can't get memberof filter working
by Gerardo Herzig
Hi all. I'm having a hard time trying to figure out what is wrong with this
ldap query:
I'm trying to filter a specific user inside a specific group. Like this
/usr/bin/ldapsearch -x -D ".." -w..
-b "o=Work"
"(&(uniquemember=uid=gherzig,ou=People,o=Work)
(memberof=cn=MailUsers,ou=Groups,o=Work))"
It gets no results, but if I remove the memberof part, it works fine.
"(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me
all the entries that user is in.
What is wrong?
BTW specifying a different search base is not an option, I need that base
as it is.
Thanks!!
Gerardo
12 years, 1 month
Group Members
by criderkevin@aol.com
What's the best way to design my LDAP for use by multiple apps?
I need to be able to tell if a user is a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right.
Now I'm experimenting with Groups. I have a few Groups set up of objectClass groupOfNames and I've added "member"s to them...the problem is I can't seem to find an ldapsearch that returns a list of users for a particular group. What am I missing here? This query was the closest I came as it returns the list of member attributes:
/usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))"
Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
Would I be better off with the custom attributes on my Users ou? I also need to consider that we need to provide access to several admins for maintenance, so we need to make sure one admin can't change the application access that they shouldn't. Should we have a separate branch for each app then???
tia,
Kevin
12 years, 1 month
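An added illustration for the two threads above (it is not part of either post and not OpenLDAP code): a small in-memory evaluator that applies an LDAP search filter the way a directory server does, to one entry at a time, so a filter only matches entries that themselves carry every attribute it names. The sample entries are constructed: membership (uniqueMember, member) sits on the group entries, while memberOf sits on the user entries only because the example assumes a memberof-style overlay maintains it there. It shows which entries each filter from the first post selects, and for the second post resolves a group's member DNs to user entries in two steps. All DNs, names and the limited filter grammar (&, |, ! and equality, no escaping) are assumptions of the example.

```python
# Added illustration, not code from either post or from OpenLDAP: a toy
# in-memory evaluator for LDAP search filters (RFC 4515 syntax, limited to
# &, |, ! and equality; no escaping or substring/extensible matching).
# A directory evaluates a filter against each entry on its own, so a filter
# only matches entries that themselves carry every attribute it names.

# Constructed sample directory.  Membership is stored on the group entries
# (uniqueMember / member); memberOf appears on the user entries only because
# we assume a memberof-style overlay maintains it there.
ENTRIES = [
    {"dn": "cn=MailUsers,ou=Groups,o=Work",
     "objectClass": ["groupOfUniqueNames"], "cn": ["MailUsers"],
     "uniqueMember": ["uid=gherzig,ou=People,o=Work",
                      "uid=jdoe,ou=People,o=Work"]},
    {"dn": "cn=GroupA,ou=Groups,o=Work",
     "objectClass": ["groupOfNames"], "cn": ["GroupA"],
     "member": ["uid=jdoe,ou=People,o=Work"]},
    {"dn": "uid=gherzig,ou=People,o=Work",
     "objectClass": ["inetOrgPerson"], "uid": ["gherzig"],
     "memberOf": ["cn=MailUsers,ou=Groups,o=Work"]},
    {"dn": "uid=jdoe,ou=People,o=Work",
     "objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
     "memberOf": ["cn=MailUsers,ou=Groups,o=Work",
                  "cn=GroupA,ou=Groups,o=Work"]},
]


def parse_filter(text):
    """Parse a filter string into a tree: ('&', kids), ('|', kids),
    ('!', [kid]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, kids)
        end = text.index(")", pos)          # values containing ')' not handled
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against ONE entry (attribute -> values)."""
    op = tree[0]
    if op == "&":
        return all(matches(entry, k) for k in tree[1])
    if op == "|":
        return any(matches(entry, k) for k in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, value = tree
    for name, vals in entry.items():
        # Attribute names are case-insensitive; DN values compared the same way.
        if name != "dn" and name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in vals)
    return False                              # attribute absent on this entry


def search(entries, filter_text):
    """Return the DNs of the entries the filter selects, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(e, tree)]


def group_members(entries, group_dn, member_attr="uniqueMember"):
    """Two-step membership listing: read the group entry, then resolve each
    member DN to its user entry (needed when no memberOf is maintained)."""
    by_dn = {e["dn"].lower(): e for e in entries}
    group = by_dn.get(group_dn.lower())
    if group is None:
        return []
    return [by_dn[m.lower()]["dn"] for m in group.get(member_attr, [])
            if m.lower() in by_dn]


if __name__ == "__main__":
    print(search(ENTRIES, "(uniquemember=uid=gherzig,ou=People,o=Work)"))
    print(search(ENTRIES, "(memberof=cn=MailUsers,ou=Groups,o=Work)"))
    print(search(ENTRIES, "(&(uniquemember=uid=gherzig,ou=People,o=Work)"
                          "(memberof=cn=MailUsers,ou=Groups,o=Work))"))
    print(search(ENTRIES, "(&(objectclass=groupOfNames)(cn=GroupA))"))
    print(group_members(ENTRIES, "cn=GroupA,ou=Groups,o=Work", "member"))
```

The uniquemember term alone selects the group entry and the memberof term alone selects the user entries; combined under & they select nothing, because no single entry carries both attributes. Listing a group's users without a maintained memberOf attribute is therefore the two-step lookup in group_members: fetch the group, then read each member DN.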
list of replicas
by Dmitriy Kirhlarov
Hi, list.
Our company has some core ldap servers.
Also we have many replicas from this core, all supported by different
persons. I need to get the full list of these replicas.
I supposed I would find this information in slapd.log, with "sync" enabled,
but I couldn't find any replica indicators.
Could you please let me know how to find replicas information in slapd.log?
WBR
12 years, 1 month
Read-only Back-SQL
by Worgan, Craig (Craig)
Hi,
I have a little bit of, mainly experimental, experience configuring back-sql to connect to a PostgreSQL database. I have a requirement in front of me to expose a small table of user data in the database to an existing LDAP client. The data in the database is already in the database and managed by another application through the database directly. The LDAP API I am being asked to provide will be read-only. In other words, the data will continue to be managed by the existing management app. I foresee two problems with this approach.
First, since the database table is already populated when the new ldap service is turned on, there is no data in the ldap_entries table. Is there a way to populate ldap_entries after the fact so that the records can be seen by OpenLDAP?
Second, since the data is mastered by another application that goes through SQL directly, is there a way to update the ldap_entries table on the fly to reflect the additions and deletions that occur once the ldap service is up and running?
Right now I am looking at writing a custom procedure to initially populate the ldap_entries table and then triggers to manage the additions and deletions from that point onward. I was just wondering if there was something in back-sql already that might provide a better solution.
We are currently using OpenLDAP 2.4.21.
Thanks,
Craig Worgan
Avaya | System Management Solutions | 250 Sidney Street | Belleville, Ontario Canada K8N 5B7 | (613) 967-5233 | worganc(a)avaya.com
12 years, 1 month
Multi-master setup
by Nocturn
I'm trying to set up a multi-master ldap with openldap on SL/RHEL 6.1 from
the docs here: http://www.openldap.org/doc/admin24/replication.html#N-WayMulti-Master
I created an ldif file with:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: ***
But all attempts to import it fail, both with ldapadd and with slapadd.
I think I may be getting the whole cn=config way of doing things
wrong. Can anyone point me in the right direction?
Thanks
12 years, 1 month
XDAS, SNMP, Auditing, Architecture, Systemrequirement, Replication, Administration - Request
by Kai Pohl
Dear Sir or Madam,
I have some questions about OpenLDAP 2.4.23 or 2.4.26. Does it have an
XDAS interface, or the possibility of implementing one from another company? Can it
use SNMP for monitoring/administration? A question about the architecture
of OpenLDAP: does it provide a read-only/multi-read/write/multi-server system?
Where can I find requirements for the system on which OpenLDAP should be
installed? My last question is about replication: which replication forms
can be used, and partitioning?
Kind Regards
Kai Pohl
======================================
Kai Pohl
Computer & Competence GmbH, www.cuc.de
Warnstedtstrasse 12-16, D22525 Hamburg
Tel: +49 (0)40 54882 - 163, Fax: -288
CuC is registered as "Computer & Competence"
Beratungs- und Vertriebs GmbH with the
Hamburg district court in register B
under number 46306.
Managing Director: Constantin Albrecht
Terms and conditions (AGB): https://www.cuc.de/AGB.agb.0.html
======================================
12 years, 1 month
Problem in authentication when multiple CA certificates are present
by sachin mishra
LDAP authentication was working fine when I had single CA certificate at my client machine. I was using
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_cacert_file)
to set the path of CA certificate. Now, there are multiple CA certificates in my certificate hosting path. I tried by reading all the files and then assigning the first one using the set option above and if it fails, I perform ldap_unbind and then create a fresh
request and set all the options before calling "ldap_start_tls_s". So the steps are:
1. ld = ldap_init()
2. ldap_set_option for number of options including LDAP_OPT_X_TLS_CACERTFILE which points to first file in the directory containing multiple CA certificates
3. ldap_start_tls_s(ld, NULL, NULL)
4. If step 3 is successful continue with normal operation
5. If step 3 fails, ldap_unbind (ld), start from step1 again except that LDAP_OPT_X_TLS_CACERTFILE will now have the next entry in the directory as input.
Is there anything wrong in this? Is there any better approach for this?
Thanks,
Sachin
12 years, 1 month
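An added example for the thread above (not from the post and not OpenLDAP code): the file handed to LDAP_OPT_X_TLS_CACERTFILE may contain any number of PEM certificates, so the trusted CAs can be merged into one bundle once instead of retrying StartTLS per candidate file (libldap also offers LDAP_OPT_X_TLS_CACERTDIR for a directory of CA files). The script below, written for this page, collects the CERTIFICATE blocks from several files, drops duplicates and anything that is not a certificate, and writes the bundle. The sample file contents are constructed placeholders with PEM framing only, not real certificates, and the file names are assumptions.

```python
# Added example, not code from the post or from OpenLDAP: merge several CA
# certificate files into one PEM bundle.  A file given to
# LDAP_OPT_X_TLS_CACERTFILE may hold any number of PEM certificates, so one
# bundle replaces the retry-per-file loop.  Sample PEM bodies are constructed
# placeholders, not real certificates.
import re
import tempfile
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL)


def extract_certs(text):
    """Return the CERTIFICATE blocks in text, each re-wrapped at 64 columns
    so identical certificates compare equal whatever their original
    wrapping; keys, comments and other material between blocks are ignored."""
    certs = []
    for body in PEM_CERT.findall(text):
        b64 = "".join(body.split())
        if not b64:                      # empty block: nothing to trust
            continue
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % "\n".join(lines))
    return certs


def build_bundle(texts):
    """Merge the certificates of several file contents, de-duplicated,
    into one bundle string.  Returns (bundle, certificate count)."""
    seen, out = set(), []
    for text in texts:
        for cert in extract_certs(text):
            if cert not in seen:
                seen.add(cert)
                out.append(cert)
    return "".join(out), len(out)


def bundle_directory(ca_dir, out_file, patterns=("*.pem", "*.crt")):
    """Write a bundle of every CA file under ca_dir to out_file (the path to
    hand to LDAP_OPT_X_TLS_CACERTFILE); returns the certificate count."""
    paths = sorted({p for pat in patterns for p in Path(ca_dir).glob(pat)})
    bundle, count = build_bundle(p.read_text() for p in paths)
    Path(out_file).write_text(bundle)
    return count


# Constructed sample files: two copies of CA "A" that differ only in line
# wrapping, one CA "B", and a private key that must never end up in the bundle.
SAMPLE_FILES = {
    "ca-a.pem": "-----BEGIN CERTIFICATE-----\nAAAA\nBBBB\n-----END CERTIFICATE-----\n",
    "ca-a-copy.crt": "# same CA, rewrapped\n-----BEGIN CERTIFICATE-----\n"
                     "AAAABBBB\n-----END CERTIFICATE-----\n",
    "ca-b.pem": "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----",
    "key.pem": "-----BEGIN RSA PRIVATE KEY-----\nXXXX\n-----END RSA PRIVATE KEY-----\n",
}


def bundle_samples():
    """Write the sample files to a scratch directory and bundle them;
    returns the number of certificates that reached the bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_FILES.items():
            Path(tmp, name).write_text(text)
        count = bundle_directory(tmp, Path(tmp, "ca-bundle.pem"))
        print(Path(tmp, "ca-bundle.pem").read_text())
        return count


if __name__ == "__main__":
    print(bundle_samples(), "certificates written")
```

The duplicate copy of CA "A" and the private key are dropped, so two certificates reach the bundle. Re-wrapping before comparison is what makes the duplicate detection reliable; comparing raw file contents would have kept both copies.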
Hello, please help build a query for LDAP
by Alexey Shalin
Hello, please help build a query for LDAP, to get a list of accounts whose password has expired
Thank you
-------------------------------------------------------------------------------
Best regards,
Alexey Shalin
System Administrator
System Administration Department
CJSC "Interbank Processing Center"
720083, Kyrgyz Republic
Bishkek, Auezov St. 1/2
tel.: +996 (312) 637738 (ext. 138)
fax: +996 (312) 637748
e-mail: a.shalin(a)ipc.kg
12 years, 1 month
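An added example for the thread above (not from the post and not OpenLDAP code), assuming the ppolicy overlay is in use: the overlay stamps pwdChangedTime (GeneralizedTime) on each entry and the policy entry carries pwdMaxAge in seconds, so "password expired" becomes an ordering filter on pwdChangedTime against a cutoff of now minus pwdMaxAge. The code below, written for this page, builds that filter, handles the cases a practitioner runs into (a pwdMaxAge of 0 means no expiry; entries with no pwdChangedTime cannot match and need their own filter) and applies the same rule to in-memory entries. The inetOrgPerson object class, the 90-day policy and the sample entries are assumptions.

```python
# Added example, not from the post: building the search filter for
# password-expired accounts when the ppolicy overlay is in use.  Assumes the
# overlay stamps pwdChangedTime on each entry and that the policy's
# pwdMaxAge (seconds) is known; the person object class and the sample
# entries are assumptions for the example.
from datetime import datetime, timedelta, timezone


def generalized_time(dt):
    """Format an aware datetime as LDAP GeneralizedTime in UTC
    (e.g. 20110617120000Z), the syntax pwdChangedTime uses."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(value):
    """Inverse of generalized_time for the plain YYYYMMDDHHMMSSZ form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expired_filter(pwd_max_age, now=None, person_class="inetOrgPerson"):
    """Return a filter selecting entries whose password is older than
    pwd_max_age seconds, or None when pwd_max_age is 0 (never expires).

    An entry with no pwdChangedTime (password set before ppolicy was
    enabled, or never touched by it) cannot match an ordering filter on
    that attribute and has to be reviewed separately."""
    if pwd_max_age <= 0:
        return None
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(seconds=pwd_max_age)
    return "(&(objectClass=%s)(pwdChangedTime<=%s))" % (
        person_class, generalized_time(cutoff))


def missing_changed_time_filter(person_class="inetOrgPerson"):
    """Companion filter for the entries the first one cannot judge."""
    return "(&(objectClass=%s)(!(pwdChangedTime=*)))" % person_class


def password_expired(entry, pwd_max_age, now):
    """Apply the same rule to one entry dict (attribute -> list of values).
    Returns True/False, or None when the entry has no pwdChangedTime."""
    if pwd_max_age <= 0:
        return False
    changed = entry.get("pwdChangedTime")
    if not changed:
        return None
    return parse_generalized_time(changed[0]) + timedelta(seconds=pwd_max_age) <= now


if __name__ == "__main__":
    now = parse_generalized_time("20110915120000Z")   # constructed "now"
    max_age = 90 * 86400                               # assumed 90-day policy
    print(expired_filter(max_age, now))
    print(missing_changed_time_filter())
    for e in ({"pwdChangedTime": ["20110101000000Z"]},
              {"pwdChangedTime": ["20110901000000Z"]}, {}):
        print(e, password_expired(e, max_age, now))
```

Run the first filter with ldapsearch against the users' base; run the second one as well, since accounts that predate the policy show up only there. If different subtrees use different policies (pwdPolicySubentry), compute a cutoff per policy rather than one for the whole directory.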
TLS handshake failure
by Daniel Qian
Hi,
I have slapd 2.4.24 and everything works without TLS, but if I add a -Z
option to the ldapsearch command I get this:
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
slapd.log shows something like this : connection_read(16): TLS accept
failure error=-1 id=1006, closing
Output from openssl debug:
[root@ldaprov1 cacerts]# openssl s_client -connect hostname:389
-showcerts -state -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The configurations are as follows (same command as above but without the
-Z option):
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
I verified the ldap user can read all the TLS files and they are set up fine:
[root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile
cacert.pem ldaprov1.crt
ldaprov1.crt: OK
Can anyone tell me what I am missing here?
Thanks,
Daniel
12 years, 1 month
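An added example for the thread above (not from the post and not OpenLDAP code): what StartTLS on port 389 looks like on the wire. Per RFC 4511 and RFC 4513 the client first sends an LDAP ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037 and only starts the TLS handshake after the server's ExtendedResponse reports success; a listener that expects an LDAP message first cannot make sense of a bare TLS ClientHello, which is the difference between a StartTLS probe and a plain TLS connection to the LDAP port (recent OpenSSL releases add -starttls ldap to s_client for this). The encoder and decoder below are written for this page; the sample server responses are constructed bytes, the refusal text is invented, and starttls_probe performs a live exchange against a host you supply.

```python
# Added example, not code from the post or from OpenLDAP: the two LDAP
# messages that open a StartTLS negotiation on port 389 (RFC 4511, 4513),
# encoded and decoded by hand.  Sample server responses are constructed.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUM, TAG_OCTETS = 0x30, 0x02, 0x0A, 0x04
TAG_EXT_REQUEST = 0x77      # [APPLICATION 23] constructed
TAG_EXT_RESPONSE = 0x78     # [APPLICATION 24] constructed
TAG_REQUEST_NAME = 0x80     # [0] in ExtendedRequest
TAG_RESPONSE_NAME = 0x8A    # [10] in ExtendedResponse


def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] OID } }."""
    ext = tlv(TAG_EXT_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([msg_id])) + ext)


def read_tlv(buf, pos):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Decode an LDAPMessage carrying an ExtendedResponse."""
    tag, body, _ = read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(body, pos)
    if tag != TAG_EXT_RESPONSE:
        raise ValueError("protocolOp is not ExtendedResponse (tag 0x%02x)" % tag)
    out = {"msg_id": int.from_bytes(mid, "big"), "response_name": None}
    _, rc, pos = read_tlv(resp, 0)                 # resultCode ENUMERATED
    out["result_code"] = int.from_bytes(rc, "big")
    _, dn, pos = read_tlv(resp, pos)               # matchedDN
    out["matched_dn"] = dn.decode("utf-8")
    _, diag, pos = read_tlv(resp, pos)             # diagnosticMessage
    out["diagnostic"] = diag.decode("utf-8")
    while pos < len(resp):                         # optional trailing fields
        tag, val, pos = read_tlv(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            out["response_name"] = val.decode("ascii")
    return out


# Constructed sample responses: a bare success, and a refusal (resultCode 52,
# unavailable) with an invented diagnostic that also echoes the OID.
SAMPLE_SUCCESS = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_REFUSAL = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(
    TAG_EXT_RESPONSE,
    tlv(TAG_ENUM, b"\x34") + tlv(TAG_OCTETS, b"")
    + tlv(TAG_OCTETS, b"TLS not available") + tlv(TAG_RESPONSE_NAME, STARTTLS_OID)))


def starttls_probe(host, port=389, cafile=None, timeout=5):
    """Live check against a real server: send the request, decode the reply,
    then upgrade the same socket to TLS.  Returns (parsed reply, TLS version)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        reply = parse_extended_response(sock.recv(4096))   # reply is small
        if reply["result_code"] != 0:
            raise RuntimeError("StartTLS refused: %(result_code)d %(diagnostic)s" % reply)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return reply, tls.version()


if __name__ == "__main__":
    print(build_starttls_request().hex())
    print(parse_extended_response(SAMPLE_SUCCESS))
    print(parse_extended_response(SAMPLE_REFUSAL))
```

The request is 31 bytes and identical for every server, so it is a handy thing to recognise in a packet capture; the TLS handshake only starts after a resultCode of 0 comes back. When the probe raises on a non-zero resultCode the diagnosticMessage from the server is the place to start, since the server has at that point refused before any certificate was involved.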