openldap-technical September 2011

openldap-technical@openldap.org

101 participants
119 discussions

schema question
by John Tobin 23 Sep '11

23 Sep '11

To the ldap forum: I have loaded suse 12.1 m5. I have setup an openldap server, which was the main mission of this machine, and it works. It has ssl /tls, certificates are loaded, that works. I used ldap client to setup the ldap browser and that works also. This is the new 2.4.26 server, which has some rather major changes in how ldap is setup. After about 2 weeks I have that under control. My little domain is setup on dark.net [dc=dark,dc=net]. I used ldapadd to put in the administrator, and I have used ldapsearch to list the subschema. I took the default schema. The list of the subschema includes everything I would like to use. Now I want to go about the real business of defining users. I have reviewed a number of pages to ensure I am doing what appears to be the correct procedure, for instance : http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html Which lists: File: fratbrother.ldif dn: cn=fratbrother,o=delta cn: fratbrother sn: fratbrother objectclass: top objectclass: person userPassword: fratsecret ldapadd -f fratbrother.ldif -cxv -D "cn=DeanWormer,o=delta" -w secret2 And other similar updates. But on my machine I create something simple like: File : dark.ldif dn: cn=jctobin,dc=dark,dc=net cn: jctobin userPassword: Hello1$ Ldapadd -x -D “cn=admin,dc=dark,dc=net” -W -f dark.ldif Enter LDAP Password: Adding new entry “cn=jctobin,dc=dark,dc=net” Ldap_add: Object class violation (65) Additional info: no objectClass attribute Obviously my ldap server does not like the “userPassword” class. I have not been able to use any of the other classes I would like to either [ou: (organizational Unit), uid (unix term for a number corresponding to the user id), etc.] What have I not setup correctly? I need to get these users up and running. tob

2 1

migrating from (old) /etc/shadow to LDAP
by Gerardo Herzig 23 Sep '11

23 Sep '11

Hi all. Im migrating the /etc/shadow accounts to an LDAP enviroment. As the /etc/shadow containing server has suffered several upgrades, there is more than one crypto mechanism applied. Some entries are in the form $2a$10$..... this is an {CRYPT} entry, and have no problems with that. Others (the oldest ones) doesn't seem to have a prefix at all. There are "short" strings like bHwTgdCTnfpco lJvWLr8sfW.Hg and so on... I tried with {MD5}, {SHA} + encrypted password with no luck. Any one knows which crypto mechanism is applied here? I think they are from an old Suse 9.1 (not the Enterprise Server Edition, the realy old SuSE 9.1) Thanks! Gerardo

5 12

Re: migrating from (old) /etc/shadow to LDAP
by Juergen.Sprenger＠swisscom.com 23 Sep '11

23 Sep '11

Hi Gerardo, the 'short strings' You mentioned are 13-character DES password hashes. For security reasons they should not be used anymore if possible. Putting {crypt} in front of them should be sufficient for conversion. Normalizing the passwords might become difficult if only their DES hashes are available. Especially in a heterogenous environment using simple authentication together with ssl/tls will prevent some trouble. In that case OpenLDAP will take care of the crypto algorithm, creation of password hashes and so on while clients just send plaintext passwords over an encrypted ssl/tls connection to the LDAP server. This will also prevent trouble if there is no common algorithm supported by all OS flavors and releases in Your environment which use LDAP for authentication. Regards Juergen

2 1

MirrorMode sync only happening in one direction
by Daniel Qian 22 Sep '11

22 Sep '11

The problem direction has the same syncrepl configuration as the working one except for the rid and provider name: olcSyncrepl: {0} rid=102 provider="ldap://server2.prod:389/" type=refreshAndPersist retry="60 30 300 +" keepalive=1200:10:3 searchbase="dc=mydomain,dc=com" bindmethod=simple binddn="cn=replica,dc=mydomain,dc=com" credentials=xxxxxx starttls=critical tls_cacert="/etc/pki/CA/cacert.pem" On the consumer side I am seeing these messages: Sep 22 22:02:02 ldaprov1 slapd[15466]: do_syncrep2: rid=102 got search entry without Sync State control Sep 22 22:02:02 ldaprov1 slapd[15466]: do_syncrepl: rid=102 rc -1 retrying (29 retries left) and on the provider side I am seeing these: Sep 22 18:02:36 localhost slapd[20718]: conn=1071 fd=21 ACCEPT from IP=10.10.2.103:35671 (IP=0.0.0.0:389) Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=0 STARTTLS Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=0 RESULT oid= err=0 text= Sep 22 18:02:36 localhost slapd[20718]: conn=1071 fd=21 TLS established tls_ssf=256 ssf=256 Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=1 BIND dn="cn=replica,dc=mydomain,dc=com" method=128 Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=1 BIND dn="cn=replica,dc=mydomain,dc=com" mech=SIMPLE ssf=0 Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=1 RESULT tag=97 err=0 text= Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=2 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(objectClass=*)" Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=2 SRCH attr=* + Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=2 SEARCH RESULT tag=101 err=0 nentries=22 text= Sep 22 18:02:36 localhost slapd[20718]: conn=1071 op=3 UNBIND Sep 22 18:02:36 localhost slapd[20718]: conn=1071 fd=21 closed Sep 22 18:02:36 localhost slapd[20718]: connection_read(21): no connection! Sep 22 18:02:36 localhost slapd[20718]: connection_read(21): no connection! Sep 22 18:03:37 localhost slapd[20718]: conn=1072 fd=21 ACCEPT from IP=10.10.2.103:35672 (IP=0.0.0.0:389) Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=0 STARTTLS Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=0 RESULT oid= err=0 text= Sep 22 18:03:37 localhost slapd[20718]: conn=1072 fd=21 TLS established tls_ssf=256 ssf=256 Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=1 BIND dn="cn=replica,dc=mydomain,dc=com" method=128 Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=1 BIND dn="cn=replica,dc=mydomain,dc=com" mech=SIMPLE ssf=0 Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=1 RESULT tag=97 err=0 text= Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=2 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(objectClass=*)" Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=2 SRCH attr=* + Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=2 SEARCH RESULT tag=101 err=0 nentries=22 text= Sep 22 18:03:37 localhost slapd[20718]: conn=1072 op=3 UNBIND Sep 22 18:03:37 localhost slapd[20718]: conn=1072 fd=21 closed Sep 22 18:03:37 localhost slapd[20718]: connection_read(21): no connection! Sep 22 18:03:37 localhost slapd[20718]: connection_read(21): no connection! The sync connection is supposed to be persistent but it keeps closing down and reconnecting. Anyone know what could be the reason? Thanks, Daniel

3 5

Newbie here
by brown wrap 22 Sep '11

22 Sep '11

I have downloaded and installed OpenLDAP from www.sunfreeware.com. I have also installed the required supporting software. I know nothing about OpenLDAP. This is my first exposure. It will be on a test setup, running on old SPARCstations. I have settup the conf file, started slapd and it returns to the the prompt. Adding the debug flag shows its complaining about Berkley DB. Has someone here made a similar setup? I don't have access to the machine at this point. Its not connected to the net. I was just wondering if someone else had a like install. Thanks.

1 0

virtually merging objects under a single DIT
by Perrin, David 22 Sep '11

22 Sep '11

I'm hoping to support an administrator of an application who would like to authenticate users that may exist in one of multiple LDAP sources. The application can provide a single base DN, username, and password. I can get close by using database ldap and rwm to rewrite the base of multiple sources to a common one: ou=DC Users 1,dc=proxy,dc=myorg,dc=org ou=DC Users 2,dc=proxy,dc=myorg,dc=org But I'd like to go a step further and present user objects from both sources under a single suffix point like: ou=DC Users 1 and 2,dc=proxy,dc=myorg,dc=org. Is there a way to virtually merge / flatten the structure from multiple sources? Thank you, Dave

1 1

ldappasswd -T
by David Dumortier 22 Sep '11

22 Sep '11

Hello, I tried to set a password with the -T option. It failed so I tried -d 11 to see the dump in hexa. I discovered that a 0xa is append to the password. Is it a bug ? if so please confirm I will open a bugreport. Version : squeeze/debian -- David Dumortier

3 4

slapo-pcache and multiple hits won't cache
by turbo＠bayour.com 21 Sep '11

21 Sep '11

I'm using slapd-meta to merge a proxied AD (proxy is OL running on 'hidden' port) with a external OL server (running on separate host). The meta seems to work, using '(uid=kpxb140)' (which is my UNIX account name at work) gives me two results, one from the AD and one from the external OL server. This is verified, because the objects look different (and comparing them with the 'original' source verifies this as well). But on top (tail) of that, I'm using pcache... The afformentioned search gives: QUERY NOT ANSWERABLE QUERY CACHEABLE each time (i.e., it doesn't actually write to the cache). A modified search '(&(objectClass=account)(uid=kpxb140))' or '(&(objectClass=person)(uid=kpxb140))' gives only ONE hit (the first from the OL server, the second from AD). This time I get the correct behaviour - it is cached into BDB... Is this expected behaviour or a bug? If the latter, ITS# and expected fix?

2 2

ldap && rwm && pcache && transparent
by Turbo Fredriksson 20 Sep '11

20 Sep '11

I'm trying to proxy an AD and an OpenLDAP server on a separate machine to get a 'combined' view. First problem (or the primary one?) is that the DN doesn't match. AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld We have absolutely no write/modify access to the AD (we barely got search/compare access to parts of the AD! And the OL server... There's way to much work to modify (as in massaging the DB and reload it) that (at the moment). It's also running 2.3 at the moment, and we don't want to upgrade that any time soon. The theory is/was to: 1. Setup a LDAP/META proxy to the AD to act as the 'local' DB. 2. Rewrite the AD DNs to match the OL DB 3. Cache some common queries 4. Glue the OL DB with the AD DB, the OL acting as the 'remote' DB. Unfortunately, I can't get step four to work. Any queries seem to loop to the localhost. I guess I could use rwm on the OL server to massage the DN (before it's presented to clients and the proxy), but I much rather do any rewrite etc on my new proxy server if possible. OR Setup a second OL server on the current OL server, but on a different port (hidden), which proxies the main OL and rewrites the DN to match the AD. This hidden server could then be proxied by the new LDAP proxy, cached etc... But either of the alternative solution isn't pretty :). I'll have to maintain and support THREE LDAP servers (one DB and two proxies), which seems a little to much work. And besides, the OL have all the UNIX (posixAccount etc) stuff (only), with very few users (most of the organization don't need UNIX accounts) and most of the clients is configured to use that when searching etc. There's also other reasons why we would like to keep the OL server layout... Parts of my slapd.conf: ####################################################################### database ldap suffix "dc=company,dc=tld" rootdn "cn=Manager,dc=company,dc=tld" rootpw "secret" # --------------------------------------------------------------------- ##### Active Directory Server (will act as LOCAL DB) uri ldap://ad.company.tld idassert-bind bindmethod=simple binddn ="cn=unixldap,ou=service,ou=users,ou=selud,dc=rd,dc=company,dc=tld" credentials="Secret1" mode=none idassert-authzFrom "*" # --------------------------------------------------------------------- #### Rewrite/Remap # http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5941#followup7 overlay rwm rwm-rewriteEngine yes rwm-normalize-mapped-attrs yes rwm-map attribute uid sAMAccountName rwm-map attribute gecos displayName rwm-map attribute workPhone telephoneNumber rwm-map attribute address1 streetAddress rwm-map attribute city l rwm-map attribute state st rwm-map attribute zip postalCode rwm-map attribute country co rwm-map attribute c country rwm-map attribute distinguishedName entryDN rwm-map objectclass inetOrgPerson user rwm-map objectclass groupOfNames group rwm-rewriteContext searchEntryDN rwm-rewriteRule "cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)" "uid=$1ou=People,dc=ORG3,$2" ":@" rwm-rewriteContext searchAttrDN alias searchEntryDN rwm-rewriteContext matchedDN alias searchEntryDN # --------------------------------------------------------------------- #### Proxy Cache overlay pcache pcache hdb 2500 3 1 300 pcacheAttrset 0 uid uidNumber gidNumber cn sn givenName distinguishedName pcacheAttrset 1 c physicalDeliveryOfficeName streetAddress mail pcacheAttrset 2 uid uidNumber gidNumber cn sn givenName distinguishedName c physicalDeliveryOfficeName streetAddress mail pcacheTemplate (uid=) 0 3600 pcacheTemplate (cn=) 0 3600 pcacheTemplate (|(uid=)(cn=)) 0 3600 pcacheTemplate (|(cn=)(uid=)) 0 3600 pcacheTemplate (objectClass=) 2 3600 pcacheTemplate (|(objectClass=)(cn=)) 2 3600 pcacheTemplate (gecos=) 1 3600 pcacheTemplate (&(sn=)(givenName=)) 1 3600 cachesize 20 directory /usr/local/turbo/var/openldap-data index objectClass eq index cn,sn,uid,mail pres,eq,sub # --------------------------------------------------------------------- #### Translucent Proxy overlay translucent translucent_strict yes #translucent_local uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail #translucent_remote uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail ### OpenLDAP Server (will act as REMOTE DB) uri "ldap://ol.company.tld/" network-timeout 3 chase-referrals no acl-bind binddn="cn=Manager,dc=company,dc=tld" credentials="secret" idassert-bind bindmethod=simple binddn="cn=Manager,dc=company,dc=tld" credentials="Secret2" mode=none idassert-authzFrom "*" ####################################################################### Disclaimer: Much of this haven't been optimized yet. I'll fine tune and tweak stuff once I could get it to work... -- Life sucks and then you die

2 2

slapindex with translucent overlay
by Hugo Monteiro 20 Sep '11

20 Sep '11

Hello, I have recently discovered that i'm not using the indexes i should, in one translucent overlay database, for the locally stored attributes. This being a production server, i would like to know if changing index configuration and running slapindex on that database is enough to reindex the data. Regards, Hugo Monteiro. -- fct.unl.pt:~# cat .signature Hugo Monteiro Email : hugo.monteiro(a)fct.unl.pt Telefone : +351 212948300 Ext.15307 Web : http://hmonteiro.net Divisão de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.fct.unl.pt apoio(a)fct.unl.pt fct.unl.pt:~# _

2 3

← Newer
1
2
3
4
5
6
7
...
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2011