openldap-technical January 2012

openldap-technical@openldap.org

84 participants
81 discussions

Creating a special entry
by Frank Bonnet 25 Jan '12

25 Jan '12

Hello Due to the usage of a third party software I need to create a special account into our OpenLDAP directory that have the following privileges read, compare, browse Help greatly appreciated on guidance to create such entry. info links welcome thank you

2 1

slapadd not allowed on first database
by Kwasi Gyasi - Agyei 25 Jan '12

25 Jan '12

Hi, I'm trying to migrate data using openldap migrations tools, however I keep get error below which I don't understand. I don;t even know where ldap is getting the second database from cause I don;t have that defined anywhere slapd.conf has only one database. Error: ------------------ The first database does not allow slapadd; using the first available one (2) slapadd: line 1: database #2 (dc=my-domain,dc=com) not configured to hold "dc=4things,dc=co,dc=za"; no database configured for that naming context slapd.conf : ------------------ # ###### SAMPLE 1 - SIMPLE DIRECTORY ############ # # NOTES: inetorgperson picks up attributes and objectclasses # from all three schemas # # NB: RH Linux schemas in /etc/openldap # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema # NO SECURITY - no access clause # defaults to anonymous access for read # only rootdn can write # NO REFERRALS # DON'T bother with ARGS file unless you feel strongly # slapd scripts stop scripts need this to work pidfile /var/run/slapd.pid # enable a lot of logging - we might need it # but generates huge logs loglevel -1 # MODULELOAD definitions # not required (comment out) before version 2.3 moduleload back_bdb.la # NO TLS-enabled connections # backend definition not required ####################################################################### # bdb database definitions # # replace example and com below with a suitable domain # # If you don't have a domain you can leave it since example.com # is reserved for experimentation or change them to my and inc # ####################################################################### database bdb suffix "dc=4things, dc=co, dc=za" # root or superuser rootdn "cn=system-admin, dc=4things, dc=co, dc=za" rootpw {SSHA}password # The database directory MUST exist prior to running slapd AND # change path as necessary directory /var/lib/ldap/4things.co.za # Indices to maintain for this directory # unique id so equality match only index uid eq # allows general searching on commonname, givenname and email index cn,gn,mail eq,sub # allows multiple variants on surname searching index sn eq,sub # sub above includes subintial,subany,subfinal # optimise department searches index ou eq # if searches will include objectClass uncomment following # index objectClass eq # shows use of default index parameter index default eq,sub # indices missing - uses default eq,sub index telephonenumber # other database parameters # read more in slapd.conf reference section cachesize 10000 checkpoint 128 15 Any ideas? I have Googled for almost a week now and I come across nothing... -- Multimedia and Communication | Property | Entertainment Kwasi Owusu Gyasi - Agyei *cell* (+27) (0) 76 466 4488 *website *www.4things.co.za *email *kwasi.gyasiagyei(a)4things.co.za *skype *kwasi.gyasiagyei *role* Developer.Designer.Software Architect

3 2

slapcat and slapadd
by Andreas Laesser 24 Jan '12

24 Jan '12

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi @all, I've a problem doing a slapcat and adding the dump again to another (empty) ldap server... doing a slapcat on my "master" gives me a file with: <snip> root@foobar /etc/ldap # head -100 ldapFullCat.ldif dn: objectClass: top objectClass: dcObject objectClass: organization o: spsc.tugraz.at dc: spsc structuralObjectClass: organization entryUUID: 292ab862-cb04-1030-9e71-dd10406d8585 creatorsName: cn=admin,dc=spsc,dc=tugraz,dc=at createTimestamp: 20120104094228Z entryCSN: 20120104094228.808452Z#000000#000#000000 modifiersName: cn=admin,dc=spsc,dc=tugraz,dc=at modifyTimestamp: 20120104094228Z dn: objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9WlQ5UmdyUFpJVDVuM3ByS0ErM3M5TFplU0RHcnFMN3g= structuralObjectClass: organizationalRole entryUUID: 292b04fc-cb04-1030-9e72-dd10406d8585 creatorsName: cn=admin,dc=spsc,dc=tugraz,dc=at createTimestamp: 20120104094228Z entryCSN: 20120104094228.810430Z#000000#000#000000 modifiersName: cn=admin,dc=spsc,dc=tugraz,dc=at modifyTimestamp: 20120104094228Z dn: dc=SPSC,dc=TUGRAZ,dc=AT dc: SPSC objectClass: dcObject objectClass: organizationalUnit ou: SPSC structuralObjectClass: organizationalUnit entryUUID: ffae9024-9a0c-1028-8a8f-881a13d527c4 creatorsName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT createTimestamp: 20040913201236Z entryCSN: 20040913201236.000000Z#000001#000#000000 modifiersName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT modifyTimestamp: 20040913201236Z contextCSN: 20120119135137.038345Z#000000#000#000000 contextCSN: 20120120100955.690312Z#000000#001#000000 dn: ou=people,dc=SPSC,dc=TUGRAZ,dc=AT ou: people objectClass: organizationalUnit structuralObjectClass: organizationalUnit entryUUID: ffc2d0b6-9a0c-1028-8a90-881a13d527c4 creatorsName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT createTimestamp: 20040913201236Z entryCSN: 20040913201236.000000Z#000002#000#000000 modifiersName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT modifyTimestamp: 20040913201236Z .... </snip> But if I want to add this file at my other server, it gives me: root@barfoo /etc/ldap # slapadd -l ldapFullCat.ldif -f ./slapd.conf slapadd: line 1: cannot add entry with empty dn="" _ 0.02% eta elapsed none spd 3.0 M/s Closing DB... Any Ideas? Of course, if I delete the first two entries it works, but then the ldap didn't work correctly. thanks and regards Andreas - -- ========================================================================= _____________ / ___________/ Andreas Laesser / //_// /____/ Signal Proc.& Speech Communication Lab. __/ /___/ / __ Graz University of Technology /___//____//___/ Inffeldgasse 16c/EG | A-8010 Graz | Austria http://www.spsc.tugraz.at Tel: +43 (0)316 873 -4443 Fax: DW 104439 ========================================================================= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAk8ZQBUACgkQ1nmbrmNF2lObwQCeKnF+elTztwQCu9DhjbN4eKhB 8nQAn2CuBh2WNyjlTfWZhbzMeh6IFXbg =xheX -----END PGP SIGNATURE-----

3 4

Need help to change ldap password from client side
by sivakumar R 24 Jan '12

24 Jan '12

*Dear All, I've recently configured a LDAP Server, I am facing a small problem when i'm trying to change my password from client side by giving the command "passwd". It is giving the following error in terminal Changing password for user ****. Enter login(LDAP) password: New password: Retype new password: LDAP password information update failed: Insufficient access passwd: Authentication token manipulation error Also in /var/log/messages it is showing the following error message Jan 24 15:43:57 mail passwd: pam_ldap: ldap_modify_s Insufficient access Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: gck_module_new: assertion `funcs' failed Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: module_instances: assertion `module' failed Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: egg_error_message: assertion `error' failed Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: couldn't find secret store module: (unknown) Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: lookup_login_keyring: assertion `GCK_IS_SESSION (session)' failed Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: create_credential: assertion `GCK_IS_SESSION (session)' failed Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: egg_error_message: assertion `error' failed Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: couldn't create new login credential: (unknown) Also this is my ACL configuration details of /etc/openldap/slapd.conf access to attr=userPassword by anonymous auth by self write by * none access to * by * read Please help to resolve this Cordially Shiv *

3 2

How to configure Openldap with the new LDIF configuration
by André Ribas 20 Jan '12

20 Jan '12

Hi there, I am trying to setup a Samba + OpenLDAP server here but it has been a while since the last time that I did it. Last time that I did it, the slapd was configured by the file slapd.conf but now I realized that it has a new configuration method based on LDIF files. I'm a little confused with this new method and every tutorial that I find on the Internet says that I should write a slapd.conf and use the migration tool. But doing that I'll not be using the best feature of the new method (on-line updates) so I want to learn the new way. Sorry for this newbie question but I am not understanding how to use it to add a schema file or even change some configuration. Do anyone have some tips or even a good tutorial (maybe even a samba related one) that teaches how to do it in the "right" way? Thanks and sorry for any English mistakes (this is one of my very first mail to an English listing) André Ribas

3 2

TLS hostname check failure and subjectAltname extension
by Michael Ströder 19 Jan '12

19 Jan '12

HI! We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked against OpenSSL 1.0.0 libs shipped with RHEL. (some names are consistently obfuscated herein to keep real names confidential) Unfortunately we can't get StartTLS to work. It always fails: # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate But OpenSSL lists the (IMO correct) hostnames in the server's certificate: ---------------------------------- snip ---------------------------------- Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE [..] X509v3 Subject Alternative Name: email:certificate@xxx.domain, DNS:ldap.domain, DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain ---------------------------------- snip ---------------------------------- Is the hostname check confused by the email in the first subjectAltName sequence value? Ciao, Michael.

2 2

syncprov_db_open: invalid config, lastmod must be enabled
by Angel L. Mateo 19 Jan '12

19 Jan '12

Hi, I'm trying to configure chain overlay in a ldap replica consumer. My final purpose is that if this node receives an update, it directly tries to make it in the provider node, instead of returning the referrral. Is that possible? I think so... But I have a problem with the configuration. My config is ... moduleload back_ldap moduleload syncprov ... database hdb suffix dc=<mysuffix> ... overlay syncprov syncrepl rid=31 provider="ldap://<provider>" binddn="<replica user dn>" bindmethod=simple credentials=<password> searchbase="dc=<mysuffix>" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 overlay chain chain-max-depth 1 chain-return-error true chain-uri ldap://<provider> chain-rebind-as-user yes chain-idassert-bind bindmethod=simple binddn=<replica user dn> credentials=<password> starttls=no mode="self" But when I test configuration with slaptest, I get: root@canis32:/etc/ldap# slaptest -f /etc/ldap/slapd.conf syncprov_db_open: invalid config, lastmod must be enabled backend_startup_one (type=hdb, suffix="<mysuffix>"): bi_db_open failed! (-1) slap_startup failed (test would succeed using the -u switch) and I can't run slapd. Any idea? I'm running slapd 2.4.21 (ubuntu lucid package) -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 868887590 Fax: 868888337

3 10

ldap error codes during modification
by Rohan J 18 Jan '12

18 Jan '12

Hello, I was going through RFCs to have a clear requirement of the expected ldap error codes during an ldapmodify with insufficient access . Does Openldap always have to return error code 50 during a modify even though the modification may contain errors related to invalid attribute syntax, notAllowedOnRDN or any protocol errors. I am guessing that it should be fine to allow error codes except 16,20,32 etc. Please let me know if there is a reference to this information.

1 0

eDirectory -> openLDAP password synchronization with jdap
by Martin Anastasov 18 Jan '12

18 Jan '12

Hi, I'm trying to synchronize passwords from eDirectory to openLDAP using jdap. The passwords in eDirectory are not stored in plain text i.e. Secure Login SSO is used (protocom-SSO-Entries in ldiff flie). In ldiff are also present: nDSPKIUserCertificateInfo, userCertificate. Is it possible to do the synchronization ? Thanks in advance. Regards, Martin

2 1

Openldap/Sasl/GSSAPI on Debian: Key table entry not found
by Toomas Vendelin 18 Jan '12

18 Jan '12

The goal: to make an OpenLDAP server to authenticate using Kerberos V via GSSAPI Setup: several virtual machines running on freshly installed/updated Debian Squeeze A master KDC server kdc.example.com A LDAP server, running OpenLDAP ldap.example.com The problem: tom@ldap:~$ ldapsearch -b 'dc=example,dc=com' SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table entry not found) One might suggest to add that keytab entry, but: ktutil: rkt /etc/ldap/ldap.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 ldap/ldap.example.com(a)EXAMPLE.COM 2 2 ldap/ldap.example.com(a)EXAMPLE.COM 3 2 ldap/ldap.example.com(a)EXAMPLE.COM 4 2 ldap/ldap.example.com(a)EXAMPLE.COM So, the entry as suggested by the OpenLDAP manual is there allright. Deleting and re-creating both service principal and the keytab on ldap.example.com didn't help, I get the same error. And before I make the keytab file readable by openldap, I get "Permission denied" error instead of the one in the subject. Which implies that the right keytab file is being accessed, as set in /etc/default/slapd. I have my doubts about the following part of slapd config: root@ldap:~# cat /etc/ldap/slapd.d/cn\=config.ldif | grep -v "^#" dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: 256 olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: d6737f5c-d321-1030-9dbe-27d2a7751e11 olcSaslHost: kdc.example.com olcSaslRealm: EXAMPLE.COM olcSaslSecProps: noplain,noactive,noanonymous,minssf=56 olcAuthzRegexp: {0}"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth" "uid=$1,ou=People,dc=example,dc=com" olcAuthzRegexp: {1}"uid=host/([^/]*).example.com,cn=example.com,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=example,dc=com" A HOWTO at https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication mentiones: Also, it is frequently necessary to map the Distinguished Name (DN) of an authorized Kerberos client to an existing entry in the DIT. I fail to understand where in the tree this should be defined, what schema should be used, etc. After hours of googling, it's official: I'm stuck! Please, help. Other things checked: Kerberos as such works fine (I can ssh without using a password to any machine in this setup). That means there should be no DNS-related problems. ldapsearch -b 'dc=example,dc=com' -x works OK. SASL/GSSAPI has been tested using sasl-sample-server -m GSSAPI -s ldap and sasl-sample-client -s ldap -n ldap.example.com -u tom without errors: root@ldap:~# sasl-sample-server -m GSSAPI -s ldap Forcing use of mechanism GSSAPI Sending list of 1 mechanism(s) S: R1NTQVBJ Waiting for client mechanism... C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIPgot 'GSSAPI' Sending response... S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cR Waiting for client reply... C: got '' Sending response... S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4= Waiting for client reply... C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=got '?' Negotiation complete Username: tom Realm: (NULL) SSF: 56 sending encrypted message 'srv message 1' S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazx Waiting for encrypted message... C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpcztgot '' recieved decoded message 'client message 1' root@ldap:~# sasl-sample-client -s ldap -n ldap.example.com -u tom service=ldap Waiting for mechanism list from server... S: R1NTQVBJrecieved 6 byte message Choosing best mechanism from: GSSAPI returning OK: tom Using mechanism GSSAPI Preparing initial. Sending initial response... C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIP Waiting for server reply... S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cRrecieved 156 byte message C: Waiting for server reply... S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=recieved 32 byte message Sending response... C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw= Negotiation complete Username: tom SSF: 56 Waiting for encoded message... S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazxrecieved 78 byte message recieved decoded message 'srv message 1' sending encrypted message 'client message 1' C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpczt

3 3

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2012