June 2011 - openldap-technical

by Nanoic Dalflanlun

I'm still seeking assistance. Something I noticed is that slapd appears to be ignoring the logging detail parameter regardless of whether I run it on Windows or CentOS. I tried setting the detail level to "any" and never had anything logged. Thanks, Nanoic ---------- Forwarded message ---------- From: Nanoic Dalflanlun <nanoic(a)gmail.com> Date: Tue, May 17, 2011 at 7:40 PM Subject: Restricted Active Directory Proxy for SaaS Vendors To: openldap-technical(a)openldap.org I am trying to setup an OpenLDAP server in my DMZ to proxy requests from Software as a Service vendors to my internal Active Directory domain. Specifically, I want to disallow anonymous access; make access read only; and restrict access to return only displayName, distinguishedName, mail, proxyAddresses, member, memberOf, mailNickname, and homeMDB. I also need to provide authentication capability for single sign on at the vendor. I don't think I have a proper understanding of OpenLDAP's ACLs, yet, so I am probably missing some things. I may even be approaching this completely wrong. I suspect I need to add "auth" access somewhere. Currently, I receive "result: 50 Insufficient access" when I try to query the OpenLDAP server. I don't have an authentication trace yet from the SaaS vendor, but it if it work like Cisco Ironport, it will try to bind to the LDAP server using the user's supplied credentials and look for a success, then switch back to using the LDAP query account. Thanks for any assistance, Nanoic -------------------------Begin slapd.conf------------------------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/saas.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args logfile /var/log/openldap.log loglevel none #Disallow anonymous binds disallow bind_anon #### Define access to Active Directory database ldap # Set proxy to read-only readonly on suffix "dc=example,dc=com" rootdn "dc=example,dc=com" rebind-as-user #List domain controllers to access. ldap for non-SSL/debug & ldaps for SSL/production uri "ldap://DomainController1" uri "ldap://DomainController2" lastmod off # set chase-referrals to no to keep from querying all DCs chase-referrals no ### access lists # Allow defined access to Active Directory, deny all others. access to dn.subtree="dc=example,dc=com" attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read by * none # Deny access to all undefined resources by all undefined users access to * by * none -------------------------End slapd.conf------------------------- -------------------------Begin saas.schema------------------------- attributetype ( 1.2.840.113556.1.2.210 NAME 'proxyAddresses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) attributetype ( 1.2.840.113556.1.2.244 NAME 'homeMDB' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' ) attributetype ( 1.2.840.113556.1.2.447 NAME 'mailNickname' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -------------------------End saas.schema-------------------------

11 years, 9 months

2
1
0 / 0

Re: Compiling OpenLDAP against static OpenSSL libraries

by The Uhu

Is there an IF statement missing in configure? Line 19408 specifies that RSAglue and rsaref libraries should be used without verifying whether they are needed. LIBS="-lssl -lcrypto -lRSAglue -lrsaref $LIBS" Changing this to check for rsaref would stop configure failing when using the newer versions of OpenSSL that no longer support rsaref. P. The Uhu <the_uhu(a)hotmail.com> wrote: Apologies, I didn't add the configure command and output. The static libraries are present in the included directory specified in the configure command. >CC="/usr/sfw/bin/gcc" LIBS="-lssl -lcrypto -lresolv -lgen -lnsl -lsocket" LDFLAGS="-L/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib -R/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib" CPPFLAGS="-I/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/include" >./configure --prefix=/workingdir/openldap-2.4.23/build-SOLARIS/usr/local/openldap-2.4.23 --disable-slapd --disable-shared --disable-dynamic --with-tls=openssl --with-ssl >Configuring OpenLDAP 2.4.23-Release ... >checking build system type... sparc-sun-solaris2.10 >checking host system type... sparc-sun-solaris2.10 >checking target system type... sparc-sun-solaris2.10 >... >(other checks) >... >checking struct sockaddr_storage... yes >checking sys/un.h usability... yes >checking sys/un.h presence... yes >checking for sys/un.h... yes >checking openssl/ssl.h usability... yes >checking openssl/ssl.h presence... yes >checking for openssl/ssl.h... yes >checking for SSL_library_init in -lssl... no >checking for ssl3_accept in -lssl... no >configure: error: Could not locate TLS/SSL package The Uhu <the_uhu(a)hotmail.com> wrote: Hi, First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts). Is it really not possible to do this? If not, and out of interest, what's the rationale? Thanks in advance. P.

11 years, 9 months

1
0
0 / 0

Re: Compiling OpenLDAP against static OpenSSL libraries

by The Uhu

Apologies, I didn't add the configure command and output. The static libraries are present in the included directory specified in the configure command. >CC="/usr/sfw/bin/gcc" LIBS="-lssl -lcrypto -lresolv -lgen -lnsl -lsocket" LDFLAGS="-L/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib -R/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib" CPPFLAGS="-I/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/include" >./configure --prefix=/workingdir/openldap-2.4.23/build-SOLARIS/usr/local/openldap-2.4.23 --disable-slapd --disable-shared --disable-dynamic --with-tls=openssl --with-ssl >Configuring OpenLDAP 2.4.23-Release ... >checking build system type... sparc-sun-solaris2.10 >checking host system type... sparc-sun-solaris2.10 >checking target system type... sparc-sun-solaris2.10 >... >(other checks) >... >checking struct sockaddr_storage... yes >checking sys/un.h usability... yes >checking sys/un.h presence... yes >checking for sys/un.h... yes >checking openssl/ssl.h usability... yes >checking openssl/ssl.h presence... yes >checking for openssl/ssl.h... yes >checking for SSL_library_init in -lssl... no >checking for ssl3_accept in -lssl... no >configure: error: Could not locate TLS/SSL package The Uhu <the_uhu(a)hotmail.com> wrote: Hi, First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts). Is it really not possible to do this? If not, and out of interest, what's the rationale? Thanks in advance. P.

11 years, 9 months

1
0
0 / 0

Compiling OpenLDAP against static OpenSSL libraries

by The Uhu

Hi, First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts). Is it really not possible to do this? If not, and out of interest, what's the rationale? Thanks in advance. P.

11 years, 9 months

1
0
0 / 0

Re: Combining dynlist + memberOf overlay?

by Gerry Calderhead

Failed to send yesterday, re-trying. On 1 June 2011 10:37, Gerry Calderhead <gerry(a)everythingsucks.co.uk> wrote: > Greetings, > > What we're trying to achieve is: > > Multiple organisations (Company, ThirdParty). > Groups, under each organisation, where their members can be added to gain > access to tools (such as JIRA). > dynlist aggregates membership of organisations groups into a "super" > group of all users with access to tools. > > e.g. all_jira_users = Company.jira_users + ThirdParty.jira_users > > We use a dynlist to acheive this. > > However we are unable to perform a search for memberOf=<dynlist>. > > Should this work or are we flogging a dead horse? > Can it be achieved by another standard-ish mechanism? > > Wisdom gratefully received. > > G > > > > > > > >

11 years, 9 months

1
0
0 / 0

Setting idletimeout based upon bind DN

by Mark

Is there a way to set idletimeout based upon bind DN (like the limits config option). I'd like to set an idletimeout to drop connections no longer in use, but I don't want to affect my refreshAndPersist syncrepls. Thank you, Mark

11 years, 9 months

2
2
0 / 0

Client expects response to change-password extended operation

by Michael Smith

I noted some old correspondence about this topic in the mailing-list archives, but now it has bitten me. We have an email server in my shop (from Mirapoint) which offers users an option to change their password. It sends the password-modify extended operation, but the user's session hangs, apparently unless Mirapoint gets a response. I understand that this is non-standard behavior. But unfortunately I'm stuck with this not-very-satisfactory product. Is there any way I can tweak openLDAP to respond to the password-modify ex-op? -- -- Michael J. Smith mjs(a)smithbowen.net http://stopmebeforeivoteagain.org http://www.cars-suck.org http://fakesprogress.blogspot.com

11 years, 9 months

3
2
0 / 0

slapo-rwm to change userPassword attribute into a string

by Lucio Capuani

That is, in OpenLDAP the userPassword attribute is binary, even when its content is cleartext. I would need to have an extra attribute of "String" type, containing that very password. Is it possible to achieve this by using slapo-rmw (or maybe translucent?), by creating a view that "offers" that "fake" string attribute, rather than being forced to duplicate the real source attribute into a second one, only differently encoded? Thank you so much, -- Lucio

11 years, 9 months

1
1
0 / 0

Valid reasons to choose OpenLDAP over Oracle Directory Server for Linux clients?

by Pieter Baele

Right now, our primary LDAP systems are Sun Directory Server and AD. All Solaris boxes connect to the Directory Server, but isn't it better to set up seperate OpenLDAP servers for a Linux environment? I am also thinking about customisation. For example, integration with krb, puppet.... Greetings, Pieter Baele

11 years, 9 months

2
1
0 / 0

Should Berkeley DB backends be reloaded occasionally?

by Mark

Back in the days of OpenLDAP 2.1 with Berkeley DB 4.1.25.3 we used to have to 'reload' out backend database occasionally as non-indexed reads would get slower and slower over time. The 'reload' entailed: - stop slapd - slapcat the contents to an .ldif file - remove the database files - slapadd the .ldif file to create a new, fresh db instance - start slapd Then our performance problems went away. Re-indexing didn't do the trick. Is such occasional re-building of the backend database recommended in OpenLDAP 2.4.25 with Berkeley DB 4.8.30? Thank you, Mark

11 years, 9 months

4
6
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2011