August 2011 - openldap-technical

by Washington, Andrea

I recently installed version openldap-2.4.23 on one of our Degreeworks servers as root. During the ./configure piece, I had to disable slapd because it complained about a BDB database. Every installation step after the configure piece, completed without a problem. I am uncertain how openldap is being utilized by the Degreeworks software but I think something may be wrong with the setup or configuration files. Did slapd need to be installed and what do I do about the BDB issue. I am trying to get single sign-on via Luminis to Degreeworks. The logins for luminis and degreeworks are not the same. Any help would be appreciated on setting up openldap to work properly with Degreeworks. Thanks in advance for your time. Andrea Washington

12 years, 1 month

4
6
0 / 0

Re: Assigning Groups to LDAP users

by pradyumna dash

Hi, I have create 2 groups and modified the ldap.conf file in the client as below nss_base_passwd ou=people,dc=example,dc=com?one nss_base_shadow ou=people,dc=example,dc=com?one nss_base_group ou=Group,dc=example,dc=com?one >From the client when i run getent i can see my groups and users, but when i login to a user and try id it shows me the primary group not the secondary groups i have added. I am using SLES 11 SP1. Regards, Pradyumna 2011/8/15 Dmitriy Kirhlarov <dimma(a)higis.ru> > please, keep a list address in the Cc. > > WNBR > > > On 08/14/2011 04:20 PM, pradyumna dash wrote: > >> Thank you so much. >> >> I will try it this week and get back to you in case of any issues. >> >> Thanks for your time. >> >> Regards, >> Pradyumna >> >> 2011/8/14 Dmitriy Kirhlarov <dimma(a)higis.ru <mailto:dimma@higis.ru>> >> >> >> >> >> On 08/14/2011 03:18 PM, pradyumna dash wrote: >> >> Hi, >> >> Thank you so much. I have never worked a lot on nss_ldap so >> asking some >> basic questions. >> >> As per you said you guys are running the same in your env. >> >> ldap: >> personals user groups: >> ou=groups,o=company >> first project groups: >> cn=group1,ou=project1,o=____**company >> cn=group2,ou=project1,o=____**company >> >> -- Do i need to create separate OU's for different groups? >> >> >> Up to you. >> >> You need some "separator" between projects. It can be branch in the >> tree, or scope "base" in filter configuration from nss_ldap.conf file. >> >> We are prefer branches. It's more readable, when you have many >> groups and many projects. >> >> >> second project groups: >> cn=group1,ou=project2,o=____**company >> cn=group2,ou=project2,o=____**company >> -- How i can specify the users who are a part of which group? >> >> >> cn=group1,ou=project1,o=__**company >> objectClass: posixGroup >> cn: group1 >> gidNumber: 1000 >> description: project1 admin group >> memberUid: user1 >> memberUid: user2 >> memberUid: user3 >> >> >> "Server1" nss_ldap.conf: >> nss_base_group ou=groups,o=company?sub >> nss_base_group ou=project1,o=company?one >> --The syntax in the conf file will be like above ?? Because i >> have never >> used ?sub and ?one >> >> >> It's URI (http://en.wikipedia.org/wiki/**__URI_scheme<http://en.wikipedia.org/wiki/__URI_scheme> >> <http://en.wikipedia.org/wiki/**URI_scheme<http://en.wikipedia.org/wiki/URI_scheme>>) >> syntax. >> You should to write second part of URI (after connection >> description) with base, scope and filter. >> >> >> "Server2" nss_ldap.conf: >> nss_base_group ou=groups,o=company?sub >> nss_base_group ou=project2,o=company?one >> >> Also if you can help, am trying "pwdReset" for my ldap users, in >> the >> ppolicy.schema file i have uncommented this attribute but not >> able to >> load the schema, if you can give me some pointers would be >> appreciated. >> What i want is when firsttime any user logs in he will asked >> to change >> his password. >> >> >> 1. try to start slapd with "-d config" >> 2. take a look to >> http://www.zytrax.com/books/__**ldap/ch6/ppolicy.html<http://www.zytrax.com/books/__ldap/ch6/ppolicy.html> >> <http://www.zytrax.com/books/**ldap/ch6/ppolicy.html<http://www.zytrax.com/books/ldap/ch6/ppolicy.html> >> > >> >> WBR >> >> >> Regards, >> Neo >> >> I am not a expert in OpenLDAP so please help me. >> 2011/8/14 Dmitriy Kirhlarov <dimma(a)higis.ru >> <mailto:dimma@higis.ru> <mailto:dimma@higis.ru >> >> <mailto:dimma@higis.ru>>> >> >> >> Hi. >> >> >> On 08/12/2011 07:40 PM, Buchan Milne wrote: >> >> On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote: >> >> Guys, >> >> I have a query, lets take a scenario : >> >> Assume we have 2 servers "Server1" and "Server2" and 2 >> groups "Admin" and >> "ITTech", What is needed is like say when a user "bob" logging >> in to "Server1" he will get the group "Admin", but >> when he >> logs in to >> "Server2" he will get group "ITTech". Also it may vary for >> different users >> like when "Kris" logs in to Server1 he may get a group >> called "ITTech" and >> when he logs in to "Server2" he will get some other >> group >> say "Security". >> Can it be possible by OpenLDAP ? >> >> >> IMHO, this is a bad idea. It will specifically be >> problematic if >> you have any >> files shared/replicated/backed up between servers (e.g. >> via NFS). >> >> >> We are using this functionality without any problems. :) >> This is feature of nss_ldap. >> >> ldap: >> personals user groups: >> ou=groups,o=company >> >> first project groups: >> cn=group1,ou=project1,o=____**company >> cn=group2,ou=project1,o=____**company >> >> second project groups: >> cn=group1,ou=project2,o=____**company >> cn=group2,ou=project2,o=____**company >> >> "Server1" nss_ldap.conf: >> nss_base_group ou=groups,o=company?sub >> nss_base_group ou=project1,o=company?one >> >> "Server2" nss_ldap.conf: >> nss_base_group ou=groups,o=company?sub >> nss_base_group ou=project2,o=company?one >> >> >> WBR >> >> >> If this is achieved then we are planning >> to have SUDO files based on the grooups. >> >> >> It would be much more effective to have your sudo rules >> in LDAP, >> and apply a >> rule to a set of users/groups to a collection/netgroup >> of hosts. >> >> Regards, >> Buchan >> >> >> >> >>

12 years, 1 month

2
3
0 / 0

Kudos to OpenLDAP developers

by Brent Bice

After skimming my OpenLDAP email and seeing a few snide comments about OpenLDAP and/or documentation, I felt compelled to post a thank-you to all the folks working on OpenLDAP. Our LDAP needs have been uber-simple until recently but OpenLDAP has been rock solid and just worked without complaint, failures, or replication problems. I recently had to setup a fancier set of LDAP servers for doing authentication/authorization for giant clusters of servers, so for the first time I found myself needing other overlays like accesslog and ppolicy and although I had to spend a bit of time RTFM'ing (oh no, not that! - grin) I found them like my previous experience with OpenLDAP - they just worked. And other than needing to start slapd with a larger max number of File descriptors to handle thousands of clients all suddenly connecting and doing queries simultaneously (slaps forehead - I shoulda expected this), we've had no problems. So to everyone who's spent late nights 'n weekends digging through the source code looking for bugs, or adding new overlays, thanks. It's appreciated... Brent

12 years, 1 month

1
0
0 / 0

provider crash on high replication load

by Marc Patermann

Hi, I have the following problem: On a sycrepl provider I have lots (100+) consumers in refresh and persist mode. After upgrading the provider from 2.3.x to 2.4.25 I can crash the server by a single mod on the root object of one database. Aug 15 14:18:37 trzs721boot kernel: [544888.798212] slapd[2861]: segfault at 0 ip 00007fbf89494522 sp 00007fbe8cfa7ca0 error 4 in slapd[7fbf8942c000+1b6000] I reproduced this on a test system, even with 2.4.26. The consumer are ldapsearch clients like this "-E!sync=rp/rid=xxx,csn= * +" on a single 2.4.25 machine. All SLES 11 SP1 64bit. Here is the gbd output. http://pastebin.com/6y83ZjqX I tried to create a core dump, but I could not get it work. I used this howto. The "top" example works, I get a core file for user ldap. With slapd it is not. Why does slapd crash here? Marc

12 years, 1 month

3
8
0 / 0

replication

by rocke.robertson＠pch.gc.ca

Good morning list I am having no end of problems trying to setup a delta synchronized replication. One consumer and one provider. Symptoms are as follows: User can authenticate and login using provider. If user changes password, new password does not get replicated to consumer. If password has not changed the user can authenticate and login using the consumer. Provider configuration is as follows: include /etc/openldap/schema/misc.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/redhat/autofs.schema include /etc/openldap/schema/ppolicy.schema ### added for host_attr access, this scheme gives me a host object for wrappers include /usr/share/doc/nss_ldap-253/ldapns.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 bind_anon_cred # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 256 logfile /var/log/slapd.log # Load dynamic backend modules using this path!!! modulepath /usr/lib/openldap moduleload ppolicy.la moduleload accesslog.la schemacheck on lastmod on access to attrs=userPassword by self write by anonymous auth by * none access to attrs=shadowLastChange by self write by * read access to * by * read ##NOPE access to * by * write # ------------------------------------------------------------------- # # Access log database instance for replication # ------------------------------------------------------------------- # # Accesslog database definitions database bdb suffix cn=accesslog directory /var/lib/db/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE # Let the replica DN have limitless searches limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited # ------------------------------------------------------------------- # # Primary database instance # ------------------------------------------------------------------- # database bdb suffix "dc=chin,dc=ca" rootdn "cn=admin, dc=chin,dc=ca" # rootpw rootpw {SSHA}xxxyyyzzzz directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq # define the default policy overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca" ppolicy_use_lockout # syncrepl Provider for primary db overlay syncprov syncprov-checkpoint 1000 60 # accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00 # Let the replica DN have limitless searches limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited The consumer configuration is as follows: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/misc.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/redhat/autofs.schema include /etc/openldap/schema/ppolicy.schema ### added for host_attr access, this scheme gives me a host object for wrappers include /usr/share/doc/nss_ldap-253/ldapns.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 bind_anon_cred pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 256 #loglevel -1 #loglevel 16384 logfile /var/log/slapd.log modulepath /usr/lib/openldap # ------------------------------------------------------------------- # # Primary database instance # ------------------------------------------------------------------- # database bdb suffix "dc=chin,dc=ca" rootdn "cn=admin,dc=chin,dc=ca" directory /var/lib/ldap # ------------------------------------------------------------------- # # Replica configuration instance # ------------------------------------------------------------------- # # syncrepl specific indices index entryUUID eq # syncrepl directives syncrepl rid=0 provider=ldap://ldap bindmethod=simple binddn="uid=replicator,ou=people,dc=chin,dc=ca" #binddn="cn=admin,dc=chin,dc=ca" credentials=xyzyzzz searchbase="dc=chin,dc=ca" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog # Refer updates to the master updateref ldap://ldap Error messages on the consumer is: Aug 15 09:28:08 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying Aug 15 09:29:09 stgvir009 slapd[31110]: syncrepl_message_to_entry: rid 000 mods check (pwdAttribute: value #0 invalid per syntax) Aug 15 09:29:09 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying Which looks like it is missing a schema. But I can't find a schema that is missing. Log messages on provider showing replicator account activity. Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 ACCEPT from IP=172.16.50.40:45510 (IP=0.0.0.0:389) Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128 Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0 Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 RESULT tag=97 err=0 text= Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)" Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH attr=* + Aug 15 09:29:53 provir009 slapd[27606]: send_search_entry: conn 6736 ber write failed. Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 closed (connection lost on write) Aug 15 09:29:53 provir009 slapd[27606]: connection_read(17): no connection! Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 fd=17 ACCEPT from IP=172.16.50.40:45511 (IP=0.0.0.0:389) Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128 Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0 Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 RESULT tag=97 err=0 text= Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=1 SRCH base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)" I don't know what this means I'm afraid. But intuitively it doesn't look good. Any guidance would be astoundingly great. I am new to ldap so this is a bit of a learning curve. Many thanks Rocke Robertson Gouvernement du Canada | Government of Canada

12 years, 1 month

3
2
0 / 0

aliased objects follow across different suffixes on same server?

by Tyler Gates

Hello, I would like to know if it is possible to have an aliasedobjectname reference an object that is defined in a different database as a different suffix on the same server. I have deref set to always but it doesn't seem to be following the alias as long as it is not on its own suffix. Below is an example of what I am trying to do. suffix1: dc=example,dc=com dn: cn=entry,dc=example,dc=com ... suffix2: dc=example,dc=net dn: cn=entry2,dc=example,dc=net objectClass: alias objectClass: extensibleObject aliasedobjectname: cn=entry,dc=example,dc=com

12 years, 1 month

2
3
0 / 0

Re: Assigning Groups to LDAP users

by Dmitriy Kirhlarov

On 08/14/2011 03:18 PM, pradyumna dash wrote: > Hi, > > Thank you so much. I have never worked a lot on nss_ldap so asking some > basic questions. > > As per you said you guys are running the same in your env. > > ldap: > personals user groups: > ou=groups,o=company > first project groups: > cn=group1,ou=project1,o=__company > cn=group2,ou=project1,o=__company > > -- Do i need to create separate OU's for different groups? Up to you. You need some "separator" between projects. It can be branch in the tree, or scope "base" in filter configuration from nss_ldap.conf file. We are prefer branches. It's more readable, when you have many groups and many projects. > second project groups: > cn=group1,ou=project2,o=__company > cn=group2,ou=project2,o=__company > -- How i can specify the users who are a part of which group? cn=group1,ou=project1,o=company objectClass: posixGroup cn: group1 gidNumber: 1000 description: project1 admin group memberUid: user1 memberUid: user2 memberUid: user3 > "Server1" nss_ldap.conf: > nss_base_group ou=groups,o=company?sub > nss_base_group ou=project1,o=company?one > --The syntax in the conf file will be like above ?? Because i have never > used ?sub and ?one It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax. You should to write second part of URI (after connection description) with base, scope and filter. > "Server2" nss_ldap.conf: > nss_base_group ou=groups,o=company?sub > nss_base_group ou=project2,o=company?one > > Also if you can help, am trying "pwdReset" for my ldap users, in the > ppolicy.schema file i have uncommented this attribute but not able to > load the schema, if you can give me some pointers would be appreciated. > What i want is when firsttime any user logs in he will asked to change > his password. 1. try to start slapd with "-d config" 2. take a look to http://www.zytrax.com/books/ldap/ch6/ppolicy.html WBR > > Regards, > Neo > > I am not a expert in OpenLDAP so please help me. > 2011/8/14 Dmitriy Kirhlarov <dimma(a)higis.ru <mailto:dimma@higis.ru>> > > Hi. > > > On 08/12/2011 07:40 PM, Buchan Milne wrote: > > On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote: > > Guys, > > I have a query, lets take a scenario : > > Assume we have 2 servers "Server1" and "Server2" and 2 > groups "Admin" and > "ITTech", What is needed is like say when a user "bob" logging > in to "Server1" he will get the group "Admin", but when he > logs in to > "Server2" he will get group "ITTech". Also it may vary for > different users > like when "Kris" logs in to Server1 he may get a group > called "ITTech" and > when he logs in to "Server2" he will get some other group > say "Security". > Can it be possible by OpenLDAP ? > > > IMHO, this is a bad idea. It will specifically be problematic if > you have any > files shared/replicated/backed up between servers (e.g. via NFS). > > > We are using this functionality without any problems. :) > This is feature of nss_ldap. > > ldap: > personals user groups: > ou=groups,o=company > > first project groups: > cn=group1,ou=project1,o=__company > cn=group2,ou=project1,o=__company > > second project groups: > cn=group1,ou=project2,o=__company > cn=group2,ou=project2,o=__company > > "Server1" nss_ldap.conf: > nss_base_group ou=groups,o=company?sub > nss_base_group ou=project1,o=company?one > > "Server2" nss_ldap.conf: > nss_base_group ou=groups,o=company?sub > nss_base_group ou=project2,o=company?one > > > WBR > > > If this is achieved then we are planning > to have SUDO files based on the grooups. > > > It would be much more effective to have your sudo rules in LDAP, > and apply a > rule to a set of users/groups to a collection/netgroup of hosts. > > Regards, > Buchan > > >

12 years, 1 month

1
0
0 / 0

acl confusion in proxy server config

by Ron Peterson

I have a proxy server ('ldap' backend) sitting in front of a master directory. The DNs on my master directory are UUIDs + ou + domain, e.g. myid=1234...89,dc=yada,dc=com. Each object has a (unique) username attrbute. Logging in on the proxy server involves mapping the username to the DN rwm-rewriteMap ldap uid2DN "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub" binddn="uid=..." credentials="xxx" rwm-rewriteContext bindDN rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=zzz" "${uid2DN(myusername=$1)}" ":@I" I would like anyone logging in as themselves to be able to read their own attributes. I'm having trouble doing this. 'Self' doesn't seem to work because of the mapping going on, e.g. access to dn.sub="ou=vpn" by self read by anonymous auth by * non Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com", (read(=rscxd)) Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: * Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop) Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0) Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access denied by none(=0 I think 'self' doesn't match because myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com (is my thinking correct on this?) How do I allow a user to read their own attributes in this situation? -Ron-

12 years, 1 month

2
1
0 / 0

Problem with overlay uniqe

by Ruud Baart

I use slapd 2.4.23 (debian package) with some overlays: syncprov, unique and valsort. I have a problem with the unique overlay. This is the unique constraint: olcUniqueURI: ldap://ou=Workstations,ou=Devices,dc=example,dc=com/?uid?sub I try to add a ldif like this: dn: uid=userabc,ou=MozillaAddressBook,ou=Users,dc=example,dc=com objectClass: person ... objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: .. ... uid: userabc ... with ldapadd I get: ldap_add: Constraint violation (19) additional info: some attributes not unique When I remove the unique constraint the ldif file is accepted. It seems to me that something is wrong: the base of olcUniqueURI is different from the base where I try to add a entry. I don't understand this. Is the olcUniqueURI wrong? -- Regards, Ruud Baart

12 years, 1 month

5
8
0 / 0

Re: Group Members

by Michael Ströder

Cc:-ed openldap-technical(a)openldap.org criderkevin(a)aol.com wrote: > Not many users, only about 400-500. I'm thinking just due to our need to > multiple admins needing access to different apps we may want different > branches...but them the Users are duplicated but perhaps in an LDAP world > that's not a no-no. I believe this sort of thing can be controlled by ACL's as > well?...but 1 branch per App seems to be easiest. (woudl you agree?) Yes, you should make yourself familiar with ACLs for achieving degelated administration. > Also, are there decent free LDAP amin gui interface tools anyone would > recommend? I've tried a few that Google search has come up with but thought > I'd ask... There are several with different focus. You should try out yourself and choose the one which fits your needs best. Being the author of web2ldap I'm biased anyway. Ciao, Michael.

12 years, 1 month

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2011