). I was also thinking that I might need to run slapcat on the production DBs and then import the ldif file using slapadd (which I'm setting up to test shortly).
Clearly I'm missing something; I'm hoping that someone here who is much more adept at LDAP can suggest some additional things to try. Below are what I think are the relevant portions of the slapd.conf file: the first shows the section slaptest complains about, the second is our replication area, which I believe is directly related to the replication process.
database bdb
suffix cn=accesslog
directory /usr/local/var/db/openldap-accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqStart,reqResult,reqEnd
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
I'm trying to bootstrap my Sys Admin skills (after a 12 year absence) due to the sudden loss of my long time admin, with mixed results! Time will tell; I appreciate any suggestions you might have to get me past this particular issue.
Mike Greene
Rock Island Technology Solutions, Inc.
San Juan Islands, WA. 360-378-5884 x201
12 years, 5 months
slapo-memberof across proxy
by Hugo Monteiro
Hello list,
With this type of setup,
Client (A) <-----> back_ldap Proxy (B) <-----> syncrepl Slave (C) <-----> Master (D)
I have configured the memberof overlay on both (C) and (D). I am able to
query both (C) and (D), either to specifically retrieve the memberof
attribute or to perform a query whose filter is based on the memberof
attribute. All works fine with (C) and (D).
If I issue the same type of queries from (A) to (B), I'm able to
retrieve the memberof attribute alright *BUT* I cannot perform searches
which contain the memberof attribute in the query filter.
Does (B) need any special configuration so that back_ldap can cope with
the memberof overlay available on the backend servers?
Thanks in advance,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
12 years, 5 months
Re: protected entry
by Friedrich Locke
To which objectclass should the entry belong?
What about access rules?
Thanks
On Wed, Jun 29, 2011 at 8:14 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, June 29, 2011 8:00 PM -0300 Friedrich Locke
> <friedrich.locke(a)gmail.com> wrote:
>
>> Dear list users,
>>
>> I would like to have an entry in my openldap server that needs to
>> have a password so that it would be able to permit clients to bind as
>> it by providing its password.
>> For instance: cn=x,ou=y,dc=a,dc=b
>> So anyone knowing "cn=x,ou=y,dc=a,dc=b"'s password could bind as it.
>
> Add a userPassword value to that entry.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
12 years, 5 months
ldap root disable su
by Arif Ali
Hi list,
I have used ldap for a while now, and we are currently looking at some
security options so that users are not able to hack the ldap system.
What we want is that anyone who is root is not able to su to any ldap
user.
Is there anything in the slapd.conf that can be configured to do that?
Arif Ali
catch me on freenode IRC, username: arif-ali
12 years, 5 months
OpenLDAP mirror replication ldif format
by Simon Massart
Hi there,
I recently installed a new Debian 6 and OpenLDAP to test the new ldif format
configuration.
The problem is that I do not have any base configuration to use slaptest to
migrate my config to ldif format.
My main concern is now to find a manual/tutorial to be able to set up a
mirror replication with ldif format, because all I can find is using the old
slapd.conf.
Can anyone point me somewhere where I could find some help or give me a
quick example?
Thanks in advance for any return,
Sismon
12 years, 5 months
bad credential
by Friedrich Locke
I uploaded the ldif file below into my openldap server:
dn: dc=ufv,dc=br
dc: ufv
objectclass: dcobject
objectclass: organization
o: Universidade Federal de Vicosa

dn: ou=group,dc=ufv,dc=br
ou: group
objectclass: top
objectclass: organizationalunit

dn: cn=its,ou=group,dc=ufv,dc=br
cn: its
objectclass: posixgroup
gidnumber: 1000

dn: cn=asd,ou=group,dc=ufv,dc=br
cn: asd
objectclass: posixgroup
gidnumber: 1001
memberuid: sioux

dn: cn=dba,ou=group,dc=ufv,dc=br
cn: dba
objectclass: posixgroup
gidnumber: 1002
memberuid: sioux

dn: cn=wbx,ou=group,dc=ufv,dc=br
cn: wbx
objectclass: posixgroup
gidnumber: 1003

dn: cn=alg,ou=group,dc=ufv,dc=br
cn: alg
objectclass: posixgroup
gidnumber: 1004
memberuid: sioux

dn: cn=djb,ou=group,dc=ufv,dc=br
cn: djb
objectclass: posixgroup
gidnumber: 1005

dn: cn=nofiles,ou=group,dc=ufv,dc=br
cn: nofiles
objectclass: posixgroup
gidnumber: 1006

dn: cn=qmail,ou=group,dc=ufv,dc=br
cn: qmail
objectclass: posixgroup
gidnumber: 1007

dn: cn=ftp,ou=group,dc=ufv,dc=br
cn: ftp
objectclass: posixgroup
gidnumber: 1008

dn: cn=src,ou=group,dc=ufv,dc=br
cn: src
objectclass: posixgroup
gidnumber: 1009

dn: cn=ord,ou=group,dc=ufv,dc=br
cn: ord
objectclass: posixgroup
gidnumber: 2000

dn: cn=adc,ou=group,dc=ufv,dc=br
cn: adc
objectclass: posixgroup
gidnumber: 2001

dn: cn=bod,ou=group,dc=ufv,dc=br
cn: bod
objectclass: posixgroup
gidnumber: 2002

dn: cn=frn,ou=group,dc=ufv,dc=br
cn: frn
objectclass: posixgroup
gidnumber: 2003

dn: ou=people,dc=ufv,dc=br
ou: people
objectclass: top
objectclass: organizationalunit

dn: uid=sioux,ou=people,dc=ufv,dc=br
uid: sioux
objectclass: organizationalrole
objectclass: posixaccount
cn: Gustavo Rios
uidnumber: 1000
gidnumber: 1000
homedirectory: /home/sioux
userpassword: {SASL}sioux@UFV.BR
loginshell: /bin/sh
gecos: Gustavo V G Coelho Rios,,,
But when I try the command below, I get invalid credentials:
sioux@gustav$ ldapsearch -x -W -D 'uid=sioux,ou=people,dc=ufv,dc=br' -b dc=ufv,dc=br
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
sioux@gustav$
And when I try:
$ ldapsearch -Y GSSAPI -b dc=ufv,dc=br
it works perfectly.
Any idea about why it does not work?
12 years, 5 months
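The threads above about {SSHA} and {SASL} userPassword values, and Quanah's "add a userPassword value to that entry" reply, all turn on how slapd interprets the scheme prefix. As an added example (not code from any of the posters or from OpenLDAP): a small Python audit that classifies each userPassword value in an LDIF fragment, notes that a {SASL}user@REALM value means pass-through authentication (slapd hands the simple-bind password to its SASL library, normally saslauthd, so a simple bind returns err=49 with nothing in the Kerberos logs when that is not configured for slapd), and verifies an {SSHA} hash locally. The LDIF fragment is constructed from the entries quoted above; the {SSHA} value is the one from the post and its password is not known here.

```python
import base64, hashlib, os, re

# Constructed LDIF fragment modelled on the entries in the posts; the {SSHA}
# value is the one quoted in the post (its password is not known here).
SAMPLE_LDIF = """\
dn: uid=grios,ou=people,dc=ufv,dc=br
uid: grios
userpassword: {SSHA}dWhcPjgDn4EGb/FwGMYbxx7fIqAuXCN7

dn: uid=sioux,ou=people,dc=ufv,dc=br
uid: sioux
userpassword: {SASL}sioux@UFV.BR
"""
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def make_ssha(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored, candidate):
    """Verify a candidate against a stored {SSHA} value (20-byte SHA-1, then salt)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(candidate.encode() + raw[20:]).digest() == raw[:20]

def classify(value):
    """Return (scheme, note) for one userPassword value."""
    m = SCHEME_RE.match(value)
    if not m:
        return ("CLEARTEXT", "no scheme prefix: stored and compared as plain text")
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SASL":
        # {SASL}user@REALM is pass-through authentication: on a simple bind slapd
        # compares nothing itself but hands the password to its SASL library
        # (normally saslauthd); without that configured, the bind fails with err=49.
        user, _, realm = rest.partition("@")
        return (scheme, f"pass-through to saslauthd for {user!r} in realm {realm!r}")
    return (scheme, "hash stored in the directory and compared by slapd itself")

def audit(ldif):
    """Map each dn in an LDIF text to the classification of its userPassword."""
    result = {}
    for block in ldif.strip().split("\n\n"):
        attrs = {k.lower(): v for k, v in
                 (line.split(": ", 1) for line in block.splitlines())}
        if "userpassword" in attrs:
            result[attrs["dn"]] = classify(attrs["userpassword"])
    return result
```

Cleartext values (no scheme prefix) are worth flagging in such an audit, since slapd stores them as given.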
autofs wild cards
by Collins, Cris
My auto.home has "* host:/export/&" for user directories. When I use
the automount migration tool the * is changed to / and I get the error:
adding new entry "cn=/,ou=auto.home,dc=domain,dc=com"
ldapadd: Naming violation (64)
additional info: value of naming attribute 'cn' is not present in entry
Is there a way to get the wild card to work or do I need to enter each
user instead of using a wild card?
Thank you for your time.
12 years, 5 months
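As an added example (not code from the post or from the automount migration tool): a Python sketch that converts auto.home map lines into LDIF using the autofs automount schema (objectClass automount with cn as the naming attribute, assumed here) and applies the rule behind "Naming violation (64)": the value in the entry's RDN must also be present as an attribute value of the entry. The map lines are constructed; the base DN is taken from the error message in the post, and the "*" to "/" mapping is what the post reports the tool doing.

```python
# Constructed auto.home map lines, in the form quoted in the post.
AUTO_HOME = """\
# user home directories
* host:/export/&
alice host:/export/alice
"""
# Base DN taken from the error message in the post.
BASE = "ou=auto.home,dc=domain,dc=com"

def wildcard_key(key):
    """Map the autofs wildcard '*' to '/', the form the migration tool produced."""
    return "/" if key == "*" else key

def map_to_entries(text):
    """Turn map lines into (dn, [(attr, value), ...]) pairs.
    Assumes the autofs automount schema: objectClass automount, MUST cn and
    automountInformation, with cn as the naming attribute."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, info = line.split(None, 1)
        cn = wildcard_key(key)
        attrs = [("objectClass", "automount"), ("cn", cn),
                 ("automountInformation", info)]
        entries.append((f"cn={cn},{BASE}", attrs))
    return entries

def naming_ok(dn, attrs):
    """The rule behind 'Naming violation (64): value of naming attribute not
    present in entry': the RDN's attribute value must also be an attribute
    value of the entry itself."""
    rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
    return any(a.lower() == rdn_attr.lower() and v == rdn_val for a, v in attrs)

def to_ldif(entries):
    """Serialize entries as LDIF, refusing any that would fail the naming check."""
    blocks = []
    for dn, attrs in entries:
        if not naming_ok(dn, attrs):
            raise ValueError(f"naming violation: {dn}")
        blocks.append("\n".join([f"dn: {dn}"] + [f"{a}: {v}" for a, v in attrs]))
    return "\n\n".join(blocks) + "\n"

if __name__ == "__main__":
    print(to_ldif(map_to_entries(AUTO_HOME)))
```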