openldap-technical July 2011

openldap-technical@openldap.org

80 participants
92 discussions

Start a nNew thread

exact/base
by Friedrich Locke 08 Jul '11

08 Jul '11

Hi, may someone here explain me the difference between dn.exact and dn.base ? Thanks in advance.

3 4

limits
by Friedrich Locke 08 Jul '11

08 Jul '11

Hi, i have setted some limits in slapd.conf: limits dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" time=2048 size=16384 limits dn.one="ou=people,dc=ufv,dc=br" time=4 size=1 But my log shows: /etc/openldap/slapd.conf : line 80: deprecated "one" style "limits <pattern> <limits>" line; use "onelevel" instead. The error message is showed only for limits definition. My access rules uses "one" and i get no complains in the log file, why? Thanks in advance.

2 1

Simple Bind w/TLS without SASL/Kerberos possible to AD?
by David Mitton 08 Jul '11

08 Jul '11

I am trying to use OpenLDAP from an embedded Linux system to authenticate (PAM LDAP) against a Windows AD server. I must use TLS to secure this, but I would rather not use SASL or Kerberos if possible. I have been able to mock this up on a Centos system without TLS, and the PAM worked fine. When I turn on TLS, the Windows server handshakes the TLS but then has a problem with the first message. I am also working that side. I have walked through the handshake with s_client, and the connection is happy. I am now working with ldapsearch and trying things.... The first thing I notice is that it seems to try an SASL bind. Can I stop this? I'm not sure I have SASL actually installed on this system, and I'm not sure I want it in my target. Is this possible? from both the OpenLDAP client and/or Windows AD? Ideas on the correct alphabet soup to try this with ldapsearch would be appreciated. Thanks.

3 2

translucent proxy question
by Conger,Keith 07 Jul '11

07 Jul '11

Hi, Does anyone now if its possible to write changes through a translucent proxy to the back ldap server its in front of? Every time I try an add or remove it does it against the translucent database. The account I'm using exists on the back ldap server with the proper rights to modify attributes. After much searching I can't seem to find an answer. Thanks in Advance Keith -- Keith Conger

1 0

ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)
by Fabien COMBERNOUS 07 Jul '11

07 Jul '11

Hi There, I have an openldap master (hosted by server) and an openldap replica (hosted by replica). Authentication use SASL/GSSAPI with kerberos. On the master i get the following output : server:~ admin$ kinit root Please enter the password for root(a)SERVER.LAN: server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80) On the replica all looks fine : replica:~ admin$ kinit root Please enter the password for root(a)SERVER.LAN: server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan SASL/GSSAPI authentication started SASL username: root(a)SERVER.LAN SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <cn=mounts,dc=server,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # etc ... I saw some thread on mailing list that say to take care of owner, groups and permissions of files krb5.keytab and database. All looks good in this side. Any other areas to check ? Regards, -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group

2 2

rewrite answers from AD.
by Agent Smith 07 Jul '11

07 Jul '11

I have slapd configured to proxy off of AD and that is working fine but I need to rewrite the phone number part of the AD answer to read 9xxx-xxx-xxxx from the original answer of xxx-xxx-xxxx so that the IP phones can dial them by clicking on the ldap search results. an example would help. when I query the AD with ldapsearch I get this field telephoneNumber: xxx-xxx-xxxx what I need is that field to read 9xxx-xxx-xxxx The IP phones need that field to read 9xxx-xxx-xxxx before they can use it so I configured a proxy thinking I will use rwm-rewrite to reformat that answer but I am having a devil of a time trying to figure out how, there is an example on how to 'eat blanks' on a cn filed answer so that a field with name, last_name will read name,lastname but I can't even get that to work even when I copy/paste it right from the man page of slap-rwm here are relevent parts of slapd.conf, any suggestions? I compiled slapd with ./configure --enable-rewrite=yes --enable-rwm=yes --enable-ldap=yes --enable-syslog ; database ldap #uri "ldap://ldap.yyy.zzz.edu:389/OU=xxx,DC=yyy,DC=zzz,DC=edu"; uri "ldap://ldap.yyy.zzz.edu:389" lastmod off chase-referrals no suffix "DC=yyy,DC=zzz,DC=edu" acl-bind bindmethod=simple binddn="CN=Radius Ldap,OU=System Accounts,OU=MSIS,OU=Administration,OU=xxx,DC=yyy,DC=zzz,DC=edu" credentials="password" idassert-bind bindmethod=simple binddn="CN=Radius Ldap,OU=System Accounts,OU=MSIS,OU=Administration,OU=xxx,DC=yyy,DC=zzz,DC=edu" credentials="password" mode=self idassert-authzFrom "dn.regex:.*" access to dn.subtree="DC=yyy,DC=zzz,DC=edu" by * read # The last rwm-map line maps all other attributes to nothing. overlay rwm rwm-rewriteEngine on rwm-rewriteContext eatblanks #rwm-rewriteRule "(.+)2C (.+)" "$1\,$2" #rwm-rewriteRule "([^,]+), ([^,]+)" "$1,$2" rwm-rewriterule "(.*), (.*)" "$1,$2" #rwm-rewriterule "^(.*), (.*)$" "$1,$2" rwm-map attribute uid sAMAccountname #rwm-map attribute cn cn rwm-map attribute * *

2 2

Re: access
by Friedrich Locke 06 Jul '11

06 Jul '11

How may i know i setted SASL/GSSAPI correctly ? Here is how i executed saslauthd: saslauthd -a kerberos5 -cd -t 60 -n 2 -s 128 Here is a test: sioux@gustav$ testsaslauthd -u sioux -p XYZ 0: OK "Success." sioux@gustav$ Is there something more i need to do ? Thanks. On Tue, Jun 28, 2011 at 3:04 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, June 28, 2011 3:02 PM -0300 Friedrich Locke > <friedrich.locke(a)gmail.com> wrote: > >> Sorry folks, >> >> please forgive me, i forgot to let you know i am using kerberos >> (SASL); so i bind via sasl mechanism not as the dn owned by me. >> >> Thanks once more for your help. > > If you have correctly set up SASL/GSSAPI, then when someone binds, they are > mapped to their DN in the database, and the access rules I reported would > work correclty. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

4 5

Build a "fake" LDAP
by Joao Robertson Kramer Santana 06 Jul '11

06 Jul '11

Hi, I have an Oracle database table with usernames and their encryted passwords. I would like to build an LDAP Server only for authentication. It should communicate with the client, receive the username/password, and make the authentication using the Oracle database table. I just want the clients to expect ('think') they are 'talking' with a true LDAP Server, but in fact it's just an application (Java Servlet) that uses the LDAP protocol between the client/server for authentication. In other words, the client does not know what happens inside the server, and the server does not use a true LDAP infrastructure. Does anybody has an ideia of how can I implement it? Is it possible to use OpenLDAP to simulate the conversation between the server and a client? I would appreciate any help. Thanks in advance. Jkramer

2 1

Strange olcDbDirectory permission error
by Ian Collins 06 Jul '11

06 Jul '11

Hello, I'm in the process of copying a server configuration to an Ubuntu server and I'm getting a very strange error on start up: Jul 7 14:46:03 Ubuntu64 slapd[5079]: config error processing olcDatabase={1}hdb,cn=config: olcDbDirectory: value #0: invalid path: Permission denied strace shows: [pid 5079] open("/opt/local/var/run/openldap//DUMMY", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied) Even with the directory writeable to all: drwxrwxrwx 2 openldap openldap 4096 2011-07-07 14:29 /opt/local/var/run/openldap/ Any ideas? -- Ian.

2 4

RE: allow or deny certain user access to certain hosts
by ldap＠mm.st 06 Jul '11

06 Jul '11

On Sat, 18 Jun 2011 22:13 -0700, "Hai Tao" <taoh666(a)hotmail.com> wrote: > > Yes, I tried to add a host attribute, but I got object class violation > error. Any idea? > > > Thanks. > > Hai Tao > > > Did you ever resolve this? You don't mention which OS you are using, but in standard RH5 you can do try this. 1. Install nss_ldap 2. copy /usr/share/doc/nss_ldap-253/ldapns.schema /etc/openldap/schema/ldapns.schema This will provide the hostObject objectClass 3. In slapd.conf include /etc/openldap/schema/ldapns.schema 4. In a users ldap record add objectClass: hostObject 5. In the users ldap record add host: hostname 6. Modify the hosts ldap.conf file: pam_check_host_attr yes Doing this from memory, but I think that should be enough to get what you want to work on a RH5 system. RH6 uses some different files on the host. BTW, you can also use the account objectClass to provide the host attribute, but my guess is that it will most likely conflict with another structural object class.

1 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2011