exact/base
by Friedrich Locke
Hi,
May someone here explain to me the difference between dn.exact and dn.base?
Thanks in advance.
9 years, 9 months
limits
by Friedrich Locke
Hi,
I have set some limits in slapd.conf:
limits dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" time=2048 size=16384
limits dn.one="ou=people,dc=ufv,dc=br" time=4 size=1
But my log shows:
/etc/openldap/slapd.conf : line 80: deprecated "one" style "limits
<pattern> <limits>" line; use "onelevel" instead.
The error message is shown only for the limits definition.
My access rules use "one" and I get no complaints in the log file. Why?
Thanks in advance.
9 years, 9 months
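Editor's added example (not code from either post, and not slapd's own implementation): a small Python emulation of the DN styles accepted by slapd.access(5) and by the limits directive in slapd.conf(5). The exact/base question is answered by the first branch, since the two names select the same style and match only the entry itself. The warning quoted above comes from the limits parser, whose documented spelling of the one-level style is onelevel (one being the deprecated form), whereas the access directive documents one and onelevel as equivalent, which is why the same spelling passes silently in ACLs. DN normalisation is simplified here (lowercasing and splitting on unescaped commas); real slapd normalises per attribute syntax.

```python
import re


def split_dn(dn):
    """Split a DN into its RDNs, outermost last, normalised for comparison.
    Simplification for this example: lowercase everything and split on commas
    that are not backslash-escaped; multi-valued RDNs are not handled."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def dn_matches(style, pattern, target):
    """True if target falls within pattern under dn.<style>.
    Styles as in slapd.access(5) / slapd.conf(5):
      exact, base      the entry itself (the two names are synonyms)
      one, onelevel    direct children only, not the entry itself
      sub, subtree     the entry and everything below it
      children         everything below the entry, but not the entry itself
      regex            POSIX ERE over the DN (Python's re stands in here)"""
    if style == "regex":
        return re.search(pattern, target, re.IGNORECASE) is not None
    p, t = split_dn(pattern), split_dn(target)
    if len(t) < len(p) or t[len(t) - len(p):] != p:
        return False                      # target is not at or under pattern
    depth = len(t) - len(p)               # 0 = the entry itself, 1 = a child, ...
    if style in ("exact", "base"):
        return depth == 0
    if style in ("one", "onelevel"):
        return depth == 1
    if style in ("sub", "subtree"):
        return True
    if style == "children":
        return depth >= 1
    raise ValueError("unknown dn style: " + style)


if __name__ == "__main__":
    # the two limits lines from the post, checked against a user entry
    print(dn_matches("base", "cn=ypldap,ou=appsrv,dc=ufv,dc=br",
                     "cn=ypldap,ou=appsrv,dc=ufv,dc=br"))
    print(dn_matches("onelevel", "ou=people,dc=ufv,dc=br",
                     "uid=sioux,ou=people,dc=ufv,dc=br"))
```

Note that a limits line with dn.one="ou=people,..." applies to binds as entries directly under ou=people, not to the ou=people entry itself and not to anything nested one level deeper; if accounts live in sub-OUs, the subtree or children style is what is wanted.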
Simple Bind w/TLS without SASL/Kerberos possible to AD?
by David Mitton
I am trying to use OpenLDAP from an embedded Linux system to
authenticate (PAM LDAP) against a Windows AD server. I must use TLS
to secure this, but I would rather not use SASL or Kerberos if possible.
I have been able to mock this up on a Centos system without TLS, and
the PAM worked fine. When I turn on TLS, the Windows server
handshakes the TLS but then has a problem with the first message. I
am also working that side.
I have walked through the handshake with s_client, and the connection
is happy.
I am now working with ldapsearch and trying things....
The first thing I notice is that it seems to try a SASL bind. Can I
stop this?
I'm not sure I have SASL actually installed on this system, and I'm
not sure I want it in my target.
Is this possible? from both the OpenLDAP client and/or Windows AD?
Ideas on the correct alphabet soup to try this with ldapsearch would
be appreciated.
Thanks.
9 years, 9 months
translucent proxy question
by Conger,Keith
Hi,
Does anyone know if it's possible to write changes through a translucent
proxy to the backend LDAP server it's in front of? Every time I try an add
or remove, it does it against the translucent database. The account I'm
using exists on the backend LDAP server with the proper rights to modify
attributes.
After much searching I can't seem to find an answer.
Thanks in advance
Keith
--
Keith Conger
9 years, 9 months
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)
by Fabien COMBERNOUS
Hi There,
I have an OpenLDAP master (hosted by server) and an OpenLDAP replica
(hosted by replica). Authentication uses SASL/GSSAPI with Kerberos.
On the master I get the following output:
server:~ admin$ kinit root
Please enter the password for root@SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific )
error (80)
On the replica all looks fine:
replica:~ admin$ kinit root
Please enter the password for root@SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
SASL username: root@SERVER.LAN
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=mounts,dc=server,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
etc ...
I saw some threads on the mailing list that say to take care of the owner,
group and permissions of the krb5.keytab and database files. All looks good
on this side.
Any other areas to check ?
Regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group
9 years, 9 months
rewrite answers from AD.
by Agent Smith
I have slapd configured to proxy off of AD and that is working fine, but I need to rewrite the phone number part of the AD answer to read 9xxx-xxx-xxxx from the original answer of xxx-xxx-xxxx so that the IP phones can dial them by clicking on the LDAP search results.
An example would help.
When I query the AD with ldapsearch I get this field:
telephoneNumber: xxx-xxx-xxxx
What I need is for that field to read 9xxx-xxx-xxxx.
The IP phones need that field to read 9xxx-xxx-xxxx before they can use it, so I configured a proxy thinking I would use rwm-rewrite to reformat that answer, but I am having a devil of a time trying to figure out how. There is an example of how to 'eat blanks' in a cn field answer so that a field with "name, last_name" will read "name,lastname", but I can't even get that to work, even when I copy/paste it right from the slapo-rwm man page.
Here are the relevant parts of slapd.conf; any suggestions?
I compiled slapd with ./configure --enable-rewrite=yes --enable-rwm=yes --enable-ldap=yes --enable-syslog ;
database ldap
#uri "ldap://ldap.yyy.zzz.edu:389/OU=xxx,DC=yyy,DC=zzz,DC=edu";
uri "ldap://ldap.yyy.zzz.edu:389"
lastmod off
chase-referrals no
suffix "DC=yyy,DC=zzz,DC=edu"
acl-bind
bindmethod=simple
binddn="CN=Radius Ldap,OU=System Accounts,OU=MSIS,OU=Administration,OU=xxx,DC=yyy,DC=zzz,DC=edu"
credentials="password"
idassert-bind
bindmethod=simple
binddn="CN=Radius Ldap,OU=System Accounts,OU=MSIS,OU=Administration,OU=xxx,DC=yyy,DC=zzz,DC=edu"
credentials="password"
mode=self
idassert-authzFrom "dn.regex:.*"
access to dn.subtree="DC=yyy,DC=zzz,DC=edu"
by * read
# The last rwm-map line maps all other attributes to nothing.
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext eatblanks
#rwm-rewriteRule "(.+)2C (.+)" "$1\,$2"
#rwm-rewriteRule "([^,]+), ([^,]+)" "$1,$2"
rwm-rewriterule "(.*), (.*)" "$1,$2"
#rwm-rewriterule "^(.*), (.*)$" "$1,$2"
rwm-map attribute uid sAMAccountname
#rwm-map attribute cn cn
rwm-map attribute * *
9 years, 9 months
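Editor's added example, not code from the post and not slapd's librewrite: a Python emulation of what one rwm-rewriteRule does to a string, used to show why the eat-blanks rule behaves as it does and what a prefix rule for the phone number would look like. Two points it makes concrete: librewrite searches the pattern in the value (unanchored) and, on a match, builds the output from the substitution alone, so text outside the captured groups is discarded; and with greedy groups the rule above removes only the blank after the last comma in one pass. A caveat that the example cannot fix: slapo-rwm's rewrite contexts (searchDN, searchEntryDN, searchAttrDN, searchFilter and so on) are applied to DNs, search filters and attribute values of DN syntax, so a telephoneNumber value is never routed through them; a context named eatblanks with no rule invoking it is simply never used. The PHONE_PREFIX rule is constructed for illustration.

```python
import re


def apply_rule(pattern, subst, value):
    """One application of rewriteRule "<pattern>" "<subst>" (emulated):
    the pattern is searched in the value; no match returns the value
    untouched; a match returns the substitution with $1..$9 replaced by
    the captured groups, and nothing else from the original string."""
    m = re.search(pattern, value)
    if m is None:
        return value
    return m.expand(re.sub(r"\$(\d)", r"\\g<\1>", subst))


def apply_until_stable(pattern, subst, value, max_passes=10):
    """Re-apply a rule until the value stops changing (capped)."""
    for _ in range(max_passes):
        new = apply_rule(pattern, subst, value)
        if new == value:
            return value
        value = new
    return value


EAT_BLANKS = ("(.*), (.*)", "$1,$2")                        # the rule from the post
PHONE_PREFIX = (r"^([0-9]{3}-[0-9]{3}-[0-9]{4})$", "9$1")    # constructed for this example


def demo():
    return {
        "eat_one": apply_rule(*EAT_BLANKS, "Doe, John"),          # 'Doe,John'
        "eat_greedy": apply_rule(*EAT_BLANKS, "a, b, c"),         # 'a, b,c': greedy $1 ate 'a, b'
        "eat_all": apply_until_stable(*EAT_BLANKS, "a, b, c"),    # 'a,b,c'
        "phone": apply_rule(*PHONE_PREFIX, "555-123-4567"),       # '9555-123-4567'
        "phone_other": apply_rule(*PHONE_PREFIX, "+1 555 123 4567"),  # unchanged: no match
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Two remarks on the posted configuration, independent of the rewrite question: the ACL "access to dn.subtree=... by * read" grants anonymous clients of the proxy read access to everything the service account can see in AD, and idassert-authzFrom "dn.regex:.*" lets any identity be asserted through the proxy's bind; both deserve tightening before the proxy is reachable from the phones' network.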
Re: access
by Friedrich Locke
How may I know I have set up SASL/GSSAPI correctly?
Here is how I executed saslauthd:
saslauthd -a kerberos5 -cd -t 60 -n 2 -s 128
Here is a test:
sioux@gustav$ testsaslauthd -u sioux -p XYZ
0: OK "Success."
sioux@gustav$
Is there something more I need to do?
Thanks.
On Tue, Jun 28, 2011 at 3:04 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Tuesday, June 28, 2011 3:02 PM -0300 Friedrich Locke
> <friedrich.locke@gmail.com> wrote:
>
>> Sorry folks,
>>
>> please forgive me, I forgot to let you know I am using Kerberos
>> (SASL); so I bind via a SASL mechanism, not as the DN owned by me.
>>
>> Thanks once more for your help.
>
> If you have correctly set up SASL/GSSAPI, then when someone binds, they are
> mapped to their DN in the database, and the access rules I reported would
> work correctly.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
9 years, 9 months
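Editor's added example (not from the thread, not slapd's code): the mapping Quanah's reply depends on is configured with authz-regexp in slapd.conf, and this Python emulation shows what it does to the identity a GSSAPI bind produces. Two caveats worth having here: saslauthd and testsaslauthd verify plaintext passwords for the PLAIN and LOGIN mechanisms, so the test shown above does not exercise a GSSAPI bind at all (that is verified by the SASL library against slapd's keytab); and until a rule maps uid=...,cn=gssapi,cn=auth to an entry DN, ACL clauses written against entry DNs (by dn=..., by self, by group=...) cannot match the bound identity. The realm, suffix and rules below are assumptions for the example.

```python
import re

# Rules in slapd.conf's authz-regexp form: an extended regex over the SASL
# authorization DN and a replacement using $1..$9. Realm and suffix are
# assumptions for this example; the first matching rule wins, so the
# specific rule for root must come before the generic one.
AUTHZ_REGEXP = [
    ("^uid=root,cn=ufv.br,cn=gssapi,cn=auth$", "cn=Manager,dc=ufv,dc=br"),
    ("^uid=([^,]*),cn=ufv.br,cn=gssapi,cn=auth$", "uid=$1,ou=people,dc=ufv,dc=br"),
]


def sasl_authz_dn(authcid, realm, mech="gssapi"):
    """Identity slapd derives from a SASL bind before any mapping; for a
    Kerberos principal user@REALM it is uid=user,cn=REALM,cn=gssapi,cn=auth."""
    return "uid=%s,cn=%s,cn=%s,cn=auth" % (authcid, realm, mech)


def map_authz_dn(authz_dn, rules=AUTHZ_REGEXP):
    """Apply the rules in order, as slapd does, case-insensitively (slapd
    compiles them with REG_ICASE). With no match the cn=auth identity is
    kept unchanged, which is the 'not correctly set up' case in the reply."""
    for pattern, replacement in rules:
        m = re.search(pattern, authz_dn, re.IGNORECASE)
        if m:
            return m.expand(re.sub(r"\$(\d)", r"\\g<\1>", replacement))
    return authz_dn


if __name__ == "__main__":
    for principal in ("sioux", "root"):
        before = sasl_authz_dn(principal, "UFV.BR")
        print(before, "->", map_authz_dn(before))
```

To see the real value on a running server, bind with the mechanism and ask who you are: ldapwhoami -Y GSSAPI prints the DN after mapping; if it still ends in cn=gssapi,cn=auth, no authz-regexp matched.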
Build a "fake" LDAP
by Joao Robertson Kramer Santana
Hi,
I have an Oracle database table with usernames and their encrypted passwords.
I would like to build an LDAP Server only for authentication. It should communicate with the client, receive the username/password, and make the authentication using the Oracle database table.
I just want the clients to expect ('think') they are 'talking' with a true LDAP Server, but in fact it's just an application (Java Servlet) that uses the LDAP protocol between the client/server for authentication. In other words, the client does not know what happens inside the server, and the server does not use a true LDAP infrastructure.
Does anybody have an idea of how I can implement it?
Is it possible to use OpenLDAP to simulate the conversation between the server and a client?
I would appreciate any help.
Thanks in advance.
Jkramer
9 years, 9 months
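Editor's added example serving two posts in this digest: "Simple Bind w/TLS without SASL/Kerberos possible to AD?" (the client side) and this one (the server side). It is not code from either post and not OpenLDAP's; it encodes and decodes an LDAPv3 simple BindRequest/BindResponse (RFC 4511) in pure stdlib BER. For the AD question, build_simple_bind() is the first message ldapsearch sends after StartTLS when -x is given; without -x the OpenLDAP tools attempt a SASL bind, which is the behaviour David saw. For the "fake LDAP" question, handle_bind() is the decision a bind-only server has to make; the DEMO_USERS table, the sample DNs and passwords and the verify() callback are constructed stand-ins for the Oracle lookup.

```python
"""Minimal LDAPv3 simple-bind encoder/decoder (BER, RFC 4511), stdlib only.
Added example; sample identities and credentials are constructed."""
import hmac

SUCCESS, PROTOCOL_ERROR, STRONGER_AUTH_REQUIRED = 0, 2, 8
INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 49, 53


def ber_len(n):
    # short form below 128; long form is 0x80|count followed by the length bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v, tag=0x02):
    # non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos=0):
    """(tag, content, position after this element)"""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def build_simple_bind(msg_id, name, password):
    """Client side: LDAPMessage{messageID, BindRequest{version 3, name,
    authentication [0] simple}}, i.e. what ldapsearch -x sends, typically
    right after a successful StartTLS (-ZZ)."""
    req = ber_int(3) + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, req))          # 0x60 = APPLICATION 0


def parse_bind_request(msg):
    """Server side: (msg_id, version, name, password); ValueError otherwise."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    if tag != 0x80:                                             # [3] would be SASL
        raise ValueError("only simple authentication is handled")
    return int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), name.decode(), auth.decode()


def build_bind_response(msg_id, result_code, diag=""):
    body = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, body))         # 0x61 = APPLICATION 1


def parse_bind_response(msg):
    """Client side: (msg_id, resultCode, matchedDN, diagnosticMessage)."""
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), matched.decode(), diag.decode()


DEMO_USERS = {"uid=jdoe,ou=people,dc=example,dc=com": "Secret1!"}   # constructed; verify a stored hash in real life


def demo_verify(name, password):
    stored = DEMO_USERS.get(name)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def handle_bind(request, verify=demo_verify, tls_active=False):
    """Fake-server decision for one BindRequest; verify(name, password) is where
    the Oracle lookup would go. A simple bind carries the password in clear, so
    it is refused until TLS is up (resultCode 8, which is also what AD returns
    when it requires signing or TLS); an empty password is an unauthenticated
    bind (RFC 4513 5.1.2) and must never count as a login."""
    try:
        mid, ver, name, pw = parse_bind_request(request)
    except ValueError as e:
        return build_bind_response(0, PROTOCOL_ERROR, str(e))
    if not tls_active:
        return build_bind_response(mid, STRONGER_AUTH_REQUIRED, "simple bind requires TLS")
    if pw == "":
        return build_bind_response(mid, UNWILLING_TO_PERFORM, "unauthenticated bind refused")
    if ver != 3 or not verify(name, pw):
        return build_bind_response(mid, INVALID_CREDENTIALS)
    return build_bind_response(mid, SUCCESS)
```

On the client side, the ldapsearch form that matches this message is "ldapsearch -x -ZZ -H ldap://dc.example.com -D 'user@example.com' -W -b 'DC=example,DC=com' '(sAMAccountName=user)'" (hostname and names are placeholders): -x selects the simple bind, -ZZ insists on StartTLS succeeding, and AD accepts a simple bind over TLS with the user's UPN as the bind name, provided the client trusts the issuing CA (TLS_CACERT in ldap.conf). For the fake server, wrap the accepted socket with ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) before reading, and expect UnbindRequest (tag 0x42) and SearchRequest messages as well, because PAM and NSS clients search for the user's entry before they bind as it.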
Strange olcDbDirectory permission error
by Ian Collins
Hello,
I'm in the process of copying a server configuration to an Ubuntu server
and I'm getting a very strange error on start up:
Jul 7 14:46:03 Ubuntu64 slapd[5079]: config error processing
olcDatabase={1}hdb,cn=config: olcDbDirectory: value #0: invalid path:
Permission denied
strace shows:
[pid 5079] open("/opt/local/var/run/openldap//DUMMY",
O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
Even with the directory writable to all:
drwxrwxrwx 2 openldap openldap 4096 2011-07-07 14:29
/opt/local/var/run/openldap/
Any ideas?
--
Ian.
9 years, 9 months
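Editor's added example, not from the post: when a mode 0777 directory still returns EACCES, discretionary permissions are not what refused the open, so one cause to rule out on Ubuntu is mandatory access control. Ubuntu ships an AppArmor profile for /usr/sbin/slapd, and a denial by that profile looks exactly like this from slapd's side while being recorded in the kernel log (dmesg, /var/log/kern.log, or audit.log) rather than in slapd's output. The audit lines below are constructed to mirror the post's path and pid; the parser pulls out the fields that say which profile denied which path.

```python
import re

# Constructed kernel audit lines for this example (not from the post's system).
SAMPLE_LOG = """\
Jul  7 14:46:03 Ubuntu64 kernel: [ 1234.567890] type=1400 audit(1310000763.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/slapd" name="/opt/local/var/run/openldap/DUMMY" pid=5079 comm="slapd" requested_mask="wc" denied_mask="wc" fsuid=106 ouid=106
Jul  7 14:46:03 Ubuntu64 kernel: [ 1234.567999] type=1400 audit(1310000763.124:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/var/lib/ldap/DUMMY" pid=5079 comm="slapd" requested_mask="wc" denied_mask="wc"
Jul  7 14:46:04 Ubuntu64 kernel: [ 1234.600000] type=1400 audit(1310000764.000:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/foo" pid=900 comm="cupsd" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bareword
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Key/value fields of one AppArmor audit record, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV.finditer(line)}


def denials_for(log_text, comm="slapd"):
    """AppArmor DENIED records for the given process, reduced to the fields
    that explain an EACCES which DAC permissions cannot: which profile denied
    which path for which access mask."""
    out = []
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("comm") == comm:
            out.append({k: rec.get(k) for k in ("profile", "operation", "name", "denied_mask", "pid")})
    return out


if __name__ == "__main__":
    for d in denials_for(SAMPLE_LOG):
        print("%(profile)s denied %(operation)s (%(denied_mask)s) on %(name)s pid=%(pid)s" % d)
```

If such a record appears for the olcDbDirectory path, the fix is to grant the path in the profile's local override (on current Ubuntu releases /etc/apparmor.d/local/usr.sbin.slapd) and reload it with apparmor_parser -r, or to keep the database under the directory the profile already allows; aa-status shows whether the slapd profile is loaded in enforce mode at all.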
RE: allow or deny certain user access to certain hosts
by ldap@mm.st
On Sat, 18 Jun 2011 22:13 -0700, "Hai Tao" <taoh666@hotmail.com> wrote:
>
> Yes, I tried to add a host attribute, but I got object class violation
> error. Any idea?
>
>
> Thanks.
>
> Hai Tao
>
>
>
Did you ever resolve this? You don't mention which OS you are using,
but on standard RH5 you can try this.
1. Install nss_ldap
2. copy /usr/share/doc/nss_ldap-253/ldapns.schema
/etc/openldap/schema/ldapns.schema
This will provide the hostObject objectClass
3. In slapd.conf
include /etc/openldap/schema/ldapns.schema
4. In a user's LDAP record add
objectClass: hostObject
5. In the user's LDAP record add
host: hostname
6. Modify the host's ldap.conf file:
pam_check_host_attr yes
I'm doing this from memory, but I think that should be enough to get what
you want to work on a RH5 system. RH6 uses some different files on the
host. BTW, you can also use the account objectClass to provide the host
attribute, but my guess is that it will most likely conflict with
another structural object class.
9 years, 9 months
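Editor's added example, not code from the reply and not pam_ldap's own: one Python block that covers the recipe above end to end. validate_entry() reproduces the schema check behind the "object class violation" Hai Tao hit (host is allowed by the AUXILIARY class hostObject from ldapns.schema, and by the STRUCTURAL class account, so an entry that has neither is rejected), host_modify_ldif() produces the LDIF for steps 4 and 5, and host_login_allowed() emulates the decision pam_check_host_attr makes on the client, including the documented effect that a user with no host values is refused. The DN and hostnames are constructed.

```python
def validate_entry(entry):
    """Schema check emulated: 'host' must be permitted by an object class on the
    entry. hostObject (AUXILIARY, ldapns.schema) can be added to an existing
    posixAccount/inetOrgPerson entry; account (STRUCTURAL, cosine.schema)
    usually cannot, because the entry already has a structural class."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "host" in entry and not classes & {"hostobject", "account"}:
        raise ValueError("object class violation: attribute 'host' not allowed by objectClass(es)")
    return True


def host_modify_ldif(dn, hosts, add_class=True):
    """LDIF for steps 4 and 5: add the auxiliary class and the host values to an
    existing entry (apply with ldapmodify -x -D <admin> -W -f file.ldif)."""
    lines = ["dn: %s" % dn, "changetype: modify"]
    if add_class:
        lines += ["add: objectClass", "objectClass: hostObject", "-"]
    lines += ["add: host"] + ["host: %s" % h for h in hosts] + ["-"]
    return "\n".join(lines) + "\n"


def host_login_allowed(entry, hostname):
    """pam_check_host_attr decision emulated: the user's host values must name
    this host, and a user with no host values is refused, which is why turning
    the option on locks out every account that has not been given one.
    Comparison is case-insensitive here; whether a given pam_ldap build also
    honours a '*' wildcard or short names is not assumed by this example."""
    hosts = [h.lower() for h in entry.get("host", [])]
    return bool(hosts) and hostname.lower() in hosts


if __name__ == "__main__":
    user = {"objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["htao"]}
    print(host_modify_ldif("uid=htao,ou=people,dc=example,dc=com", ["web01.example.com"]))
    user["objectClass"].append("hostObject")
    user["host"] = ["web01.example.com"]
    validate_entry(user)
    print(host_login_allowed(user, "web01.example.com"), host_login_allowed(user, "db01.example.com"))
```

Since pam_ldap compares against the name the client host returns for itself, store the form your hosts actually report (short name or FQDN, or both) and keep the ldap.conf option off until every account that must keep logging in has been populated.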