looking for entries with objectclass=glue
by Andreas Haubod
Hello,
I'm running two ldap servers using N-Way multimaster replication. I want to find all objects with "objectclass=glue".
If I use JXplorer to search "objectclass=glue" I get 136 entries back.
If I use ldapsearch or Apache DS and do the same, no entries are found.
In the slapcat backup from the ldap server the entries with objectclass: glue exist.
So I turned on "loglevel 256" in slapd.conf. I got the same search for JXplorer and ldapsearch:
JXplorer:
slapd[23362]: conn=1001 op=7 SRCH base="ou=root" scope=2 deref=3 filter="(objectClass=glue)"
slapd[23362]: conn=1001 op=7 SRCH attr=objectClass
slapd[23362]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=136 text=
ldapsearch:
slapd[23362]: conn=1004 op=1 SRCH base="ou=root" scope=2 deref=3 filter="(objectClass=glue)"
slapd[23362]: conn=1004 op=1 SRCH attr=objectclass
slapd[23362]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
How can I get the glue entries via ldapsearch?
Thanks Andreas
ppolicy in Solaris 10
by Wynand Jansen van Vuuren
My slapd.conf file is as follows:
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload ppolicy.la
# moduleload /usr/local/libexec/openldap/ppolicy.so
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
and
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=rorotika,dc=com"
ppolicy_use_lockout
When I start slapd in debug mode with -d 255, I get the following "error"?
line 21 (loglevel 4)
line 22 (pidfile /usr/local/var/run/slapd.pid)
line 23 (argsfile /usr/local/var/run/slapd.args)
line 26 (modulepath /usr/local/libexec/openldap)
line 27 (moduleload ppolicy.la)
loaded module ppolicy.la
module ppolicy.la: null module registered
line 65 (access to dn.base="" by * read)
>>> dnNormalize: <>
<<< dnNormalize: <>
Backend ACL: access to dn.base=""
by * read
The line that concerns me is "module ppolicy.la: null module registered"; is this a problem? The ppolicy does not seem to overlay... It seems that the Solaris 10 settings are still valid, for example:
It seems that this policy is not activated; for example, pwdMinLength is set to 3, but when the user changes his/her password, it seems that the Solaris policy takes over from the /etc/default/passwd file:
test5:/ $ ssh admin777@10.1.1.5
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OR OTHER
APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT
TO MONITORING AND AUDITING.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
Password:
Last login: Tue Jul 12 11:14:22 2011 from test5.example.
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sourcing //.profile-EIS.....
test5:/ $ id
uid=5011(admin777) gid=1000(users) groups=1000(users)
test5:/ $ passwd
passwd: Changing password for admin777
Enter existing login password:
New Password:
passwd: Password too short - must be at least 8 characters.
Please try again
New Password:
test5:/ $ cat /etc/default/passwd
#ident @(#)passwd.dfl 1.7 04/04/22 SMI
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=8
# NAMECHECK enables/disables login name checking.
Could someone point me in the right direction please?
Database indexing: use of slapindex
by anax
Hi listers
Installation here:
openldap-servers-2.4.15-7.fc11.i586
One master server, two backup servers (syncrepl).
All authentication and mailing is managed through ldap.
1. About indexing:
When I check the slapd log, I see many
<= bdb_equality_candidates: (uidNumber) not indexed
<= bdb_equality_candidates: (gidNumber) not indexed
In the discussion about slapd tuning (http://www.openldap.org/doc/admin24/tuning.html#Indexes), however, I read that if each entry in a certain set of ldap entries has the candidate attribute, it is not worthwhile to index the attribute, because slapd needs to read each entry in any case in order to find the requested one. This is the case for uidNumber as well as gidNumber, because both are compulsory attributes for objectClass posixAccount.
My first question:
Is it therefore correct to disregard the above indexing requests of slapd?
2. About slapindex:
When it comes to using slapindex, the docs are not clear about how to do that. Some places say that you need to stop slapd entirely; some places say that it is sufficient to put slapd in read-only mode for the corresponding backend database, which in this case would be
/etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
This file contains both the olcReadOnly and the olcDbIndex attributes.
So I could just add the following two lines to the above file:
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
set the olcReadOnly attribute to TRUE, restart slapd, and everything would be done automatically?
Or would I need to invoke slapindex additionally with the following command:
slapindex -c
And if I had to run slapindex additionally, would slapindex tell me that the database is in read-only mode, so no changes are possible, not even index changes?
And, if I had to run slapindex additionally, I would do it as root. Would the files generated by slapindex be owned by root (inaccessible to slapd) or by the slapd user?
Would the new indexes be propagated to the backup servers by syncrepl automatically? If not, what would I have to change on the backup servers?
Thank you for your attention
suomi
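As an added example (not from the post or from the OpenLDAP project): a Python helper that counts the "not indexed" warnings quoted above and renders the resulting olcDbIndex change as an LDIF modify for ldapmodify against cn=config. The sample log lines are constructed, and the database DN olcDatabase={2}bdb,cn=config is taken from the path in the post. One caveat for the poster's reading of the tuning page: its warning concerns presence indexes on attributes that every entry carries; an equality index on uidNumber still lets a (uidNumber=N) lookup avoid reading every entry.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of slapd log lines in the form quoted in the post above;
# the uidNumber/gidNumber lines mirror the page, the mail lines are made up.
SAMPLE_LOG = """\
<= bdb_equality_candidates: (uidNumber) not indexed
<= bdb_equality_candidates: (gidNumber) not indexed
<= bdb_equality_candidates: (uidNumber) not indexed
<= bdb_substring_candidates: (mail) not indexed
<= bdb_equality_candidates: (mail) not indexed
"""

# back-bdb/hdb/mdb log the same shape: <= <backend>_<kind>_candidates: (attr) not indexed
NOT_INDEXED_RE = re.compile(
    r"<= (?:bdb|hdb|mdb)_(\w+)_candidates: \(([\w;-]+)\) not indexed")

# candidate kind in the log -> index type keyword understood by olcDbIndex
INDEX_TYPE = {"equality": "eq", "substring": "sub",
              "presence": "pres", "approx": "approx"}


def count_not_indexed(text):
    """Return Counter{(attribute, kind): occurrences} over the log text."""
    counts = Counter()
    for line in text.splitlines():
        m = NOT_INDEXED_RE.search(line)
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts


def propose_indexes(counts, min_hits=1):
    """Collapse counts into {attribute: sorted index types}; kinds without an
    olcDbIndex equivalent are skipped, and min_hits filters out one-off
    searches that do not justify the write cost of maintaining an index."""
    wanted = defaultdict(set)
    for (attr, kind), n in counts.items():
        if n >= min_hits and kind in INDEX_TYPE:
            wanted[attr].add(INDEX_TYPE[kind])
    return {attr: sorted(types) for attr, types in wanted.items()}


def to_ldif(indexes, db_dn="olcDatabase={2}bdb,cn=config"):
    """Render an LDIF change record adding one olcDbIndex value per attribute,
    to be applied with ldapmodify against cn=config (db_dn from the post's path)."""
    lines = [f"dn: {db_dn}", "changetype: modify", "add: olcDbIndex"]
    for attr in sorted(indexes):
        lines.append(f"olcDbIndex: {attr} {','.join(indexes[attr])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ldif(propose_indexes(count_not_indexed(SAMPLE_LOG))))
```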
Re: Simple Bind w/TLS without SASL/Kerberos possible to AD?
by David Mitton
Thanks for the reply, sorry about the poor quoting, I'm cut and
pasting from the web archive.
------
From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
Date: Fri, 8 Jul 2011 08:58:16 -0430
Greetings,
On Thu, Jul 7, 2011 at 4:08 PM, David Mitton <david@mitton.com>
wrote:
I am trying to use OpenLDAP from an embedded Linux system to
authenticate (PAM LDAP) against a Windows AD server. I must use
TLS to secure this, but I would rather not use SASL or Kerberos if
possible.
pam_ldap = http://www.padl.com/pam_ldap.html OR
http://arthurdejong.org/nss-pam-ldapd/ .... you are not dealing
here with OpenLDAP....
DJM> Good point, I will look at exactly which module(s) I'm using and
> come back to that later. I believe for the moment I'm using whatever is in
> Centos. I have Arthur Jong's modules as well, but I don't think
> I've installed them yet.
I have been able to mock this up on a Centos system without TLS, and
the PAM worked fine. When I turn on TLS, the Windows server
handshakes the TLS but then has a problem with the first message. I
am also working that side.
I have walked through the handshake with s_client, and the connection
is happy.
I am now working with ldapsearch and trying things....
The first thing I notice is that it seems to try an SASL bind. Can
I stop this?
I'm not sure I have SASL actually installed on this system, and I'm
not sure I want it in my target.
ldapsearch -x <--- does simple auth instead of sasl.
Is this possible? from both the OpenLDAP client and/or Windows AD?
Ideas on the correct alphabet soup to try this with ldapsearch would
be appreciated.
Thanks.
Well, I have seen this done through samba, but you *should* be able
to use AD's LDAP to authenticate your Linux workstation, I guess.
Sincerely,
Ildefonso Camargo
-------
I tried the following command and here are the results... note that
after the simple_bind, a SASL_bind line appears. I'd like to dig
into this deeper.... What will give me more info?
Thanks, Dave.
ldapsearch -d 1 -v -x -H ldaps://172.16.9.3:363 -b
"dc=foobar,dc=local" -D 'FOOBAR\mgr' -w 'Strongpw@09'
'(sAMAccountName=mgr)'
ldap_initialize( ldaps://172.16.9.3:363 )
ldap_create
ldap_url_parse_ext(ldaps://172.16.9.3:363)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 172.16.9.3:363
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.9.3:363
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
Re: basic login fails : here are some logs ...
by Olivier
I have a problem using my openldap 2.4 server for authentication on a fedora 14 host:
it sounds like the problem is on the client side configuration.
Here are some logs; your help to diagnose would be appreciated.
-> I have an ldap server that stores posixAccount entries and responds to
ldap queries.
-> I have configured a client machine to use this ldap server for
authentication at login:
***** LOGS ***
**** CLIENT side ****
login: olivier
passe :
Login incorrect
**** SERVER when login on the client ***
Here is what I see on the server side (IP=10.1.92.24) when I try to log in as
"olivier" on the client (10.1.86.93) using /bin/login (debug level 256) :
conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
*** CLIENT When using ldappasswd *****
I manage to change the "userPassword" attribute using the ldappasswd command; here
are the logs on the client and server side:
Client side :
$ ldapsearch -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
$ ldappasswd -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret
"uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -s newpass
$ ldapsearch -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
*** SERVER side When using ldappasswd *****
Server side, here are the logs related to ldappasswd:
conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
Thanks for your help,
----
Olivier
On Tue, Jul 12, 2011 at 7:59 PM, Olivier Guillard
<olivier@guillard.nom.fr> wrote:
> Hello
>
> Here is the result of an ldapsearch on a client host :
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D
> "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
>
> dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
> uid: olivier
> loginShell: /bin/tcsh
> cn: Olivier
> uidNumber: 1130
> gidNumber: 18104
> homeDirectory: /home/olivier
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
>
> I have the same output with this :
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D
> "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -w pass-olivier
> "uid=olivier"
>
> Although if I omit the -w I get this :
>
> ldap_bind: Server is unwilling to perform (53)
> additional info: unauthenticated bind (DN with no password) disallowed
>
>
> --->> the openldap server responds.
>
> ================
>
> On the client side (fedora 14), I have followed the documentation to
> set up for ldap authentication when login :
>
> /etc/nsswitch.conf /etc/ldap.conf /etc/nss_ldap.conf
> /etc/pam_ldap.conf /etc/openldap/ldap.conf and /etc/pam.d/
>
> are configured for the system to query the ldap-master.mydomain.fr
> server for authentication :
>
> in ldap.conf files I have :
>
> uri ldap://ldap-master1.mydomain.fr and
> "rootbinddn cn=Manager,dc=mydomain,dc=fr"
>
> in nsswitch.conf :
> passwd: ldap
> shadow: ldap
>
> and in pam.d/password-auth and pam.d/system-auth and pam.d/system-auth-ac
> I have the lines :
>
> auth sufficient pam_ldap.so use_first_pass
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> password sufficient pam_ldap.so use_authtok
> session optional pam_ldap.so
>
> I use no particular security mechanism at this stage (no
> TLS, simple auth, etc.).
>
> ====
>
> WITH ALL THIS, here is what I get in the logs when I try to login as
> "olivier" on the client machine:
>
> Jul 12 19:32:20 fouine login: nss_ldap: failed to bind to LDAP server
> ldap://ldap-master1.mydomain.fr: Can't contact LDAP server
> Jul 12 19:32:20 fouine login: nss_ldap: could not search LDAP server -
> Server is unavailable
>
> Of course, I can't log in.
>
> Any help ??? I'm getting mad...
>
> (Maybe you could suggest which debug level I should use on the
> server to try to track what's going on.)
>
> Thanks,
>
> ---
> Olivier
>
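Added example, not from either thread: a small Python parser for the slapd loglevel 256 lines quoted in the glue-entry post and in this one. It pairs each SRCH with its SEARCH RESULT and with the identity bound on that connection, which is what separates "the search base does not exist" (err=32, as in the login attempt above) from "entries exist but this bind or this request cannot see them" (err=0 with nentries=0, as in the ldapsearch for objectClass=glue). The sample log is constructed from the page's own lines; the note that glue entries are only returned when the ManageDsaIT control is sent (ldapsearch -M) is the editor's, not the posters'.

```python
import re

# Constructed sample in the slapd loglevel 256 ("stats") format quoted in the posts;
# conn/op numbers, DNs and counts mirror the page, but this is not a real capture.
SAMPLE_LOG = """\
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[23362]: conn=1001 op=7 SRCH base="ou=root" scope=2 deref=3 filter="(objectClass=glue)"
slapd[23362]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=136 text=
slapd[23362]: conn=1004 op=1 SRCH base="ou=root" scope=2 deref=3 filter="(objectClass=glue)"
slapd[23362]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")   # used with .search: tolerates a syslog prefix
BIND_RE = re.compile(r'^BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(\d+)")
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" scope=(\d) deref=\d filter="(.*)"$')
SEARCH_RESULT_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def parse_stats_log(text):
    """Pair each SRCH with its SEARCH RESULT and with the DN bound on that conn."""
    pending_bind = {}  # conn -> DN offered in a BIND that has no RESULT yet
    bound = {}         # conn -> DN of the last successful BIND ("" = anonymous)
    pending = {}       # (conn, op) -> search still waiting for its result
    searches = []
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                # ACCEPT / closed lines carry no op
        conn, op, rest = m.groups()
        if (b := BIND_RE.match(rest)):
            pending_bind[conn] = b.group(1)
        elif (r := BIND_RESULT_RE.match(rest)):
            dn = pending_bind.pop(conn, "")
            bound[conn] = dn if r.group(1) == "0" else ""   # failed bind -> anonymous
        elif (s := SRCH_RE.match(rest)):
            pending[(conn, op)] = {"conn": conn, "op": op, "bind_dn": bound.get(conn),
                                   "base": s.group(1), "scope": int(s.group(2)),
                                   "filter": s.group(3)}   # bind_dn None: BIND not in excerpt
        elif (r := SEARCH_RESULT_RE.match(rest)):
            rec = pending.pop((conn, op), None)
            if rec is not None:
                rec["err"], rec["nentries"] = int(r.group(1)), int(r.group(2))
                searches.append(rec)
    return searches


def diagnose(rec):
    """Explain a search outcome; request controls are not logged at loglevel 256,
    so the zero-hit case lists what to check instead of asserting one cause."""
    dn = rec["bind_dn"]
    who = "anonymous" if dn == "" else ("a bind not in this excerpt" if dn is None else dn)
    if rec["err"] == 32:
        return f"noSuchObject: base {rec['base']!r} does not exist (bound as {who})"
    if rec["err"] == 0 and rec["nentries"] == 0:
        return (f"no entries visible to {who}: check ACLs, the base and request controls "
                "(glue entries are only returned with ManageDsaIT, i.e. ldapsearch -M)")
    if rec["err"] == 0:
        return f"{rec['nentries']} entries returned to {who}"
    return f"error {rec['err']} (bound as {who})"


if __name__ == "__main__":
    for rec in parse_stats_log(SAMPLE_LOG):
        print(f"conn={rec['conn']} op={rec['op']} {rec['filter']}: {diagnose(rec)}")
```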
OpenLDAP client tools exit codes
by Liam Gretton
Hi,
I've started relying on undocumented exit codes for ldapmodify in places.
These are defined in ldap.h, e.g.:
#define LDAP_CONSTRAINT_VIOLATION 0x13
#define LDAP_TYPE_OR_VALUE_EXISTS 0x14
Presumably these are undocumented for good reason, but in practice can
they be relied on not to change, at least as far as OpenLDAP 2 is
concerned? (Additional exit codes are obviously not an issue.)
--
Liam Gretton liam.gretton@le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
Recommended strategy for replicating cn=config database
by Jonathan Underwood
Hi,
I currently have a working N-way multimaster setup (where N=2) and am
using sasl/gssapi/kerberos for authenticated binding. I am using the
ldap service principals for each host to authenticate, and this is
working fine for allowing me to replicate databases other than the
cn=config database, where I see the following in the logs:
Jul 12 18:28:04 auth1 slapd[4411]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT
Jul 12 18:28:04 auth1 slapd[4411]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (32) No such object
Jul 12 18:28:04 auth1 slapd[4411]: do_syncrep2: rid=001 (32) No such object
Jul 12 18:28:04 auth1 slapd[4411]: do_syncrepl: rid=001 rc -2 retrying (29 retries left)
where rid=001 corresponds to the entry:
olcSyncRepl: rid=001
provider=ldap://auth0.domain
bindmethod=sasl saslmech=gssapi
searchbase="cn=config"
type=refreshAndPersist
retry="30 30 300 +" timeout=1
The reason this isn't working is clear: slapd on the consumer is not
binding as the rootdn of the cn=config tree, and so therefore cannot
search that database.
I am not sure what the best fix is for this, particularly from a
security point-of-view. My first thought was to add an ACL to the
cn=config database such as olcAccess: to * by users read by * none,
but this then opens up the cn=config tree to be readable by any
authenticated user, which is somewhat undesirable.
Does anyone have a suggestion as to a good strategy to allow cn=config
replication in this situation?
Thanks in advance,
Jonathan.
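Added illustration, not from the thread: the broad ACL the post considers, next to one scoped to the consumer's own GSSAPI identity, both as ldapmodify changes to the config database. The DN form uid=ldap/auth1.domain,cn=REALM,cn=gssapi,cn=auth is the authorization DN slapd derives for a GSSAPI-authenticated ldap/ service principal and REALM is a placeholder for the Kerberos realm (assumption: confirm the exact DN with ldapwhoami -Y GSSAPI from the consumer host). The rootdn bypasses ACLs, so neither change affects administrative access.

```ldif
# Weak form from the post: any authenticated user may read cn=config,
# which exposes ACLs, rootpw hashes and replication credentials.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by users read by * none

# Least-privilege form: only the consumer host's ldap/ service principal
# may read, everyone else is denied. The realm component (REALM) is an
# assumed placeholder; check it with ldapwhoami -Y GSSAPI on the consumer.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact="uid=ldap/auth1.domain,cn=REALM,cn=gssapi,cn=auth" read
  by * none
```

Apply one or the other with ldapmodify as the config rootdn; with the second form the consumer's rid=001 search of cn=config succeeds while ordinary users still get no read access to the config tree.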
LDAP handle structural integrity function
by Khaled Blah
Hello,
I use OpenLDAP in an authentication project and I would like to
correctly deal with faulty networks. I mean networks that have packet
losses and such.
That is why I would like to know whether there is a function in
OpenLDAP which allows one to check (and maybe sanitize) possibly corrupted
sockets associated with the LDAP handle?
Many thanks for all your replies
Regards,
Khaled