openldap-technical September 2011

openldap-technical@openldap.org

101 participants
119 discussions

LDAP and SSL
by criderkevin＠aol.com 26 Sep '11

26 Sep '11

I'm struggling with the need for SSL... We will use our new LDAP for apps. These servers are all locally housed so each app server will talk to the LDAP server over our network. (why) Would we need SSL? What about for mail services? It seems to me that our mail server would also talk directly to the LDAP server...what am I missing here that dictates the use of SSL with LDAP? I could see if one had their LDAP open to be accessible direct access from off-network. Perhaps SSL is used simply as a means to authenitcate? Kevin

7 8

JLDAP Search
by criderkevin＠aol.com 26 Sep '11

26 Sep '11

I'm using the example code from the Novell site to perform a Java JLDAP search by uid of my directory. http://developer.novell.com/documentation/samplecode/jldap_sample/index.htm the one called "search.java" My program does this: the main java class prompts the user over and over (it's in a while(true) loop) for search parameters, then executes this search.java method. I'm using this (above) code as is except for the Systems.exit(0). The first time it runs it returns the correct result...but every run after that it returns 0 results. I have to restart my Java program to get it to return the correct result again. There's no public variables in the way...I'm not sure what could be the issue. I've looked through the LDAPConnection.java and nothing looks looks like anything that would corrupt, clear a cache, or queue, or do anything more than what the disconnect (should) does. Anyone run into this?...or have any ideas? Thanks! Kevin

1 1

Migrating from local LDAP auth to LDAP+kerberos
by Tim Watts 26 Sep '11

26 Sep '11

Hi, I like kerberos - been using it for years at other sites. New job - have LDAP, no kerberos. I'd like to backend the existing LDAP server with kerberos - I have some hope as I've just ready this excellent article: http://www.linux-mag.com/id/4765/ (free registration needed) Traditionally, I would have probably have made LDAP open for browsing (no auth) and adapted PAM on the clients to do auth via kerberos. However, I have a load of apps here that only know how to talk and auth against LDAP. Am I right in thinking: 1) Once LDAP is backended with kerberos, that "LDAP authentication" can take place using either a) plain password via LDAP which auths to kerberos; b) GSSAPI (ie using a client side kerberos ticket from a previous kinit) 2) Can I migrate users piecemeal, eg remove their LDAP psswords one by one and (possibly tweaking something on the LDAP directory) have those users auth through to kerberos, while other users auth to the LDAP directory, until everyone is moved? Please excuse the dumbness - I know kerberos, I am just learning LDAP. Or is this going to have to be a big-bang switchover? Cheers Tim -- Tim Watts Personal Blog: http://www.dionic.net/tim/

2 3

inetUserStatus
by Fred 26 Sep '11

26 Sep '11

Hi all, How to process to extend openldap 2.4.23 schema to get netscape inetUserStatus available in my direcdtory ? I don't find links to download this schema. Best regards, Fred

2 1

OpenLDAP with MySQL backend not working
by Victor LAZA 25 Sep '11

25 Sep '11

Hi all, I am using OpenLDAP with MySQL backend for testing purpose, a future project of linux authentication via LDAP but with MySQL backend. For this I am using 2 virtual machines with the following configurations: Centos 5.6 x86_64 Iptables is off Memory: 1 GB of RAM Packages installed on server: openldap.x86_64 , openldap-servers-sql.x86_64 , openldap-servers.x86_64 , openldap-clients.x86_64 (all are version 2.3.43) , openldap24-libs.x86_64 (version 2.4.23) , mysql-connector-odbc.x86_64 (version 3.51.26r1127 ) Packages installed on client: openldap-clients.x86_64 (version 2.3.43) On the server I have created a user ldap, group ldap and granted him FULL access on ldap_test database After that I imported from /usr/share/doc/openldap-servers-sql-2.3.43/rdbms_depend/mysql/ the files: backsql_create.sql , testdb_create.sql , testdb_data.sql , testdb_metadata.sql into the database ldap_test When I try to ldap search from the CLIENT computer with ldapsearch -x it should show me all the contents in the database tried also with ldapsearch -x -D "cn=admin,dc=example,dc=com" -W still no result In a manual check the data is in the MySQL database, in all tables Can someone provide me some info/ideeas on how to configure it to work? Thank you in advance. Below are all my config files and the output from slapd ############ /etc/odbc.ini ############ ; ; odbc.ini configuration for Connector/ODBC and Connector/ODBC 3.51 drivers ; [ODBC Data Sources] mysql = MySQL 3.51 [mysql] driver = mysql server = localhost port = 3306 database = ldap_test user = ldap password = ldappass socket = /var/lib/mysql/mysql.sock [default] driver = MySQL server = localhost port = 3306 database = ldap_test user = ldap password = ldappass socket = /var/lib/mysql/mysql.sock ########## /etc/odbcinst.ini ########## mysql] driver = /usr/lib64/libmyodbc3.so usagecount = 1 ############ /etc/openldap/slapd.conf ############ # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org # Level of LOG loglevel -1 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: #modulepath /usr/lib64/openldap/ # Modules available in openldap-servers-overlays RPM package # Module syncprov.la is now statically linked with slapd and there # is no need to load it here # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # modules available in openldap-servers-sql RPM package: moduleload /usr/lib64/openldap/back_sql.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read access to * by self write by users read by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # SQL database definitions ####################################################################### database sql suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw {SHA}28Jb9vUzoK2ufUP85ZVsNUV9kJ4= dbname ldap_test dbuser ldap dbpasswd ldappass at_query "SELECT name,sel_expr,from_tbls,join_where,add_proc,delete_proc,param_order,expect_r eturn FROM `ldap_test`.`ldap_attr_mappings` WHERE oc_map_id=?" oc_query "SELECT id,name,keytbl,keycol,create_proc,delete_proc,expect_return FROM `ldap_test`.`ldap_oc_mappings`" insentry_query "INSERT INTO `ldap_test`.`ldap_entries` (id,dn,oc_map_id,parent,keyval) values ((select max(id)+1 from `ldap_test`.`ldap_entries`),?,?,?,?)" id_query "SELECT id,keyval,oc_map_id,dn FROM `ldap_test`.`ldap_entries` WHERE dn=?" ######### /etc/openldap/ldap.conf ######### # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example, dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never URI ldap://192.168.200.128/ BASE dc=example,dc=com TLS_CACERTDIR /etc/openldap/cacerts Slapd -d -1 output when in do a ldapsearch -x -D "cn=admin,dc=example,dc=com" -W ##### daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(7): daemon: epoll: listen=7 busy >>> slap_listener(ldap:///) daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: listen=7, new connection on 8 daemon: added 8r (active) listener=(nil) conn=0 fd=8 ACCEPT from IP=192.168.200.131:50069 (IP=0.0.0.0:389) daemon: activity on 2 descriptors daemon: activity on: 8r daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read active on 8 daemon: epoll: listen=7 active_threads=0 tvp=NULL connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 2e 02 01 01 60 29 02 0....`). ldap_read: want=40, got=40 0000: 01 03 04 1a 63 6e 3d 61 64 6d 69 6e 2c 64 63 3d ....cn=admin,dc= 0010: 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 80 08 example,dc=com.. 0020: 61 6c 66 61 62 65 74 61 alfabeta ber_get_next: tag 0x30 len 46 contents: ber_dump: buf=0x2b23ef734cb0 ptr=0x2b23ef734cb0 end=0x2b23ef734cde len=46 0000: 02 01 01 60 29 02 01 03 04 1a 63 6e 3d 61 64 6d ...`).....cn=adm 0010: 69 6e 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 in,dc=example,dc 0020: 3d 63 6f 6d 80 08 61 6c 66 61 62 65 74 61 =com..alfabeta ber_get_next ldap_read: want=8 error=Resource temporarily unavailable daemon: activity on 1 descriptor do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x2b23ef734cb0 ptr=0x2b23ef734cb3 end=0x2b23ef734cde len=43 0000: 60 29 02 01 03 04 1a 63 6e 3d 61 64 6d 69 6e 2c `).....cn=admin, 0010: 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f dc=example,dc=co 0020: 6d 80 08 61 6c 66 61 62 65 74 61 m..alfabeta ber_scanf fmt (m}) ber: ber_dump: buf=0x2b23ef734cb0 ptr=0x2b23ef734cd4 end=0x2b23ef734cde len=10 0000: 00 08 61 6c 66 61 62 65 74 61 ..alfabeta >>> dnPrettyNormal: <cn=admin,dc=example,dc=com> => ldap_bv2dn(cn=admin,dc=example,dc=com,0) <= ldap_bv2dn(cn=admin,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=admin,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=admin,dc=example,dc=com)=0 <<< dnPrettyNormal: <cn=admin,dc=example,dc=com>, <cn=admin,dc=example,dc=com> do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128 daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128 ==>backsql_bind() <==backsql_bind() root bind conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 do_bind: v3 bind: "cn=admin,dc=example,dc=com" to "cn=admin,dc=example,dc=com" send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 8 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ conn=0 op=0 RESULT tag=97 err=0 text= daemon: activity on 1 descriptor daemon: activity on: 8r daemon: read active on 8 daemon: epoll: listen=7 active_threads=0 tvp=NULL connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 36 02 01 02 63 31 04 06...c1. ldap_read: want=48, got=48 0000: 11 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 .dc=example,dc=c 0010: 6f 6d 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 om.............. 0020: 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 ...objectclass0. ber_get_next: tag 0x30 len 54 contents: ber_dump: buf=0x2b23ef734cb0 ptr=0x2b23ef734cb0 end=0x2b23ef734ce6 len=54 0000: 02 01 02 63 31 04 11 64 63 3d 65 78 61 6d 70 6c ...c1..dc=exampl 0010: 65 2c 64 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 e,dc=com........ 0020: 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 63 .........objectc 0030: 6c 61 73 73 30 00 lass0. ber_get_next ldap_read: want=8 error=Resource temporarily unavailable do_search daemon: activity on 1 descriptor ber_scanf fmt ({miiiib) ber: ber_dump: buf=0x2b23ef734cb0 ptr=0x2b23ef734cb3 end=0x2b23ef734ce6 len=51 0000: 63 31 04 11 64 63 3d 65 78 61 6d 70 6c 65 2c 64 c1..dc=example,d 0010: 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 00 02 01 c=com........... 0020: 00 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 ......objectclas 0030: 73 30 00 s0. >>> dnPrettyNormal: <dc=example,dc=com> => ldap_bv2dn(dc=example,dc=com,0) <= ldap_bv2dn(dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=example,dc=com)=0 <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL SRCH "dc=example,dc=com" 2 0 0 0 0 begin get_filter PRESENT ber_scanf fmt (m) ber: ber_dump: buf=0x2b23ef734cb0 ptr=0x2b23ef734cd7 end=0x2b23ef734ce6 len=15 0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 ..objectclass0. end get_filter 0 filter: (objectClass=*) ber_scanf fmt ({M}}) ber: ber_dump: buf=0x2b23ef734cb0 ptr=0x2b23ef734ce4 end=0x2b23ef734ce6 len=2 0000: 00 00 .. attrs: conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ==>backsql_search(): base="dc=example,dc=com", filter="(objectClass=*)", scope=2, deref=0, attrsonly=0, attributes to load: all ==>backsql_get_db_conn() ==>backsql_open_db_conn(0) <==backsql_open_db_conn(0) backsql_open_db_conn(0): connected, adding to tree. <==backsql_get_db_conn() ==>backsql_dn2id("dc=example,dc=com") matched expected backsql_dn2id("dc=example,dc=com"): id_query "SELECT id,keyval,oc_map_id,dn FROM `ldap_test`.`ldap_entries` WHERE dn=?" backsql_dn2id("dc=example,dc=com"): upperdn="MOC=CD,ELPMAXE=CD" <==backsql_dn2id("dc=example,dc=com"): err=32 send_ldap_result: conn=0 op=1 p=3 send_ldap_result: err=32 matched="" text="" send_ldap_response: msgid=2 tag=101 err=32 ber_flush: 14 bytes to sd 8 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... .... ldap_write: want=14, written=14 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... .... conn=0 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= daemon: activity on 1 descriptor <==backsql_search() daemon: activity on: 8r daemon: read active on 8 daemon: epoll: listen=7 active_threads=0 tvp=NULL connection_get(8) connection_get(8): got connid=0 connection_read(8): checking for input on id=0 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 03 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0x2b23ef5e0ba0 ptr=0x2b23ef5e0ba0 end=0x2b23ef5e0ba5 len=5 0000: 02 01 03 42 00 ...B. ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 8 failed errno=0 (Success) connection_read(8): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=8 for close daemon: activity on 1 descriptor connection_close: deferring conn=0 sd=8 daemon: activity on: do_unbind daemon: epoll: listen=7 active_threads=0 tvp=NULL conn=0 op=2 UNBIND connection_resched: attempting closing conn=0 sd=8 connection_close: conn=0 sd=8 ==>backsql_connection_destroy() ==>backsql_free_db_conn() backsql_free_db_conn(): closing db connection 0 (0x2b23ef754530) ==>backsql_close_db_conn(0) <==backsql_close_db_conn(0) <==backsql_free_db_conn() <==backsql_connection_destroy() daemon: removing 8 conn=0 fd=8 closed

2 4

Not able to run OpenLDAP in SLES11
by pradyumna dash 24 Sep '11

24 Sep '11

Hi, I am not able to run OpenLDAP, if am trying to configure it from slapd.conf file. Please find the configuration files as attached. When i run the below command i get the output ldapsearch -x -h 192.168,0.1 -D "cn=Manager,dc=example,dc=com" -b "dc=example,dc=com" -W but when i try either ldapsearch -x or ldapsearch -x -h 192.168.0.1 -b "cn=Manager,dc=example,dc=com" it shows : base <cn=Manager,dc=example,dc=com> with scope subtree filter: (objectclass=*) requesting: ALL #search result search: 2 result: 32 No such object #numResponse: 1 OS : SLES 11 SP1 LDAP : 2.4.20-0.4.29 What i have changed is insted of dynamic backend i am trying to use slapd.conf file so i have changed in /etc/sysconfig/openldap file OPENLDAP_CONFIG_BACKEND="files". Please suggest how to solve this. Regards, Neo

3 3

Unable to start slapd, syncrepl error
by William S. 23 Sep '11

23 Sep '11

Oh the wise and mighty of the openLDAP community, I have an issue that I have not been able to understand. Partially because Im an enthusitis, not an expert in the domain. That being said, I've used an openLDAP RPM compiled by one of the fellow *nix admins: http://staff.telkomsa.net/packages - Yes, besides the security reasons I'm desparate enough to try this. I'll eventually use the spec to compile my own RPM. I'm running CentOS 5.7 x86_64 with the latest packages. I was able to successfully install and configure openLDAP but when I attempt to start it with MIrrorMode, it will not start. I ran slaptest to figure out where it's hanging up on: [root@ldap1 ~]# slaptest2.4 -f /etc/openldap2.4/slapd.conf /etc/openldap2.4/slapd.conf: line 207: rootDN must be defined before syncrepl may be used slaptest2.4: bad configuration file! Any suggestions why it continues to complain about rootDN? I have it specified and if slapd is going through the lines, it should have picked up the rootdn before syncrepl. Thoughts? Here is my slapd.conf: include /usr/share/openldap2.4/schema/core.schema include /usr/share/openldap2.4/schema/cosine.schema include /usr/share/openldap2.4/schema/corba.schema include /usr/share/openldap2.4/schema/inetorgperson.schema include /usr/share/openldap2.4/schema/java.schema include /usr/share/openldap2.4/schema/krb5-kdc.schema include /usr/share/openldap2.4/schema/kerberosobject.schema include /usr/share/openldap2.4/schema/misc.schema include /usr/share/openldap2.4/schema/nis.schema include /usr/share/openldap2.4/schema/openldap.schema include /usr/share/openldap2.4/schema/autofs.schema include /usr/share/openldap2.4/schema/samba.schema include /usr/share/openldap2.4/schema/kolab.schema include /usr/share/openldap2.4/schema/evolutionperson.schema include /usr/share/openldap2.4/schema/calendar.schema include /usr/share/openldap2.4/schema/sudo.schema include /usr/share/openldap2.4/schema/dnszone.schema include /usr/share/openldap2.4/schema/dhcp.schema #include /usr/share/openldap2.4/schema/rfc822-MailMember.schema #include /usr/share/openldap2.4/schema/pilot.schema #include /usr/share/openldap2.4/schema/qmail.schema #include /usr/share/openldap2.4/schema/mull.schema #include /usr/share/openldap2.4/schema/netscape-profile.schema #include /usr/share/openldap2.4/schema/trust.schema include /etc/openldap2.4/schema/local.schema include /etc/openldap2.4/slapd.access.conf access to dn.subtree="dc=domain,dc=pvt" by group="cn=Replicator,ou=Group,dc=domain,dc=pvt" by users read by anonymous read pidfile /var/run/ldap2.4/slapd.pid argsfile /var/run/ldap2.4/slapd.args modulepath /usr/lib64/openldap2.4 # database backend modules available: #moduleload back_dnssrv.la #moduleload back_ldap.la #moduleload back_meta.la moduleload back_monitor.la #moduleload back_passwd.la #moduleload back_sql.la # overlay modules available: #moduleload accesslog.la #moduleload denyop.la #moduleload dyngroup.la #moduleload dynlist.la #moduleload glue.la #moduleload lastmod.la #moduleload pcache.la #moduleload ppolicy.la #moduleload refint.la #moduleload retcode.la #moduleload rwm.la moduleload syncprov.la #moduleload translucent.la #moduleload unique.la #contrib overlays #moduleload smbk5pwd.so # SASL config #sasl-host ldap.domain.com # To allow TLS-enabled connections, create /etc/ssl/openldap2.4/ldap.pem # and uncomment the following lines. #TLSRandFile /dev/random #TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/pki/tls/private/ldap.pem TLSCertificateKeyFile /etc/pki/tls/private/ldap.pem #TLSCACertificatePath /etc/ssl/openldap2.4/ #TLSCACertificateFile /etc/ssl/cacert.pem TLSCACertificateFile /etc/pki/tls/private/ldap.pem #TLSVerifyClient never # ([never]|allow|try|demand) # logging #loglevel 256 ####################################################################### # database definitions ####################################################################### database bdb suffix "dc=domain,dc=pvt" #suffix "o=My Organization Name,c=US" rootdn "cn=Manager,dc=domain,dc=pvt" #rootdn "cn=Manager,o=My Organization Name,c=US" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg rootpw {SSHA}[NeeeNer NeeeNer NeeeNer] # The database directory MUST exist prior to running slapd AND # should only be accessable by the slapd/tools. Mode 700 recommended. directory /var/lib/ldap2.4 # Tuning settings, please see the man page for slapd-bdb for more information # as well as the DB_CONFIG file in the database directory # commented entries are at their defaults # In-memory cache size in entries #cachesize 1000 # Checkpoint the bdb database after 256kb of writes or 5 minutes have passed # since the last checkpoint checkpoint 256 5 # Indices to maintain index objectClass eq # persion-type searches index cn,mail,surname,givenname eq,subinitial # nss_ldap exact searches: index uidNumber,gidNumber,memberuid,member,uniqueMember eq # username completion via nss_ldap needs uid indexed sub: index uid eq,subinitial # samba: index sambaSID,sambaDomainName,displayName eq # autofs: #index nisMapName eq # bind sdb_ldap: #index zoneName,relativeDomainName eq # sudo index sudoUser eq # syncprov #index entryCSN,entryUUID eq limits group="cn=Replicator,ou=Group,dc=domain,dc=pvt" size=unlimited time=unlimited database monitor overlay syncprov syncprov-checkpoint 10 1 syncprov-sessionlog 100 syncrepl rid=000 provider=ldap://ldap1.oak.domain.pvt type=refreshAndPersist interval=01:00:00:00 retry="5 5 300 +" rootdn="dc=domain,dc=pvt" attrs="*,+" bindmethod=simple binddn="cn=Manager,dc=domain,dc=pvt" credentials=domain1 syncrepl rid=001 provider=ldap://ldap2.oak.domain.pvt type=refreshAndPersist interval=01:00:00:00 retry="5 5 300 +" rootdn="dc=domain,dc=pvt" attrs="*,+" bindmethod=simple binddn="cn=Manager,dc=domain,dc=pvt" credentials=domain1 mirrormode TRUE serverID 1

2 1

Schema question... userPassword doesn't work
by John Tobin 23 Sep '11

23 Sep '11

To the ldap forum: I have loaded suse 12.1 m5. I have setup an openldap server, which was the main mission of this machine, and it works. It has ssl /tls, certificates are loaded, that works. I used ldap client to setup the ldap browser and that works also. This is the new 2.4.26 server, which has some rather major changes in how ldap is setup. After about 2 weeks I have that under control. My little domain is setup on dark.net [dc=dark,dc=net]. I used ldapadd to put in the administrator, and I have used ldapsearch to list the subschema. I took the default schema. The list of the subschema includes everything I would like to use. Now I want to go about the real business of defining users. I have reviewed a number of pages to ensure I am doing what appears to be the correct procedure, for instance : http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html Which lists: File: fratbrother.ldif dn: cn=fratbrother,o=delta cn: fratbrother sn: fratbrother objectclass: top objectclass: person userPassword: fratsecret ldapadd -f fratbrother.ldif -cxv -D "cn=DeanWormer,o=delta" -w secret2 And other similar updates. But on my machine I create something simple like: File : dark.ldif dn: cn=jctobin,dc=dark,dc=net cn: jctobin userPassword: Hello1$ Ldapadd -x -D ³cn=admin,dc=dark,dc=net² -W -f dark.ldif Enter LDAP Password: Adding new entry ³cn=jctobin,dc=dark,dc=net² Ldap_add: Object class violation (65) Additional info: no objectClass attribute Obviously my ldap server does not like the ³userPassword² class. I have not been able to use any of the other classes I would like to either [ou: (organizational Unit), uid (unix term for a number corresponding to the user id), etc.] What have I not setup correctly? I need to get these users up and running. What can you do for me? Sincerely, Tob

2 1

Tutorial to make an overlay‏?
by Johan Jakus 23 Sep '11

23 Sep '11

Hello everyone, I'm Johan and I am in the final year of my studies in industrial engineering. For my stage, I've been asked to make an overlay for an OpenLDAP server. But, I can't find any documentation on how to make an overlay, could someone please redirect me to a tutorial or something likewise? I would really appreciate it! Thanks! Best regards, Johan

2 1

rwm + cn=config
by Frava 23 Sep '11

23 Sep '11

Hello, I use the rwm overlay to forward the authentication of some users to the general ldap replicas of my corp. Part of slapd.conf : ########################### ... overlay rwm rwm-rewriteEngine on rwm-rewriteContext bindDN rwm-rewriteMap ldap mysearch "ldap:// ldap.example.com:389/ou=users,dc=example,dc=com?dn?sub" rwm-rewriteRule "^uid=([^,]+),ou=people,dc=[^,]+,dc=example,dc=com$" "${mysearch((&(objectClass=posixAccount)(uid=$1)))}" ":@I" database ldap suffix "ou=users,dc=example,dc=com" uri "ldap://ldap.example.com:389/" restrict read write extended database bdb suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw mypassword directory /var/db/openldap-data/mydb ... ############################ Now I converted the 'slapd.conf' to 'cn=config' with slaptest, the remote authentication stopped working; and looking at cn=config, all the rules are there... Any Ideas ? Rafael NAVAZA.

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2011