schema question
by John Tobin
To the ldap forum:
I have loaded suse 12.1 m5.
I have setup an openldap server, which was the main mission of this machine, and it works.
It has ssl /tls, certificates are loaded, that works.
I used ldap client to setup the ldap browser and that works also.
This is the new 2.4.26 server, which has some rather major changes in how ldap is setup. After about 2 weeks I have that under control.
My little domain is setup on dark.net [dc=dark,dc=net].
I used ldapadd to put in the administrator, and I have used ldapsearch to list the subschema. I took the default schema. The list of the subschema includes everything I would like to use.
Now I want to go about the real business of defining users.
I have reviewed a number of pages to ensure I am doing what appears to be the correct procedure, for instance :
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html
Which lists:
File: fratbrother.ldif
dn: cn=fratbrother,o=delta
cn: fratbrother
sn: fratbrother
objectclass: top
objectclass: person
userPassword: fratsecret
ldapadd -f fratbrother.ldif -cxv -D "cn=DeanWormer,o=delta" -w secret2
And other similar updates.
But on my machine I create something simple like:
File : dark.ldif
dn: cn=jctobin,dc=dark,dc=net
cn: jctobin
userPassword: Hello1$
Ldapadd -x -D “cn=admin,dc=dark,dc=net” -W -f dark.ldif
Enter LDAP Password:
Adding new entry “cn=jctobin,dc=dark,dc=net”
Ldap_add: Object class violation (65)
Additional info: no objectClass attribute
Obviously my ldap server does not like the “userPassword” class.
I have not been able to use any of the other classes I would like to either [ou: (organizational Unit), uid (unix term for a number corresponding to the user id), etc.]
What have I not setup correctly?
I need to get these users up and running.
tob
9 years, 6 months
migrating from (old) /etc/shadow to LDAP
by Gerardo Herzig
Hi all. Im migrating the /etc/shadow accounts to an LDAP enviroment.
As the /etc/shadow containing server has suffered several upgrades,
there is more than one crypto mechanism applied.
Some entries are in the form $2a$10$..... this is an {CRYPT} entry, and
have no problems with that.
Others (the oldest ones) doesn't seem to have a prefix at all. There are
"short" strings like
bHwTgdCTnfpco
lJvWLr8sfW.Hg
and so on...
I tried with {MD5}, {SHA} + encrypted password with no luck.
Any one knows which crypto mechanism is applied here? I think they are
from an old Suse 9.1 (not the Enterprise Server Edition, the realy old
SuSE 9.1)
Thanks!
Gerardo
9 years, 6 months
Re: migrating from (old) /etc/shadow to LDAP
by Juergen.Sprenger@swisscom.com
Hi Gerardo,
the 'short strings' You mentioned are 13-character DES password hashes.
For security reasons they should not be used anymore if possible.
Putting {crypt} in front of them should be sufficient for conversion.
Normalizing the passwords might become difficult if only their DES hashes are available.
Especially in a heterogenous environment using simple authentication together with
ssl/tls will prevent some trouble.
In that case OpenLDAP will take care of the crypto algorithm, creation of
password hashes and so on while clients just send plaintext passwords
over an encrypted ssl/tls connection to the LDAP server.
This will also prevent trouble if there is no common algorithm supported by
all OS flavors and releases in Your environment which use LDAP for authentication.
Regards
Juergen
9 years, 6 months
MirrorMode sync only happening in one direction
by Daniel Qian
The problem direction has the same syncrepl configuration as the working
one except for the rid and provider name:
olcSyncrepl: {0}
rid=102 provider="ldap://server2.prod:389/"
type=refreshAndPersist
retry="60 30 300 +"
keepalive=1200:10:3
searchbase="dc=mydomain,dc=com"
bindmethod=simple
binddn="cn=replica,dc=mydomain,dc=com"
credentials=xxxxxx
starttls=critical
tls_cacert="/etc/pki/CA/cacert.pem"
On the consumer side I am seeing these messages:
Sep 22 22:02:02 ldaprov1 slapd[15466]: do_syncrep2: rid=102 got search
entry without Sync State control
Sep 22 22:02:02 ldaprov1 slapd[15466]: do_syncrepl: rid=102 rc -1
retrying (29 retries left)
and on the provider side I am seeing these:
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 fd=21 ACCEPT from
IP=10.10.2.103:35671 (IP=0.0.0.0:389)
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=0 STARTTLS
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=0 RESULT oid= err=0
text=
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 fd=21 TLS established
tls_ssf=256 ssf=256
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=1 BIND
dn="cn=replica,dc=mydomain,dc=com" method=128
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=1 BIND
dn="cn=replica,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=1 RESULT tag=97
err=0 text=
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=2 SRCH
base="dc=mydomain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=2 SRCH attr=* +
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=2 SEARCH RESULT
tag=101 err=0 nentries=22 text=
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=3 UNBIND
Sep 22 18:02:36 localhost slapd[20718]: conn=1071 fd=21 closed
Sep 22 18:02:36 localhost slapd[20718]: connection_read(21): no connection!
Sep 22 18:02:36 localhost slapd[20718]: connection_read(21): no connection!
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 fd=21 ACCEPT from
IP=10.10.2.103:35672 (IP=0.0.0.0:389)
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=0 STARTTLS
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=0 RESULT oid= err=0
text=
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 fd=21 TLS established
tls_ssf=256 ssf=256
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=1 BIND
dn="cn=replica,dc=mydomain,dc=com" method=128
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=1 BIND
dn="cn=replica,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=1 RESULT tag=97
err=0 text=
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=2 SRCH
base="dc=mydomain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=2 SRCH attr=* +
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=2 SEARCH RESULT
tag=101 err=0 nentries=22 text=
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=3 UNBIND
Sep 22 18:03:37 localhost slapd[20718]: conn=1072 fd=21 closed
Sep 22 18:03:37 localhost slapd[20718]: connection_read(21): no connection!
Sep 22 18:03:37 localhost slapd[20718]: connection_read(21): no connection!
The sync connection is supposed to be persistent but it keeps closing
down and reconnecting.
Anyone know what could be the reason?
Thanks,
Daniel
9 years, 6 months
Newbie here
by brown wrap
I have downloaded and installed OpenLDAP from www.sunfreeware.com. I have also installed the required supporting software. I know nothing about OpenLDAP. This is my first exposure. It will be on a test setup, running on old SPARCstations. I have settup the conf file, started slapd and it returns to the the prompt. Adding the debug flag shows its complaining about Berkley DB. Has someone here made a similar setup? I don't have access to the machine at this point. Its not connected to the net. I was just wondering if someone else had a like install. Thanks.
9 years, 6 months
virtually merging objects under a single DIT
by Perrin, David
I'm hoping to support an administrator of an application who would like
to authenticate users that may exist in one of multiple LDAP sources.
The application can provide a single base DN, username, and password.
I can get close by using database ldap and rwm to rewrite the base of
multiple sources to a common one:
ou=DC Users 1,dc=proxy,dc=myorg,dc=org
ou=DC Users 2,dc=proxy,dc=myorg,dc=org
But I'd like to go a step further and present user objects from both
sources under a single suffix point like:
ou=DC Users 1 and 2,dc=proxy,dc=myorg,dc=org.
Is there a way to virtually merge / flatten the structure from multiple
sources?
Thank you,
Dave
9 years, 6 months
ldappasswd -T
by David Dumortier
Hello,
I tried to set a password with the -T option.
It failed so I tried -d 11 to see the dump in hexa.
I discovered that a 0xa is append to the password.
Is it a bug ? if so please confirm I will open a bugreport.
Version : squeeze/debian
--
David Dumortier
9 years, 6 months
slapo-pcache and multiple hits won't cache
by turbo@bayour.com
I'm using slapd-meta to merge a proxied AD (proxy is OL running on
'hidden' port) with a external OL server (running on separate host).
The meta seems to work, using '(uid=kpxb140)' (which is my UNIX account
name at work) gives me two results, one from the AD and one from the
external OL server. This is verified, because the objects look
different
(and comparing them with the 'original' source verifies this as well).
But on top (tail) of that, I'm using pcache...
The afformentioned search gives:
QUERY NOT ANSWERABLE
QUERY CACHEABLE
each time (i.e., it doesn't actually write to the cache). A modified
search
'(&(objectClass=account)(uid=kpxb140))'
or
'(&(objectClass=person)(uid=kpxb140))'
gives only ONE hit (the first from the OL server, the second from AD).
This time I get the correct behaviour - it is cached into BDB...
Is this expected behaviour or a bug? If the latter, ITS# and expected
fix?
9 years, 6 months
ldap && rwm && pcache && transparent
by Turbo Fredriksson
I'm trying to proxy an AD and an OpenLDAP server on a
separate machine to get a 'combined' view.
First problem (or the primary one?) is that the DN doesn't
match.
AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld
OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld
We have absolutely no write/modify access to the AD (we
barely got search/compare access to parts of the AD!
And the OL server... There's way to much work to modify
(as in massaging the DB and reload it) that (at the moment).
It's also running 2.3 at the moment, and we don't want to
upgrade that any time soon.
The theory is/was to:
1. Setup a LDAP/META proxy to the AD to act as the
'local' DB.
2. Rewrite the AD DNs to match the OL DB
3. Cache some common queries
4. Glue the OL DB with the AD DB, the OL acting as
the 'remote' DB.
Unfortunately, I can't get step four to work. Any queries
seem to loop to the localhost.
I guess I could use rwm on the OL server to massage the
DN (before it's presented to clients and the proxy), but
I much rather do any rewrite etc on my new proxy server
if possible.
OR
Setup a second OL server on the current OL server, but
on a different port (hidden), which proxies the main
OL and rewrites the DN to match the AD. This hidden server
could then be proxied by the new LDAP proxy, cached etc...
But either of the alternative solution isn't pretty :).
I'll have to maintain and support THREE LDAP servers
(one DB and two proxies), which seems a little to much
work.
And besides, the OL have all the UNIX (posixAccount etc)
stuff (only), with very few users (most of the organization
don't need UNIX accounts) and most of the clients is configured
to use that when searching etc. There's also other reasons
why we would like to keep the OL server layout...
Parts of my slapd.conf:
#######################################################################
database ldap
suffix "dc=company,dc=tld"
rootdn "cn=Manager,dc=company,dc=tld"
rootpw "secret"
# ---------------------------------------------------------------------
##### Active Directory Server (will act as LOCAL DB)
uri ldap://ad.company.tld
idassert-bind bindmethod=simple
binddn
="cn=unixldap,ou=service,ou=users,ou=selud,dc=rd,dc=company,dc=tld"
credentials="Secret1"
mode=none
idassert-authzFrom "*"
# ---------------------------------------------------------------------
#### Rewrite/Remap
# http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5941#followup7
overlay rwm
rwm-rewriteEngine yes
rwm-normalize-mapped-attrs yes
rwm-map attribute uid sAMAccountName
rwm-map attribute gecos displayName
rwm-map attribute workPhone telephoneNumber
rwm-map attribute address1 streetAddress
rwm-map attribute city l
rwm-map attribute state st
rwm-map attribute zip postalCode
rwm-map attribute country co
rwm-map attribute c country
rwm-map attribute distinguishedName entryDN
rwm-map objectclass inetOrgPerson user
rwm-map objectclass groupOfNames group
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)"
"uid=$1ou=People,dc=ORG3,$2" ":@"
rwm-rewriteContext searchAttrDN alias searchEntryDN
rwm-rewriteContext matchedDN alias searchEntryDN
# ---------------------------------------------------------------------
#### Proxy Cache
overlay pcache
pcache hdb 2500 3 1 300
pcacheAttrset 0 uid uidNumber gidNumber cn sn givenName
distinguishedName
pcacheAttrset 1 c physicalDeliveryOfficeName streetAddress mail
pcacheAttrset 2 uid uidNumber gidNumber cn sn givenName
distinguishedName c physicalDeliveryOfficeName streetAddress mail
pcacheTemplate (uid=) 0 3600
pcacheTemplate (cn=) 0 3600
pcacheTemplate (|(uid=)(cn=)) 0 3600
pcacheTemplate (|(cn=)(uid=)) 0 3600
pcacheTemplate (objectClass=) 2 3600
pcacheTemplate (|(objectClass=)(cn=)) 2 3600
pcacheTemplate (gecos=) 1 3600
pcacheTemplate (&(sn=)(givenName=)) 1 3600
cachesize 20
directory /usr/local/turbo/var/openldap-data
index objectClass eq
index cn,sn,uid,mail pres,eq,sub
# ---------------------------------------------------------------------
#### Translucent Proxy
overlay translucent
translucent_strict yes
#translucent_local
uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail
#translucent_remote
uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail
### OpenLDAP Server (will act as REMOTE DB)
uri "ldap://ol.company.tld/"
network-timeout 3
chase-referrals no
acl-bind binddn="cn=Manager,dc=company,dc=tld" credentials="secret"
idassert-bind bindmethod=simple
binddn="cn=Manager,dc=company,dc=tld"
credentials="Secret2"
mode=none
idassert-authzFrom "*"
#######################################################################
Disclaimer: Much of this haven't been optimized yet. I'll
fine tune and tweak stuff once I could get it to work...
--
Life sucks and then you die
9 years, 6 months
slapindex with translucent overlay
by Hugo Monteiro
Hello,
I have recently discovered that i'm not using the indexes i should, in
one translucent overlay database, for the locally stored attributes.
This being a production server, i would like to know if changing index
configuration and running slapindex on that database is enough to
reindex the data.
Regards,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
9 years, 6 months