TLS issue with SLES11
by pradyumna dash
List,
It would be great if someone could share a doc on TLS with OpenLDAP
configuration on SLES 11; I tried all the possible ways to make it happen
but no luck.
I tried with both yast2 and with CA.pl and openssl commands, but no luck. When
I do netstat -lnap | grep ldap it shows both port 636 and 389 listening on the
hostname. When I check the logs, the destination port it shows is 389.
But when I try ldapsearch -x -H ldaps://hostname, it's also showing me the
LDAP contents, don't know what's wrong. I also tried to open
/etc/sysconfig/openldap and assigned the LDAP service to run on 127.0.0.1,
but if I do so then it's not able to get the server.
Please help.
Regards,
Neo
slapd-meta per operation server
by Kapetanakis Giannis
Hi,
I'm trying to set up an LDAP Proxy using the slapd-meta database.
Is there a way to define different servers per operation? I want
servers r1 and r2 for read-only operations and servers w1 and w2 for write
operations (add, delete etc.) for a single suffix.
Is this possible with openldap? I've seen about the "default-target"
directive but it's not clear what it actually does.
best regards,
Giannis
rewritting binds and attempting to cache search for attr=1.1 - segmentation fault
by Perrin, David
Hello, thank you for reading this post!
Is it possible to configure openldap to cache the search operation
necessary to perform mapped bind rewrites? The slapo-pcache man page has
given me hope but I'm stuck making it happen.
I'm able to map and rewrite a bind, cache binds, and cache search
results. But I'm stuck trying to cache the search operation that
openldap completes for looking up a mapped attribute. For example I can
bind with a string like:
mail=pfoo(a)somedomain.com,ou=Students,dc=domain,dc=com
slapd.conf maps that through overlay rwm like:
rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":"
to an actual DN of:
cn=Foo\, Peter (pfoo),ou=Students,dc=domain,dc=com
and some pcache definitions will cache binds and certain searches - this
works great.
In reviewing the openldap log and network packets to confirm caching, I
noticed search requests to attr=1.1. So I tried to define a
pcachetemplate for those requests like this:
pcacheAttrset 0 1.1
pcacheTemplate (mail=) 0 1800
When I search for attribute 1.1 and bind using a dn that doesn't need to
be rewritten, I get search results and they are cached. However, when I
search for 1.1 and bind using a dn that needs to be rewritten, the
server complains of a segmentation fault.
conn=1000 fd=12 ACCEPT from IP=127.0.0.1:54533 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="mail=pfoo(a)somedomain.com,ou=Students,dc=TEST_HOST,dc=TEST_COM" method=128
conn=1001 fd=14 ACCEPT from IP=127.0.0.1:54534 (IP=0.0.0.0:389)
conn=1001 op=0 SRCH base="ou=Students,dc=TEST_HOST,dc=TEST_COM" scope=2 deref=0 filter="(mail=pfoo(a)somedomain.com)"
conn=1001 op=0 SRCH attr=1.1
query template of incoming query = (mail=)
Entering QC, querystr = (mail=pfoo(a)somedomain.com)
Lock QC index = 0xa2d8798
Not answerable: Unlock QC index=0xa2d8798
QUERY NOT ANSWERABLE
QUERY CACHEABLE
Segmentation fault
And with loglevel -1:
** ld 0xb3a08480 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0xb3a08480 request count 1 (abandoned 0)
** ld 0xb3a08480 Response Queue:
* msgid 1, type 100
ld 0xb3a08480 response count 1
ldap_chkResponseList ld 0xb3a08480 msgid 1 all 1
ldap_chkResponseList returns ld 0xb3a08480 NULL
ldap_int_select
Segmentation fault
Is there a setting to have openldap cache internal operations like that
or is there a way to cache that special attr=1.1 search operation? Any
suggestions would be greatly appreciated.
Many thanks!
Dave
# from slapd.conf
# 2.4.26 (--enable-overlays --enable-bdb --enable-ldap --enable-meta
#         --with-tls=openssl)
include /opt/openldap/proxy/etc/openldap/schema/core.schema
include /opt/openldap/proxy/etc/openldap/schema/cosine.schema
include /opt/openldap/proxy/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/proxy/etc/openldap/schema/myorg.schema
pidfile /opt/openldap/proxy/var/run/slapd.pid
argsfile /opt/openldap/proxy/var/run/slapd.args
loglevel -1
database ldap
lastmod off
suffix "dc=TEST_HOST,dc=TEST_COM"
rootdn "cn=admin,dc=TEST_HOST,dc=TEST_COM"
rootpw config
uri "ldap://10.100.142.132"
idassert-bind bindmethod=simple
        mode=self
        binddn="cn=testadmin,cn=Users,dc=TEST_HOST,dc=TEST_COM"
        credentials="secret"
idassert-authzFrom "dn.regex:.*"
# cache of ldap is in bdb format
overlay pcache
pcache bdb 100000 2 50 900
pcacheAttrset 0 *
pcacheTemplate (&(sn=)(givenname=)) 0 1800
pcacheBind (&(sn=)(givenname=)) 0 1800 sub "ou=Students,dc=TEST_HOST,dc=TEST_COM"
# with this definition, the server will segmentation fault after
# search/bind requests where the bind needs to be rewritten
#pcacheAttrset 1 1.1
#pcacheTemplate (mail=) 1 1800
cachesize 100000
pcachePosition tail
directory /var/lib/ldap
index sn,givenname pres,eq,sub
index cn pres,eq,sub
index mail eq
index objectclass eq
# ***************************************************************
# start of rewrite stuff
overlay rwm
rwm-rewriteEngine on
rwm-map attribute studentID employeeID
## source DN map
rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub"
rwm-rewriteContext default
rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":"
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=([^,]*),ou=Students,dc=TEST_HOST,dc=TEST_COM" "${source2dn(mail=$1)}" ":"
No connection message.
by Daniel Lopes de Carvalho
Hi,
I was looking at my log messages and slapd always sends a message like
this: slapd[PID]: connection_read(##): no connection!
Is there a way to correct this issue or suppress this message?
Why is slapd getting this message?
Thanks
Daniel
User quota control under LDAP.
by Daniel Lopes de Carvalho
Hi,
I would like to know if there is a way to get control of my users' disk quota
with LDAP. Is there any attribute, objectclass or schema to do that? I have
Windows and Linux users and would like to control NFS and Samba quotas.
Thanks
Daniel
RE: N-way multi master configuration issue
by Naga Chaitanya Palle
Any inputs please?
________________________________________
From: Naga Chaitanya Palle
Sent: Monday, August 29, 2011 1:37 PM
To: Buchan Milne
Cc: openldap-technical(a)openldap.org
Subject: RE: N-way multi master configuration issue
Hi Buchan,
After making the changes as per your suggestions, I am still not able to read data between the servers.
Also, I deleted the DI data on server 2 and restarted to import data from server 1, but no use.
Can you please check the slapd.conf files and suggest?
Server 1 slapd.conf file
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
include /usr/share/openldap2.4/schema/corba.schema
loglevel 296
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
access to attrs=userPassword
        by self write
        by users read
        by anonymous auth
#access to attrs=shadowLastChange
#       by self write
#       by * auth
access to *
        by * read
access to *
        by dn.base="cn=Manager,dc=comverse-in,dc=com" read
        by * break
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /etc/openldap2.4/cacerts/cacert.pem
#TLSCertificateFile /etc/openldap2.4/cacerts/slapd-cert.pem
#TLSCertificateKeyFile /etc/openldap2.4/cacerts/slapd-key.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
serverId 001
database bdb
suffix "dc=comverse-in,dc=com"
rootdn "cn=Manager,dc=comverse-in,dc=com"
rootpw {SSHA}9tKeVZfgKFCfgIFQxXt5esH0HhQk1dIS
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap2.4
# Indices to maintain for this database
#index objectClass eq,pres
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
#index sudoUser eq
index sudoUser eq
index member eq
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
#index objectclass,entryCSN,entryUUID eq
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
modulepath /usr/lib/openldap2.4
# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
syncrepl rid=123
        provider=ldap://devonly144.comverse-in.com
        type=refreshAndPersist
        interval=00:00:01:00
        searchbase="dc=comverse-in,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        bindmethod=simple
        binddn="cn=Manager,dc=comverse-in,dc=com"
        credentials=sonora
index objectClass,entryCSN,entryUUID eq
mirrormode true
overlay syncprov
syncprov-checkpoint 100 10
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=pwpolicies,dc=comverse-in,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
#SUDOERS_BASE=ou=SUDOers,dc=comverse-in,dc=com
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
#replogfile /var/lib/ldap/openldap-master-replog
#replica uri=ldaps://rht144.comverse-in.com:389 starttls=critical
Server2 slapd.conf file
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
include /usr/share/openldap2.4/schema/corba.schema
loglevel 296
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
access to attrs=userPassword
        by self write
        by users read
        by anonymous auth
#access to attrs=shadowLastChange
#       by self write
#       by * auth
access to *
        by * read
access to *
        by dn.base="cn=Manager,dc=comverse-in,dc=com" read
        by * break
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /etc/openldap2.4/cacerts/cacert.pem
#TLSCertificateFile /etc/openldap2.4/cacerts/slapd-cert.pem
#TLSCertificateKeyFile /etc/openldap2.4/cacerts/slapd-key.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
serverId 002
#database bdb
database bdb
#suffix "dc=comverse-in,dc=com"
suffix "dc=comverse-in,dc=com"
#rootdn "cn=Manager,dc=comverse-in,dc=com"
rootdn "cn=Manager,dc=comverse-in,dc=com"
rootpw {SSHA}4qLml3DcOyfwiKlN/garIms4a8fmsNkx
#rootpw sonora
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap2.4
# Indices to maintain for this database
#index objectClass eq,pres
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
#index sudoUser eq
index sudoUser eq
index member eq
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
#index objectclass,entryCSN,entryUUID eq
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
modulepath /usr/lib/openldap2.4
# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=pwpolicies,dc=comverse-in,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
#SUDOERS_BASE=ou=SUDOers,dc=comverse-in,dc=com
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
#replogfile /var/lib/ldap/openldap-master-replog
#replica uri=ldaps://rht144.comverse-in.com:389 starttls=critical binddn="cn=Manager,dc=comverse-in,dc=com" bindmethod=simple credentials=sonora
#serverId 2
syncrepl rid=124
        provider=ldap://uplite98.comverse-in.com
        type=refreshAndPersist
        interval=00:00:01:00
        searchbase="dc=comverse-in,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        bindmethod=simple
        binddn="cn=Manager,dc=comverse-in,dc=com"
        credentials=sonora
#updateref ldap://uplite98.comverse-in.com
index objectClass,entryCSN,entryUUID eq
mirrormode true
overlay syncprov
syncprov-checkpoint 100 10
Thanks and Regards,
Naga Chaitanya
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Friday, August 26, 2011 7:15 PM
To: Naga Chaitanya Palle
Cc: openldap-technical(a)openldap.org
Subject: Re: N-way multi master configuration issue
On Friday, 26 August 2011 15:28:13 Naga Chaitanya Palle wrote:
> Hi buchan,
>
> My server 1 is uplite98.comverse-in.com. In its slapd.conf, I have syncrepl
> pointing to server 2 devonly144.comverse-in.com and vice versa for
> server2.
Then your serverid (and, it should actually be serverId) is wrong:
> > serverid 124 ldap://devonly144.comverse-in.com
> > syncrepl rid=124
> >
> > provider=ldap://devonly144.comverse-in.com:389
The URI form of serverId is useful if you have the same configuration on all
your masters, in which case the listening address of your server must match
one of the URIs. You may want to use this form for now:
serverId 1
If your serverId's weren't correct (check the contextCSNs), you should
probably re-import an export of one server on the other one.
> I did not exactly understand what you indicated.
> Can you please be more specific about what changes needs to be done in the
> slapd.conf file?
In a multi-master setup, each server should be replicating off *all* servers,
including itself.
> Thanks and Regards,
> Naga Chaitanya
>
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
> Sent: Friday, August 26, 2011 6:56 PM
> To: openldap-technical(a)openldap.org
> Cc: Naga Chaitanya Palle
> Subject: Re: N-way multi master configuration issue
>
> On Friday, 26 August 2011 12:56:38 Naga Chaitanya Palle wrote:
> > Hi,
> >
> > I am trying to set up N-way multimaster configuration using syncrepl on
> > openldap2.4 for RHEL 5.4
> >
> > Currently I am using two masters for testing.
> >
> > The slapd.conf on server1 is
> > moduleload syncprov.la
> > serverid 124 ldap://devonly144.comverse-in.com
> > syncrepl rid=124
> >
> > provider=ldap://devonly144.comverse-in.com:389
> > type=refreshAndPersist
> > interval=00:00:01:00
> > searchbase="dc=comverse-in,dc=com"
> > filter="(objectClass=*)"
> > scope=sub
> > attrs="*"
> > schemachecking=off
> > bindmethod=simple
> > binddn="cn=Manager,dc=comverse-in,dc=com"
> > credentials=sonora
> >
> > index objectClass,entryCSN,entryUUID eq
> > mirrormode true
> >
> > overlay syncprov
> > syncprov-checkpoint 100 10
> >
> >
> > The slapd.conf on server2 is
> > moduleload syncprov.la
> > serverid 123 ldap://uplite98.comverse-in.com
> > syncrepl rid=123
> >
> > provider=ldap://uplite98.comverse-in.com:389
> > type=refreshAndPersist
> > interval=00:00:01:00
> > searchbase="dc=comverse-in,dc=com"
> > filter="(objectClass=*)"
> > scope=sub
> > attrs="*"
> > schemachecking=off
> > bindmethod=simple
> > binddn="cn=Manager,dc=comverse-in,dc=com"
> > credentials=sonora
> >
> > index objectClass,entryCSN,entryUUID eq
> > mirrormode true
> >
> > overlay syncprov
> > syncprov-checkpoint 100 10
> >
> > But there is no data synchronization happening between the severs.
>
> Of course not, you have configured each server only to replicate from
> itself.
>
> > When I added test3 user on server1, it is not reflecting on server 2.
> > Same way when I added test4 user on server2 it is not reflecting on
> > server1.
> >
> > Please let me know what is missing in this configuration.
>
> syncrepl statements pointing to the other master.
>
> Regards,
> Buchan
>
>
>
>
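A check for the rule Buchan states in the reply above (every master needs a syncrepl stanza for every master, itself included, and its own unique serverId), added here as an example that is not part of the thread. The two configuration fragments are constructed from the ones posted, reduced to the directives the check reads; the parsing is a simplification written for this example, not slapd's own parser.

```python
import re
from typing import Dict, List


def parse_syncrepl(conf: str) -> dict:
    """Pull serverId and every syncrepl stanza's rid/provider out of a
    slapd.conf text.  A directive continues on lines that start with
    whitespace, so those are joined first; '#' comment lines are dropped."""
    joined = re.sub(r"\n[ \t]+", " ", conf)
    info = {"serverId": None, "rids": [], "providers": []}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"serverid\s+(\d+)", line, re.IGNORECASE)
        if m:
            info["serverId"] = int(m.group(1))
        elif line.lower().startswith("syncrepl"):
            rid = re.search(r"\brid=(\d+)", line)
            prov = re.search(r"\bprovider=(\S+)", line)
            info["rids"].append(int(rid.group(1)) if rid else None)
            info["providers"].append(prov.group(1) if prov else None)
    return info


def host_of(uri: str) -> str:
    """ldap://host:port -> host, lower-cased."""
    return re.sub(r"^ldaps?://", "", uri).split(":")[0].lower()


def check_mesh(servers: Dict[str, str]) -> List[str]:
    """servers maps each master's listening hostname to its slapd.conf text.
    Returns the problems found; an empty list means every master has a
    unique serverId and a syncrepl stanza for every master, itself included."""
    parsed = {h: parse_syncrepl(c) for h, c in servers.items()}
    ids = [p["serverId"] for p in parsed.values()]
    problems = []
    for host, p in parsed.items():
        if p["serverId"] is None:
            problems.append(f"{host}: no serverId")
        elif ids.count(p["serverId"]) > 1:
            problems.append(f"{host}: serverId {p['serverId']} is not unique")
        seen = {host_of(u) for u in p["providers"] if u}
        for missing in sorted(set(servers) - seen):
            who = "itself" if missing == host else missing
            problems.append(f"{host}: no syncrepl stanza for {who}")
        if len(set(p["rids"])) != len(p["rids"]):
            problems.append(f"{host}: duplicate rid values")
    return problems


# Constructed fragments: as posted, each master points only at the other one.
AS_POSTED = {
    "uplite98.comverse-in.com": """\
serverId 001
syncrepl rid=123
        provider=ldap://devonly144.comverse-in.com
        type=refreshAndPersist
        searchbase="dc=comverse-in,dc=com"
mirrormode true
""",
    "devonly144.comverse-in.com": """\
serverId 002
syncrepl rid=124
        provider=ldap://uplite98.comverse-in.com
        type=refreshAndPersist
        searchbase="dc=comverse-in,dc=com"
mirrormode true
""",
}

# Same stanza pair on both masters, one per master, itself included.
MESH = """\
syncrepl rid=123
        provider=ldap://uplite98.comverse-in.com
        type=refreshAndPersist
        searchbase="dc=comverse-in,dc=com"
syncrepl rid=124
        provider=ldap://devonly144.comverse-in.com
        type=refreshAndPersist
        searchbase="dc=comverse-in,dc=com"
mirrormode true
"""
FIXED = {
    "uplite98.comverse-in.com": "serverId 001\n" + MESH,
    "devonly144.comverse-in.com": "serverId 002\n" + MESH,
}

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name, check_mesh(cfg) or ["OK"])
```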
LDAP ACL configuration Problem ???
by vijay s sheelavantar
Hi, I am running openldap-2.4.26 on one machine (fedora 10) and pam_ldap-186 (fedora 10) on another machine (anonymous binding).
Whenever a user authentication request is received by the ldap server, it is giving the following error.
ldap_read: want=8 error=Resource temporarily unavailable
ldap.conf configuration is as follows.
base dc=samsung,dc=com
host 10.254.204.181
slapd.conf configuration is as follows.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
#include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
access to attrs=userpassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
#       by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"
#       write
        by users read
        by * none
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=samsung,dc=com"
rootdn "cn=Manager,dc=samsung,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw 123qwe
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
# unique id so equality match only
index uid eq
index userPassword eq
# allows general searching on commonname, givenname and mail
index cn,gn,sn,ou,o,mail eq,sub
index objectClass eq
and my LDIF file has the user entry as follows.
dn: cn=vijay s,ou=people,dc=samsung,dc=com
objectClass: inetOrgPerson
cn: vijay sheelavantar
cn: vijay s
uid: vijay
userPassword: 123qwe
sn: sheelavantar
Kindly let me know where I am making a mistake...
Warm Regards,
VIJAY S.
sudoers: not able to execute commands with sudo
by Naga Chaitanya Palle
Hi,
I have configured sudoers in my environment. But when I try to execute a command using sudo, the command fails to get executed, saying "sysadmin is not in the sudoers file. This incident will be reported."
I am using the sysadmin account as mentioned in the sudoers ldif file below.
login as: sysadmin
sysadmin(a)10.150.14.144's password:
Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158
Could not chdir to home directory /home/sysadmin: No such file or directory
-bash-3.2$ sudo ls
[sudo] password for sysadmin:
sysadmin is not in the sudoers file. This incident will be reported.
-bash-3.2$ sudo -V
Sudo version 1.7.2p1
-bash-3.2$ sudo -l
[sudo] password for sysadmin:
Sorry, user sysadmin may not run sudo on devonly144.
-bash-3.2
On the server, the sudoers configuration is:
/etc/openldap/slapd.conf
include /usr/share/openldap2.4/schema/sudo.schema
index sudoUser eq
/etc/openldap/ldap.conf
sudoers_base ou=SUDOers,dc=comverse-in,dc=com
sudoers.ldif
# SUDOers, comverse-in.com
dn: ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: syslog=auth
dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoUser: sysadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: operator
sudoUser: operator
sudoHost: ALL
sudoCommand: /usr/sbin/dump
sudoCommand: /usr/sbin/rdump
sudoCommand: /usr/sbin/restore
sudoCommand: /usr/sbin/rrestore
sudoCommand: /usr/bin/mt
sudoCommand: /usr/bin/kill
sudoCommand: /usr/sbin/shutdown
sudoCommand: /usr/sbin/halt
sudoCommand: /usr/sbin/reboot
sudoCommand: /usr/sbin/lpc
sudoCommand: /usr/bin/lprm
sudoCommand: sudoedit /etc/printcap
sudoCommand: /usr/oper/bin/
dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: orion
sudoCommand: /sbin/umount /CDROM
sudoCommand: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
sudoOption: !authenticate
On client:
/etc/ldap.conf
sudoers_base ou=SUDOers,dc=comverse-in,dc=com
nss_base_passwd ou=People,dc=comverse-in,dc=com?one
nss_base_shadow ou=People,dc=comverse-in,dc=com?one
nss_base_group ou=Group,dc=comverse-in,dc=com?one
/etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_securetty.so
auth sufficient pam_ldap.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_nologin.so
account include system-auth
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password include system-auth
password sufficient pam_ldap.so
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session sufficient pam_ldap.so
session required pam_stack.so service=system-auth
session optional pam_console.so
session required /lib/security/pam_limits.so
/etc/nsswitch.conf
passwd: ldap files
shadow: ldap files
group: ldap files
Thanks and Regards,
Naga Chaitanya
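An audit of sudoRole entries like the ones posted above, added here as an example that is not from the thread: it answers what the directory data itself grants to a given user on a given host, so the LDAP side can be ruled in or out before looking at the client's sudo and pam/nss setup, and it flags roles that switch the password prompt off. The embedded LDIF is a constructed, abridged copy of the posted entries; `parse_ldif`, `grants_for` and `risky_roles` are this example's own helpers, not sudo or OpenLDAP APIs.

```python
from typing import Dict, List, Sequence, Tuple


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: a blank line separates records, a leading space
    folds a line, '#' lines are comments.  Base64 (::) values not handled."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded + [""]:              # trailing "" flushes last record
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries


def user_matches(spec: str, user: str, groups: Sequence[str]) -> bool:
    if spec.startswith("%"):                   # %name means a group
        return spec[1:] in groups
    return spec == "ALL" or spec == user


def host_matches(spec: str, host: str) -> bool:
    return spec == "ALL" or spec.lower() == host.lower()


def grants_for(ldif_text: str, user: str, host: str,
               groups: Sequence[str] = ()) -> List[Tuple[str, List[str]]]:
    """(cn, sudoCommand values) of every sudoRole applying to user on host.
    cn=defaults carries only sudoOption and no sudoUser, so it never matches."""
    out = []
    for e in parse_ldif(ldif_text):
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if (any(user_matches(u, user, groups) for u in e.get("sudoUser", []))
                and any(host_matches(h, host) for h in e.get("sudoHost", []))):
            out.append((e["cn"][0], e.get("sudoCommand", [])))
    return out


def risky_roles(ldif_text: str) -> List[Tuple[str, str]]:
    """Roles an audit should look at twice: password prompt disabled, or
    ALL users allowed to run ALL commands."""
    flagged = []
    for e in parse_ldif(ldif_text):
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if "!authenticate" in e.get("sudoOption", []):
            flagged.append((e["cn"][0], "!authenticate"))
        if "ALL" in e.get("sudoUser", []) and "ALL" in e.get("sudoCommand", []):
            flagged.append((e["cn"][0], "ALL users may run ALL"))
    return flagged


# Constructed, abridged copy of the sudoers.ldif posted above.
SUDOERS_LDIF = """\
dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoUser: sysadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: orion
sudoCommand: /sbin/umount /CDROM
sudoOption: !authenticate
"""
```

Run against the posted data, `grants_for(SUDOERS_LDIF, "sysadmin", "devonly144")` returns the cn=root role with `ALL`, i.e. the directory does grant sysadmin, which points the investigation at the client-side lookup rather than the LDIF.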
Syncrepl over TLS for mirrormode
by Daniel Qian
From the openldap website the two nodes have to use different URLs like
below:
syncrepl rid=001
        provider=ldap://ldap-sid2.example.com
        bindmethod=simple
        binddn="cn=mirrormode,dc=example,dc=com"
        credentials=mirrormode
        searchbase="dc=example,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
and
syncrepl rid=001
        provider=ldap://ldap-sid1.example.com
        bindmethod=simple
        binddn="cn=mirrormode,dc=example,dc=com"
        credentials=mirrormode
        searchbase="dc=example,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
I can set two different certificates so that TLS is fine for sync
between the two nodes. However, we will have regular LDAP clients accessing
these two nodes behind a load balancer over TLS too. Obviously the client
can't connect with ldap-sid2.example.com, nor with
ldap-sid1.example.com. So what is the solution to this scenario? Set up a
pool of consumers with the same hostname?
Thanks,
Daniel
How to delete LDAP Data base bdb
by vijay s sheelavantar
Hello Friends,
Please let me know how to delete/flush the complete LDAP database? I tried deleting all files from /var/openldap-data, but still the top-level database attributes remain.
Initially I had set shadowExpire, shadowFlag etc.; I want to remove all these.
Kindly help me to build my new database.
LDAP server log for your reference.
Thanks and Regards,
Vijay S.