openldap-technical August 2011

openldap-technical@openldap.org

87 participants
96 discussions

TLS issue with SLES11
by pradyumna dash 01 Sep '11

01 Sep '11

List, It would be great if someone can share doc on TLS with OpenLDAP configuration on SLES 11, I tried all the possible ways to make it happen but no luck. I tried with both yast2 and by CA.pl and openssl commands, but no luck, When i do netstat .lnap |grep ldap it shows both 636 and 389 port listtening to the hostname, When i check the logs it shows the destination port its showing is 389. But when i try ldapsearch -x -H ldaps://hostname, its also showing me the ldap contents, dont know whats wrong, I also tried to open /etc/sysconfig/openldap and assigned the LDAP service to run on 127.0.0.1, but if i do so then its not able to get the server. Please help. Regards, Neo

4 6

slapd-meta per operation server
by Kapetanakis Giannis 31 Aug '11

31 Aug '11

Hi, I'm trying to setup an LDAP Proxy using the slapd-meta database. Is there a way to define different servers per operation? I want servers r1 and r2 for read only operations and server w1 w2 for write operations (add, delete etc) for a single suffix. Is this possible with openldap? I've seen about the "default-target" directive but it's not clear what it actually does. best regards, Giannis

2 2

rewritting binds and attempting to cache search for attr=1.1 - segmentation fault
by Perrin, David 31 Aug '11

31 Aug '11

Hello, thank you for reading this post! Is it possible to configure openldap to cache the search operation necessary to perform mapped bind rewrites? The slapo-pcache man page has given me hope but I'm stuck making it happen. I'm able to map and rewrite a bind, cache binds, and cache search results. But I'm stuck trying to cache the search operation that openldap completes for looking up a mapped attribute. For example I can bind with a string like: mail=pfoo(a)somedomain.com,ou=Students,dc=domain,dc=com slapd.conf maps that through overlay rwm like: rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub" rwm-rewriteContext bindDN rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":" to an actual DN of: cn=Foo\, Peter (pfoo),ou=Students,dc=domain,dc=com and some pcache definitions will cache binds and certain searches - this works great. In reviewing the openldap log and network packets to confirm caching, I noticed search requests to attr=1.1. So I tried to define a pcachetemplate for those requests like this: pcacheAttrset 0 1.1 pcacheTemplate (mail=) 0 1800 When I search for attribute 1.1 and bind using a dn that doesn't need to be rewritten, I get search results and they are cached. However, when I search for 1.1 and bind using a dn that needs to be rewritten, the server complains of a segmentation fault. conn=1000 fd=12 ACCEPT from IP=127.0.0.1:54533 (IP=0.0.0.0:389) conn=1000 op=0 BIND dn="mail=pfoo(a)somedomain.com,ou=Students,dc=TEST_HOST,dc=TEST_COM" method=128 conn=1001 fd=14 ACCEPT from IP=127.0.0.1:54534 (IP=0.0.0.0:389) conn=1001 op=0 SRCH base="ou=Students,dc=TEST_HOST,dc=TEST_COM" scope=2 deref=0 filter="(mail=pfoo(a)somedomain.com)" conn=1001 op=0 SRCH attr=1.1 query template of incoming query = (mail=) Entering QC, querystr = (mail=pfoo(a)somedomain.com) Lock QC index = 0xa2d8798 Not answerable: Unlock QC index=0xa2d8798 QUERY NOT ANSWERABLE QUERY CACHEABLE Segmentation fault And with loglevel -1: ** ld 0xb3a08480 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0xb3a08480 request count 1 (abandoned 0) ** ld 0xb3a08480 Response Queue: * msgid 1, type 100 ld 0xb3a08480 response count 1 ldap_chkResponseList ld 0xb3a08480 msgid 1 all 1 ldap_chkResponseList returns ld 0xb3a08480 NULL ldap_int_select Segmentation fault Is there a setting to have openldap cache internal operations like that or is there a way to cache that special attr=1.1 search operation? Any suggestions would be greatly appreciated. Many thanks! Dave # from slapd.conf # 2.4.26 (--enable-overlays --enable-bdb --enable-ldap --enable-meta --with-tls=openssl) include /opt/openldap/proxy/etc/openldap/schema/core.schema include /opt/openldap/proxy/etc/openldap/schema/cosine.schema include /opt/openldap/proxy/etc/openldap/schema/inetorgperson.schema include /opt/openldap/proxy/etc/openldap/schema/myorg.schema pidfile /opt/openldap/proxy/var/run/slapd.pid argsfile /opt/openldap/proxy/var/run/slapd.args loglevel -1 database ldap lastmod off suffix "dc=TEST_HOST,dc=TEST_COM" rootdn "cn=admin,dc=TEST_HOST,dc=TEST_COM" rootpw config uri "ldap://10.100.142.132" idassert-bind bindmethod=simple mode=self binddn="cn=testadmin,cn=Users,dc=TEST_HOST,dc=TEST_COM" credentials="secret" idassert-authzFrom "dn.regex:.*" # cache of ldap is in bdb format overlay pcache pcache bdb 100000 2 50 900 pcacheAttrset 0 * pcacheTemplate (&(sn=)(givenname=)) 0 1800 pcacheBind (&(sn=)(givenname=)) 0 1800 sub "ou=Students,dc=TEST_HOST,dc=TEST_COM" # with this definition, the server will segmentation fault after search/bind requests where the bind needs to be rewritten #pcacheAttrset 1 1.1 #pcacheTemplate (mail=) 1 1800 cachesize 100000 pcachePosition tail directory /var/lib/ldap index sn,givenname pres,eq,sub index cn pres,eq,sub index mail eq index objectclass eq # *************************************************************** # start of rewrite stuff overlay rwm rwm-rewriteEngine on rwm-map attribute studentID employeeID ## source DN map rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub" rwm-rewriteContext default rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":" rwm-rewriteContext bindDN rwm-rewriteRule "^mail=([^,]*),ou=Students,dc=TEST_HOST,dc=TEST_COM" "${source2dn(mail=$1)}" ":"

2 1

No connection message.
by Daniel Lopes de Carvalho 31 Aug '11

31 Aug '11

Hi, I was looking to my log messages and slapd always send a message like this: slapd[PID]: connection_read(##): no connection! Is there a way to correct this issue or supress this message? Why the slapd getting this message? Thanks Daniel

3 2

User quota control under LDAP.
by Daniel Lopes de Carvalho 31 Aug '11

31 Aug '11

Hi, I would like to know if there is a way to get control of my users disk quota with LDAP. Is there any attribute, objectclass or schema to do that? I have Windows and Linux users and would like to control NFS and Samba quota. Thanks Daniel

3 2

RE: N-way multi master configuration issue
by Naga Chaitanya Palle 30 Aug '11

30 Aug '11

Any inputs please? ________________________________________ From: Naga Chaitanya Palle Sent: Monday, August 29, 2011 1:37 PM To: Buchan Milne Cc: openldap-technical(a)openldap.org Subject: RE: N-way multi master configuration issue Hi Buchan, After making the changes are per your suggestions, I am still not able to read data between the servers. Also, I deleted DI data on server 2 and restarted to import data from server1 , but no use. Can you please check the slapd.conf files and suggest. Server 1 slapd.conf file # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/share/openldap2.4/schema/sudo.schema include /usr/share/openldap2.4/schema/core.schema include /usr/share/openldap2.4/schema/cosine.schema include /usr/share/openldap2.4/schema/inetorgperson.schema include /usr/share/openldap2.4/schema/nis.schema include /usr/share/openldap2.4/schema/misc.schema include /usr/share/openldap2.4/schema/openldap.schema include /usr/share/openldap2.4/schema/ppolicy.schema include /usr/share/openldap2.4/schema/corba.schema loglevel 296 # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/ldap2.4/slapd.pid argsfile /var/run/ldap2.4/slapd.args access to attrs=userPassword by self write by users read by anonymous auth #access to attrs=shadowLastChange # by self write # by * auth access to * by * read access to * by dn.base="cn=Manager,dc=comverse-in,dc=com" read by * break # Load dynamic backend modules: # modulepath /usr/lib/openldap # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem #TLSCipherSuite HIGH:MEDIUM:+SSLv2 #TLSCACertificateFile /etc/openldap2.4/cacerts/cacert.pem #TLSCertificateFile /etc/openldap2.4/cacerts/slapd-cert.pem #TLSCertificateKeyFile /etc/openldap2.4/cacerts/slapd-key.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # ldbm and/or bdb database definitions ####################################################################### serverId 001 database bdb suffix "dc=comverse-in,dc=com" rootdn "cn=Manager,dc=comverse-in,dc=com" rootpw {SSHA}9tKeVZfgKFCfgIFQxXt5esH0HhQk1dIS # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap2.4 # Indices to maintain for this database #index objectClass eq,pres #index ou,cn,mail,surname,givenname eq,pres,sub #index uidNumber,gidNumber,loginShell eq,pres #index uid,memberUid eq,pres,sub #index nisMapName,nisMapEntry eq,pres,sub #index sudoUser eq index sudoUser eq index member eq index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub #index objectclass,entryCSN,entryUUID eq # Load dynamic backend modules: # modulepath /usr/lib/openldap modulepath /usr/lib/openldap2.4 # modules available in openldap-servers-overlays RPM package: # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la moduleload syncprov.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # modules available in openldap-servers-sql RPM package: # moduleload back_sql.la syncrepl rid=123 provider=ldap://devonly144.comverse-in.com type=refreshAndPersist interval=00:00:01:00 searchbase="dc=comverse-in,dc=com" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off bindmethod=simple binddn="cn=Manager,dc=comverse-in,dc=com" credentials=sonora index objectClass,entryCSN,entryUUID eq mirrormode true overlay syncprov syncprov-checkpoint 100 10 overlay ppolicy ppolicy_default "cn=DefaultPassword,ou=pwpolicies,dc=comverse-in,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout #SUDOERS_BASE=ou=SUDOers,dc=comverse-in,dc=com # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM #replogfile /var/lib/ldap/openldap-master-replog #replica uri=ldaps://rht144.comverse-in.com:389 starttls=critical Server2 slapd.conf file # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/share/openldap2.4/schema/sudo.schema include /usr/share/openldap2.4/schema/core.schema include /usr/share/openldap2.4/schema/cosine.schema include /usr/share/openldap2.4/schema/inetorgperson.schema include /usr/share/openldap2.4/schema/nis.schema include /usr/share/openldap2.4/schema/misc.schema include /usr/share/openldap2.4/schema/openldap.schema include /usr/share/openldap2.4/schema/ppolicy.schema include /usr/share/openldap2.4/schema/corba.schema loglevel 296 # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/ldap2.4/slapd.pid argsfile /var/run/ldap2.4/slapd.args access to attrs=userPassword by self write by users read by anonymous auth #access to attrs=shadowLastChange # by self write # by * auth access to * by * read access to * by dn.base="cn=Manager,dc=comverse-in,dc=com" read by * break # Load dynamic backend modules: # modulepath /usr/lib/openldap # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem #TLSCipherSuite HIGH:MEDIUM:+SSLv2 #TLSCACertificateFile /etc/openldap2.4/cacerts/cacert.pem #TLSCertificateFile /etc/openldap2.4/cacerts/slapd-cert.pem #TLSCertificateKeyFile /etc/openldap2.4/cacerts/slapd-key.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # ldbm and/or bdb database definitions ####################################################################### serverId 002 #database bdb database bdb #suffix "dc=comverse-in,dc=com" suffix "dc=comverse-in,dc=com" #rootdn "cn=Manager,dc=comverse-in,dc=com" rootdn "cn=Manager,dc=comverse-in,dc=com" rootpw {SSHA}4qLml3DcOyfwiKlN/garIms4a8fmsNkx #rootpw sonora # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap2.4 # Indices to maintain for this database #index objectClass eq,pres #index ou,cn,mail,surname,givenname eq,pres,sub #index uidNumber,gidNumber,loginShell eq,pres #index uid,memberUid eq,pres,sub #index nisMapName,nisMapEntry eq,pres,sub #index sudoUser eq index sudoUser eq index member eq index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub #index objectclass,entryCSN,entryUUID eq # Load dynamic backend modules: # modulepath /usr/lib/openldap modulepath /usr/lib/openldap2.4 # modules available in openldap-servers-overlays RPM package: # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la moduleload syncprov.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # modules available in openldap-servers-sql RPM package: # moduleload back_sql.la overlay ppolicy ppolicy_default "cn=DefaultPassword,ou=pwpolicies,dc=comverse-in,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout #SUDOERS_BASE=ou=SUDOers,dc=comverse-in,dc=com # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM #replogfile /var/lib/ldap/openldap-master-replog #replica uri=ldaps://rht144.comverse-in.com:389 starttls=critical binddn="cn=Manager,dc=comverse-in,dc=com" bindmethod=simple credentials=sonora #serverId 2 syncrepl rid=124 provider=ldap://uplite98.comverse-in.com type=refreshAndPersist interval=00:00:01:00 searchbase="dc=comverse-in,dc=com" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off bindmethod=simple binddn="cn=Manager,dc=comverse-in,dc=com" credentials=sonora #updateref ldap://uplite98.comverse-in.com index objectClass,entryCSN,entryUUID eq mirrormode true overlay syncprov syncprov-checkpoint 100 10 Thanks and Regards, Naga Chaitanya -----Original Message----- From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net] Sent: Friday, August 26, 2011 7:15 PM To: Naga Chaitanya Palle Cc: openldap-technical(a)openldap.org Subject: Re: N-way multi master configuration issue On Friday, 26 August 2011 15:28:13 Naga Chaitanya Palle wrote: > Hi buchan, > > My server 1 is uplite98.comverse-in.com. In its slapd.conf, I have syncrepl > pointing to server 2 devonly144.comverse-in.com and vice versa for > server2. Then your serverid (and, it should actually be serverId) is wrong: > > serverid 124 ldap://devonly144.comverse-in.com > > syncrepl rid=124 > > > > provider=ldap://devonly144.comverse-in.com:389 The URI form of serverId is useful if you have the same configuration on all your masters, in which case the listening address of your server must match one of the URIs. You may want to use this form for now: serverId 1 If your serverId's weren't correct (check the contextCSNs), you should probably re-import an export of one server on the other one. > I did not exactly understand what you indicated. > Can you please be more specific about what changes needs to be done in the > slapd.conf file? In a multi-master setup, each server should be replicating off *all* servers, including itself. > Thanks and Regards, > Naga Chaitanya > > -----Original Message----- > From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net] > Sent: Friday, August 26, 2011 6:56 PM > To: openldap-technical(a)openldap.org > Cc: Naga Chaitanya Palle > Subject: Re: N-way multi master configuration issue > > On Friday, 26 August 2011 12:56:38 Naga Chaitanya Palle wrote: > > Hi, > > > > I am trying to set up N-way multimaster configuration using syncrepl on > > openldap2.4 for RHEL 5.4 > > > > Currently I am using two masters for testing. > > > > The slapd.conf on server1 is > > moduleload syncprov.la > > serverid 124 ldap://devonly144.comverse-in.com > > syncrepl rid=124 > > > > provider=ldap://devonly144.comverse-in.com:389 > > type=refreshAndPersist > > interval=00:00:01:00 > > searchbase="dc=comverse-in,dc=com" > > filter="(objectClass=*)" > > scope=sub > > attrs="*" > > schemachecking=off > > bindmethod=simple > > binddn="cn=Manager,dc=comverse-in,dc=com" > > credentials=sonora > > > > index objectClass,entryCSN,entryUUID eq > > mirrormode true > > > > overlay syncprov > > syncprov-checkpoint 100 10 > > > > > > The slapd.conf on server2 is > > moduleload syncprov.la > > serverid 123 ldap://uplite98.comverse-in.com > > syncrepl rid=123 > > > > provider=ldap://uplite98.comverse-in.com:389 > > type=refreshAndPersist > > interval=00:00:01:00 > > searchbase="dc=comverse-in,dc=com" > > filter="(objectClass=*)" > > scope=sub > > attrs="*" > > schemachecking=off > > bindmethod=simple > > binddn="cn=Manager,dc=comverse-in,dc=com" > > credentials=sonora > > > > index objectClass,entryCSN,entryUUID eq > > mirrormode true > > > > overlay syncprov > > syncprov-checkpoint 100 10 > > > > But there is no data synchronization happening between the severs. > > Of course not, you have configured each server only to replicate from > itself. > > > When I added test3 user on server1, it is not reflecting on server 2. > > Same way when I added test4 user on server2 it is not reflecting on > > server1. > > > > Please let me know what is missing in this configuration. > > syncrepl statements pointing to the other master. > > Regards, > Buchan > > > > > =========================================================================== > ==== Please refer to http://www.aricent.com/legal/email_disclaimer.html for > important disclosures regarding this electronic communication. > ========================================================================== > ===== =============================================================================== Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===============================================================================

2 1

LDAP ACL configuration Problem ???
by vijay s sheelavantar 29 Aug '11

29 Aug '11

Hi,I am running openldap-2.4.26 on one machine (fedora 10) and pam_ldap-186 (fedora 10) on another machine.(anonymous binding) whenever a user authentication request is recieved by ldap server, it is giving the following error. ldap_read: want=8 error=Resource temporarily unavailable ldap.conf configuration is as follows.base dc=samsung,dc=comhost 10.254.204.181 slapd.conf configuration is as follows. include         /usr/local/etc/openldap/schema/core.schemainclude         /usr/local/etc/openldap/schema/cosine.schemainclude         /usr/local/etc/openldap/schema/inetorgperson.schema#include                /usr/local/etc/openldap/schema/nis.schema pidfile         /usr/local/var/run/slapd.pidargsfile        /usr/local/var/run/slapd.args access to attrs=userpassword by self       write by anonymous  auth by *          none access to *       by self       write#       by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"#                     write       by users      read       by *          none ######################################################################## BDB database definitions####################################################################### database        bdbsuffix          "dc=samsung,dc=com"rootdn          "cn=Manager,dc=samsung,dc=com"# Cleartext passwords, especially for the rootdn, should# be avoid.  See slappasswd(8) and slapd.conf(5) for details.# Use of strong authentication encouraged.rootpw          123qwe# The database directory MUST exist prior to running slapd AND# should only be accessible by the slapd and slap tools.# Mode 700 recommended.directory       /usr/local/var/openldap-data# Indices to maintain#unique id so equality match onlyindex   uid     eqindex   userPassword    eq#allows general searching on commonname,givenname and mailindex   cn,gn,sn,ou,o,mail eq,subindex   objectClass     eq and my LDIF file has user entry as follows. dn: cn=vijay s,ou=people,dc=samsung,dc=comobjectClass: inetOrgPersoncn:vijay sheelavantarcn: vijay suid: vijayuserPassword: 123qwesn: sheelavantar Kindly let me know where I am making mistake... Warm Regards,VIJAY S.

1 0

sudoers: not able to execute commands with sudo
by Naga Chaitanya Palle 29 Aug '11

29 Aug '11

Hi, I have configured sudoers in my environment. But when I try to execute a command using sudo, the commands fails to get executed saying "sysadmin is not in the sudoers file. This incident will be reported." . I am using sysadmin account as mentioned in the below sudoers ldif file. login as: sysadmin sysadmin(a)10.150.14.144's password: Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158 Could not chdir to home directory /home/sysadmin: No such file or directory -bash-3.2$ sudo ls [sudo] password for sysadmin: sysadmin is not in the sudoers file. This incident will be reported. -bash-3.2$ sudo -V Sudo version 1.7.2p1 -bash-3.2$ sudo -l [sudo] password for sysadmin: Sorry, user sysadmin may not run sudo on devonly144. -bash-3.2 On Server the sudoers file is /etc/openldap/slapd.conf include /usr/share/openldap2.4/schema/sudo.schema index sudoUser eq /etc/openldap/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com sudoers.ldif # SUDOers, comverse-in.com dn: ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: organizationalUnit ou: SUDOers dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: syslog=auth dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoUser: sysadmin sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: %wheel sudoUser: %wheel sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: operator sudoUser: operator sudoHost: ALL sudoCommand: /usr/sbin/dump sudoCommand: /usr/sbin/rdump sudoCommand: /usr/sbin/restore sudoCommand: /usr/sbin/rrestore sudoCommand: /usr/bin/mt sudoCommand: /usr/bin/kill sudoCommand: /usr/sbin/shutdown sudoCommand: /usr/sbin/halt sudoCommand: /usr/sbin/reboot sudoCommand: /usr/sbin/lpc sudoCommand: /usr/bin/lprm sudoCommand: sudoedit /etc/printcap sudoCommand: /usr/oper/bin/ dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: ALL sudoUser: ALL sudoHost: orion sudoCommand: /sbin/umount /CDROM sudoCommand: /sbin/mount -o nosuid\ sudoCommand: nodev /dev/cd0a /CDROM sudoOption: !authenticate On client: /etc/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com nss_base_passwd ou=People,dc=comverse-in,dc=com?one nss_base_shadow ou=People,dc=comverse-in,dc=com?one nss_base_group ou=Group,dc=comverse-in,dc=com?one /etc/pam.d/login #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth include system-auth auth required pam_securetty.so auth sufficient pam_ldap.so auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_nologin.so account include system-auth account sufficient pam_ldap.so account required pam_stack.so service=system-auth password include system-auth password sufficient pam_ldap.so password required pam_stack.so service=system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session include system-auth session required pam_loginuid.so session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open session optional pam_keyinit.so force revoke session sufficient pam_ldap.so session required pam_stack.so service=system-auth session optional pam_console.so session required /lib/security/pam_limits.so /etc/nsswitch.conf passwd: ldap files shadow: ldap files group: ldap files Thanks and Regards, Naga Chaitanya =============================================================================== Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===============================================================================

3 3

Syncrepl over TLS for mirrormode
by Daniel Qian 29 Aug '11

29 Aug '11

From the openldap website the two nodes have to use different URLs like below: syncrepl rid=001 provider=ldap://ldap-sid2.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" and syncrepl rid=001 provider=ldap://ldap-sid1.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" I can set two different certificates so that TLS is fine for sync between the two nodes. However we will have regular Ldap client access these two nodes behind a loadbalancer over TLS too. Obviously the client can't connect with ldap-sid2.example.com, nor with ldap-sid1.example.com. So what is the solution to this scenario? Setup a pool of consumers with same hostname? Thanks, Daniel

5 8

How to delete LDAP Data base bdb
by vijay s sheelavantar 29 Aug '11

29 Aug '11

Hello Friends, Please let me know how to delete/flush complete LDAP database ? I tried deleting all files from /var/openldap-data. but still top level data base attributes remains. initially I had set shadowExpire,shadowFlag etc, I want to remove all these. Kindly help me to build my new database. LDAP server log for your reference. ber_dump: buf=0x9a0ba80 ptr=0x9a0bab5 end=0x9a0bb3d len=136  0000:  00 81 85 04 04 68 6f 73  74 04 11 61 75 74 68 6f   .....host..autho  0010:  72 69 7a 65 64 53 65 72  76 69 63 65 04 0c 73 68   rizedService..sh  0020:  61 64 6f 77 45 78 70 69  72 65 04 0a 73 68 61 64   adowExpire..shad  0030:  6f 77 46 6c 61 67 04 0e  73 68 61 64 6f 77 49 6e   owFlag..shadowIn  0040:  61 63 74 69 76 65 04 10  73 68 61 64 6f 77 4c 61   active..shadowLa  0050:  73 74 43 68 61 6e 67 65  04 09 73 68 61 64 6f 77   stChange..shadow  0060:  4d 61 78 04 09 73 68 61  64 6f 77 4d 69 6e 04 0d   Max..shadowMin..  0070:  73 68 61 64 6f 77 57 61  72 6e 69 6e 67 04 09 75   shadowWarning..u  0080:  69 64 4e 75 6d 62 65 72                            idNumber Thanks and Regards,Vijay S.

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2011