Creating a special entry
by Frank Bonnet
Hello
Due to the use of third-party software I need to create
a special account in our OpenLDAP directory that has the
following privileges:
read, compare, browse
Help greatly appreciated on guidance to create such entry.
info links welcome
thank you
11 years, 10 months
slapadd not allowed on first database
by Kwasi Gyasi - Agyei
Hi,
I'm trying to migrate data using the OpenLDAP migration tools; however, I keep
getting the error below, which I don't understand. I don't even know where ldap is
getting the second database from, because I don't have that defined anywhere;
slapd.conf has only one database.
Error:
------------------
The first database does not allow slapadd; using the first available one (2)
slapadd: line 1: database #2 (dc=my-domain,dc=com) not configured to hold
"dc=4things,dc=co,dc=za"; no database configured for that naming context
slapd.conf :
------------------
#
###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write
# NO REFERRALS
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid
# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1
# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la
# NO TLS-enabled connections
# backend definition not required
#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################
database bdb
suffix "dc=4things, dc=co, dc=za"
# root or superuser
rootdn "cn=system-admin, dc=4things, dc=co, dc=za"
rootpw {SSHA}password
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/lib/ldap/4things.co.za
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
Any ideas? I have Googled for almost a week now and I come across nothing...
--
Multimedia and Communication | Property | Entertainment
Kwasi Owusu Gyasi - Agyei
*cell* (+27) (0) 76 466 4488
*website *www.4things.co.za
*email *kwasi.gyasiagyei(a)4things.co.za
*skype *kwasi.gyasiagyei
*role* Developer.Designer.Software Architect
11 years, 10 months
slapcat and slapadd
by Andreas Laesser
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi @all,
I've a problem doing a slapcat and adding the dump again to another
(empty) ldap server...
doing a slapcat on my "master" gives me a file with:
<snip>
root@foobar /etc/ldap # head -100 ldapFullCat.ldif
dn:
objectClass: top
objectClass: dcObject
objectClass: organization
o: spsc.tugraz.at
dc: spsc
structuralObjectClass: organization
entryUUID: 292ab862-cb04-1030-9e71-dd10406d8585
creatorsName: cn=admin,dc=spsc,dc=tugraz,dc=at
createTimestamp: 20120104094228Z
entryCSN: 20120104094228.808452Z#000000#000#000000
modifiersName: cn=admin,dc=spsc,dc=tugraz,dc=at
modifyTimestamp: 20120104094228Z
dn:
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9WlQ5UmdyUFpJVDVuM3ByS0ErM3M5TFplU0RHcnFMN3g=
structuralObjectClass: organizationalRole
entryUUID: 292b04fc-cb04-1030-9e72-dd10406d8585
creatorsName: cn=admin,dc=spsc,dc=tugraz,dc=at
createTimestamp: 20120104094228Z
entryCSN: 20120104094228.810430Z#000000#000#000000
modifiersName: cn=admin,dc=spsc,dc=tugraz,dc=at
modifyTimestamp: 20120104094228Z
dn: dc=SPSC,dc=TUGRAZ,dc=AT
dc: SPSC
objectClass: dcObject
objectClass: organizationalUnit
ou: SPSC
structuralObjectClass: organizationalUnit
entryUUID: ffae9024-9a0c-1028-8a8f-881a13d527c4
creatorsName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT
createTimestamp: 20040913201236Z
entryCSN: 20040913201236.000000Z#000001#000#000000
modifiersName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT
modifyTimestamp: 20040913201236Z
contextCSN: 20120119135137.038345Z#000000#000#000000
contextCSN: 20120120100955.690312Z#000000#001#000000
dn: ou=people,dc=SPSC,dc=TUGRAZ,dc=AT
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: ffc2d0b6-9a0c-1028-8a90-881a13d527c4
creatorsName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT
createTimestamp: 20040913201236Z
entryCSN: 20040913201236.000000Z#000002#000#000000
modifiersName: cn=admin,dc=SPSC,dc=TUGRAZ,dc=AT
modifyTimestamp: 20040913201236Z
....
</snip>
But if I want to add this file at my other server, it gives me:
root@barfoo /etc/ldap # slapadd -l ldapFullCat.ldif -f ./slapd.conf
slapadd: line 1: cannot add entry with empty dn=""
_ 0.02% eta elapsed none spd
3.0 M/s
Closing DB...
Any ideas? Of course, if I delete the first two entries it works, but
then the LDAP server doesn't work correctly.
thanks and regards
Andreas
- --
=========================================================================
_____________
/ ___________/ Andreas Laesser
/ //_// /____/ Signal Proc.& Speech Communication Lab.
__/ /___/ / __ Graz University of Technology
/___//____//___/ Inffeldgasse 16c/EG | A-8010 Graz | Austria
http://www.spsc.tugraz.at Tel: +43 (0)316 873 -4443 Fax: DW 104439
=========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAk8ZQBUACgkQ1nmbrmNF2lObwQCeKnF+elTztwQCu9DhjbN4eKhB
8nQAn2CuBh2WNyjlTfWZhbzMeh6IFXbg
=xheX
-----END PGP SIGNATURE-----
11 years, 10 months
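The two slapadd failures above (a database "not configured to hold" the LDIF's naming context, and "cannot add entry with empty dn") are both checks that can be run on a dump before slapadd touches the database. The following is an added example, not code from either thread or from the OpenLDAP project: a small LDIF content-record parser that unfolds continuation lines and decodes base64 values, plus a DN check against the configured suffix. The sample dump is constructed; it deliberately contains an entry with an empty DN, a DN written with spaces after the commas (RFC 4514 allows that whitespace, and it is stripped before comparison, so "dc=4things, dc=co, dc=za" and "dc=4things,dc=co,dc=za" compare equal), and an entry outside the suffix.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample dump (not either poster's data): an entry with an empty DN,
# two entries under dc=example,dc=com (one written with spaces after the commas,
# one with a base64 value and a folded line), and one entry outside the suffix.
SAMPLE_LDIF = """\
dn:
objectClass: top
objectClass: dcObject
objectClass: organization
o: example

dn: dc=EXAMPLE, dc=COM
dc: EXAMPLE
objectClass: dcObject
objectClass: organization
description:: TGluZSB0d28=

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP admin
 istrator

dn: dc=other,dc=org
dc: other
objectClass: dcObject
"""


@dataclass
class Entry:
    dn: str
    line: int                                   # line of the 'dn:' in the source
    attrs: dict = field(default_factory=dict)   # lowercased type -> list of values


def _unfold(text):
    """Join LDIF continuation lines (they start with one space) onto the line
    they continue; returns a list of (line_number, logical_line)."""
    out = []
    for num, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and out:
            n, prev = out[-1]
            out[-1] = (n, prev + raw[1:])
        else:
            out.append((num, raw))
    return out


ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Parse LDIF content records. '::' values are base64-decoded; ':<' URL
    values and change records are out of scope here (assumption)."""
    entries, cur = [], None
    for num, line in _unfold(text):
        if not line.strip():
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"line {num}: not an attribute line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() == "dn":
            if cur is not None:
                raise ValueError(f"line {num}: 'dn' inside an entry")
            cur = Entry(dn=value.strip(), line=num)
        elif cur is None:
            if name.lower() == "version":
                continue
            raise ValueError(f"line {num}: attribute before any 'dn'")
        else:
            cur.attrs.setdefault(name.lower(), []).append(value)
    if cur is not None:
        entries.append(cur)
    return entries


def normalize_dn(dn):
    """Canonical form for comparison: attribute types lowercased, the optional
    whitespace around RDN separators removed, values case-folded. Assumption:
    no escaped commas and only case-insensitive attribute types (dc, cn, ou)."""
    if not dn.strip():
        return ""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        typ, val = rdn.split("=", 1)
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


def is_under(dn, suffix):
    """True if dn equals the suffix or lies somewhere below it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def check_dump(text, suffix):
    """Return (line, dn, problem) for every entry a slapadd into a database
    with this suffix would refuse: an empty DN, or a DN outside the suffix."""
    problems = []
    for e in parse_ldif(text):
        if not e.dn:
            problems.append((e.line, e.dn, "empty dn"))
        elif not is_under(e.dn, suffix):
            problems.append((e.line, e.dn, f"not under suffix {suffix}"))
    return problems


if __name__ == "__main__":
    for line, dn, problem in check_dump(SAMPLE_LDIF, "dc=example, dc=com"):
        print(f"line {line}: dn={dn!r}: {problem}")
```

Run it against a real dump with the suffix from the target slapd.conf before loading; an entry reported as "empty dn" points at the export (or at what the archive did to it), whereas "not under suffix" points at a mismatch between the dump's naming context and the database definition.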
Need help to change ldap password from client side
by sivakumar R
Dear All,
I've recently configured an LDAP server. I am facing a small problem when
I'm trying to change my password from the client side by giving the command
"passwd". It is giving the following error in the terminal:
Changing password for user ****.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
Also, in /var/log/messages it is showing the following error message:
Jan 24 15:43:57 mail passwd: pam_ldap: ldap_modify_s Insufficient access
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: gck_module_new: assertion
`funcs' failed
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: module_instances:
assertion `module' failed
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: egg_error_message:
assertion `error' failed
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: couldn't find secret store
module: (unknown)
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: lookup_login_keyring:
assertion `GCK_IS_SESSION (session)' failed
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: create_credential:
assertion `GCK_IS_SESSION (session)' failed
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: egg_error_message:
assertion `error' failed
Jan 24 15:43:57 mail gnome-keyring-daemon[6329]: couldn't create new login
credential: (unknown)
Also, these are my ACL configuration details from /etc/openldap/slapd.conf:
access to attr=userPassword
by anonymous auth
by self write
by * none
access to * by * read
Please help to resolve this
Cordially
Shiv
11 years, 10 months
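Both the "special entry" thread near the top (an account limited to read, compare and browse) and the password-change thread above come down to how slapd evaluates its access directives: the first "access to" whose target matches decides, the first matching "by" inside it sets the level, and the levels are cumulative, so "read" already includes "search" and "compare". The following is an added example, not code from either thread or from the OpenLDAP project: a small evaluator for a subset of slapd.conf ACL syntax, run against a constructed read-only service-account ACL and against a copy of the ACL posted above. Supported syntax is limited to the forms used here (assumption; DN values are assumed to contain no spaces), and "none" is returned when no clause matches, as slapd does once any access directive is present. With the posted ACL the user's own bind gets "write" on userPassword but only "read" on any other attribute of the same entry, so if the password-changing client also updates another attribute (shadowLastChange, when shadow data is kept in LDAP, is the usual one), that modify is refused with insufficient access.

```python
import re

# slapd's cumulative access levels, weakest first: holding 'read' also grants
# 'search' and 'compare', so a "read, compare, browse" account needs only 'read'.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed: a service account that may read (and therefore search and compare)
# everything except password hashes, while users may still change their own.
SERVICE_ACL = """
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to *
    by dn.exact="cn=svc-app,ou=services,dc=example,dc=com" read
    by self write
    by * none
"""

# Constructed copy of the ACL posted in the "change ldap password" thread above.
POSTED_ACL = """
access to attr=userPassword
    by anonymous auth
    by self write
    by * none
access to * by * read
"""

SVC = "cn=svc-app,ou=services,dc=example,dc=com"      # hypothetical bind DNs
ALICE = "uid=alice,ou=people,dc=example,dc=com"


def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' directives (one may span lines).
    Assumption: <what> is '*', 'attr(s)=...' or 'dn.subtree=...'; <who> is '*',
    'anonymous', 'users', 'self' or 'dn.exact=...'."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules = []
    for chunk in re.split(r"\baccess\s+to\s+", " ".join(lines)):
        if not chunk.strip():
            continue
        what, *by_clauses = re.split(r"\s+by\s+", chunk.strip())
        bys = []
        for clause in by_clauses:
            who, level = clause.split()[:2]
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            bys.append((who, level))
        rules.append((what.strip(), bys))
    return rules


def _what_matches(what, target_dn, attr):
    if what == "*":
        return True
    m = re.fullmatch(r"attrs?=(.+)", what)
    if m:
        wanted = [a.strip().lower() for a in m.group(1).split(",")]
        return attr is not None and attr.lower() in wanted
    m = re.fullmatch(r'dn\.subtree="?([^"]+)"?', what)
    if m:
        base, dn = m.group(1).lower(), target_dn.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unsupported <what>: {what!r}")


def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.exact)?="?([^"]+)"?', who)
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def granted_level(rules, bind_dn, target_dn, attr=None):
    """First 'access to' whose <what> matches decides; inside it the first
    matching 'by' gives the level. No matching 'by', or no matching directive
    at all, yields 'none'. bind_dn=None means an anonymous session."""
    for what, bys in rules:
        if _what_matches(what, target_dn, attr):
            for who, level in bys:
                if _who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allowed(rules, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least 'needed' (levels are cumulative)."""
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    svc_rules = parse_acl(SERVICE_ACL)
    for attr, need in (("cn", "read"), ("cn", "compare"), ("cn", "write"), ("userPassword", "read")):
        print(f"svc-app needs {need:7} on {attr:12}: {allowed(svc_rules, SVC, ALICE, attr, need)}")
    posted = parse_acl(POSTED_ACL)
    print("alice on her own userPassword    :", granted_level(posted, ALICE, ALICE, "userPassword"))
    print("alice on her own shadowLastChange:", granted_level(posted, ALICE, ALICE, "shadowLastChange"))
```

The evaluator is a reasoning aid, not a substitute for slapd: confirm the real decision with slapacl, which reads the live configuration, and check the attribute names in the failing modify in the client's own log.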
How to configure Openldap with the new LDIF configuration
by André Ribas
Hi there,
I am trying to setup a Samba + OpenLDAP server here but it has been a
while since the last time that I did it. Last time that I did it, the
slapd was configured by the file slapd.conf but now I realized that it
has a new configuration method based on LDIF files.
I'm a little confused with this new method and every tutorial that I
find on the Internet says that I should write a slapd.conf and use the
migration tool. But doing that I'll not be using the best feature of
the new method (on-line updates) so I want to learn the new way.
Sorry for this newbie question, but I am not understanding how to use
it to add a schema file or even change some configuration. Does anyone
have some tips or even a good tutorial (maybe even a Samba-related
one) that teaches how to do it in the "right" way?
Thanks, and sorry for any English mistakes (this is one of my very
first mails to an English mailing list).
André Ribas
11 years, 10 months
TLS hostname check failure and subjectAltname extension
by Michael Ströder
Hi!
We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked against
OpenSSL 1.0.0 libs shipped with RHEL.
(some names are consistently obfuscated herein to keep real names confidential)
Unfortunately we can't get StartTLS to work. It always fails:
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
# /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
---------------------------------- snip ----------------------------------
Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
[..]
X509v3 Subject Alternative Name:
email:certificate@xxx.domain,
DNS:ldap.domain,
DNS:ldap-srv01.rz.domain,
DNS:ldap-srv02.rz.domain
---------------------------------- snip ----------------------------------
Is the hostname check confused by the email in the first subjectAltName
sequence value?
Ciao, Michael.
11 years, 10 months
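The question above is whether a non-DNS subjectAltName value in front of the DNS names can upset the hostname check. The following is an added example, not code from the thread or from OpenLDAP or OpenSSL: a hostname matcher written the way RFC 6125 describes the check (dNSName entries are authoritative, other SAN types are skipped rather than treated as a mismatch, and the subject CN is consulted only when there is no dNSName at all), run against a constructed representation of the certificate shown above. Whether a given client library behaves this way is what the reader has to verify for their version; the point of the example is to make the expected behaviour concrete so that a deviation is recognisable.

```python
# Constructed from the certificate excerpt above (names are the obfuscated ones
# used in the thread): subject CN plus a SAN whose first value is an email.
CERT = {
    "subject_cn": "ldap.domain",
    "san": [
        ("email", "certificate@xxx.domain"),
        ("DNS", "ldap.domain"),
        ("DNS", "ldap-srv01.rz.domain"),
        ("DNS", "ldap-srv02.rz.domain"),
    ],
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; '*' is accepted only as the
    whole leftmost label, matches exactly one label, and needs at least two
    further labels (so '*.domain' is not honoured)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """Return (ok, reason). dNSName SAN entries decide; email/IP/URI entries
    are ignored; the subject CN is a fallback only when no dNSName exists."""
    dns_names = [value for kind, value in cert["san"] if kind.upper() == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_name_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name}"
        return False, f"no dNSName in {dns_names} matches {hostname}"
    cn = cert.get("subject_cn")
    if cn and _dns_name_matches(cn, hostname):
        return True, f"matched subject CN {cn} (certificate has no dNSName)"
    return False, f"no dNSName present and subject CN {cn!r} does not match {hostname}"


if __name__ == "__main__":
    for host in ("ldap.domain", "ldap-srv01.rz.domain", "ldap-srv03.rz.domain"):
        print(host, "->", hostname_matches_cert(CERT, host))
```

Checking a certificate with this kind of function before deploying it (feed it the dNSName list from `openssl x509 -noout -ext subjectAltName`) tells you whether a client failure is a certificate problem or a client-side matching problem.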
syncprov_db_open: invalid config, lastmod must be enabled
by Angel L. Mateo
Hi,
I'm trying to configure the chain overlay in an LDAP replica consumer. My
final purpose is that if this node receives an update, it directly tries
to make it in the provider node, instead of returning the referral. Is
that possible? I think so...
But I have a problem with the configuration. My config is
...
moduleload back_ldap
moduleload syncprov
...
database hdb
suffix dc=<mysuffix>
...
overlay syncprov
syncrepl rid=31
provider="ldap://<provider>"
binddn="<replica user dn>"
bindmethod=simple
credentials=<password>
searchbase="dc=<mysuffix>"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 +"
timeout=1
overlay chain
chain-max-depth 1
chain-return-error true
chain-uri ldap://<provider>
chain-rebind-as-user yes
chain-idassert-bind bindmethod=simple
binddn=<replica user dn>
credentials=<password>
starttls=no
mode="self"
But when I test configuration with slaptest, I get:
root@canis32:/etc/ldap# slaptest -f /etc/ldap/slapd.conf
syncprov_db_open: invalid config, lastmod must be enabled
backend_startup_one (type=hdb, suffix="<mysuffix>"): bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)
and I can't run slapd. Any idea?
I'm running slapd 2.4.21 (ubuntu lucid package)
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información _o)
y las Comunicaciones Aplicadas (ATICA) / \\
http://www.um.es/atica _(___V
Tfo: 868887590
Fax: 868888337
11 years, 10 months
ldap error codes during modification
by Rohan J
Hello,
I was going through RFCs to have a clear requirement of the expected LDAP
error codes during an ldapmodify with insufficient access. Does OpenLDAP
always have to return error code 50 during a modify even though the
modification may contain errors related to invalid attribute
syntax, notAllowedOnRDN or any protocol errors? I am guessing that it
should be fine to allow error codes except 16, 20, 32 etc. Please let me know
if there is a reference to this information.
11 years, 10 months
eDirectory -> openLDAP password synchronization with jdap
by Martin Anastasov
Hi,
I'm trying to synchronize passwords from eDirectory to OpenLDAP using jdap.
The passwords in eDirectory are not stored in plain text, i.e. Secure Login
SSO is used (protocom-SSO-Entries in the LDIF file). Also present in the LDIF
are: nDSPKIUserCertificateInfo, userCertificate.
Is it possible to do the synchronization?
Thanks in advance.
Regards,
Martin
11 years, 10 months
Openldap/Sasl/GSSAPI on Debian: Key table entry not found
by Toomas Vendelin
The goal: to make an OpenLDAP server authenticate using Kerberos V via GSSAPI
Setup: several virtual machines running on freshly installed/updated
Debian Squeeze
A master KDC server
kdc.example.com
A LDAP server, running OpenLDAP
ldap.example.com
The problem:
tom@ldap:~$ ldapsearch -b 'dc=example,dc=com'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Key
table entry not found)
One might suggest adding that keytab entry, but:
ktutil: rkt /etc/ldap/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 ldap/ldap.example.com(a)EXAMPLE.COM
2 2 ldap/ldap.example.com(a)EXAMPLE.COM
3 2 ldap/ldap.example.com(a)EXAMPLE.COM
4 2 ldap/ldap.example.com(a)EXAMPLE.COM
So, the entry as suggested by the OpenLDAP manual is there all right.
Deleting and re-creating both service principal and the keytab on
ldap.example.com didn't help, I get the same error. And before I make
the keytab file readable by openldap, I get "Permission denied" error
instead of the one in the subject. Which implies that the right keytab
file is being accessed, as set in /etc/default/slapd.
I have my doubts about the following part of slapd config:
root@ldap:~# cat /etc/ldap/slapd.d/cn\=config.ldif | grep -v "^#"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: d6737f5c-d321-1030-9dbe-27d2a7751e11
olcSaslHost: kdc.example.com
olcSaslRealm: EXAMPLE.COM
olcSaslSecProps: noplain,noactive,noanonymous,minssf=56
olcAuthzRegexp: {0}"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth" "uid=$1,ou=People,dc=example,dc=com"
olcAuthzRegexp: {1}"uid=host/([^/]*).example.com,cn=example.com,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=example,dc=com"
A HOWTO at https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication
mentions:
Also, it is frequently necessary to map the Distinguished Name
(DN) of an authorized Kerberos client to an existing entry in the DIT.
I fail to understand where in the tree this should be defined, what
schema should be used, etc. After hours of googling, it's official:
I'm stuck! Please, help.
Other things checked: Kerberos as such works fine (I can ssh without
using a password to any machine in this setup). That means there
should be no DNS-related problems.
ldapsearch -b 'dc=example,dc=com' -x
works OK.
SASL/GSSAPI has been tested using
sasl-sample-server -m GSSAPI -s ldap
and
sasl-sample-client -s ldap -n ldap.example.com -u tom
without errors:
root@ldap:~# sasl-sample-server -m GSSAPI -s ldap
Forcing use of mechanism GSSAPI
Sending list of 1 mechanism(s)
S: R1NTQVBJ
Waiting for client mechanism...
C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIPgot
'GSSAPI'
Sending response...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cR
Waiting for client reply...
C: got ''
Sending response...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=
Waiting for client reply...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=got '?'
Negotiation complete
Username: tom
Realm: (NULL)
SSF: 56
sending encrypted message 'srv message 1'
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazx
Waiting for encrypted message...
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpcztgot
''
recieved decoded message 'client message 1'
root@ldap:~# sasl-sample-client -s ldap -n ldap.example.com -u tom
service=ldap
Waiting for mechanism list from server...
S: R1NTQVBJrecieved 6 byte message
Choosing best mechanism from: GSSAPI
returning OK: tom
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIP
Waiting for server reply...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cRrecieved
156 byte message
C:
Waiting for server reply...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=recieved 32 byte message
Sending response...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=
Negotiation complete
Username: tom
SSF: 56
Waiting for encoded message...
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazxrecieved
78 byte message
recieved decoded message 'srv message 1'
sending encrypted message 'client message 1'
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpczt
11 years, 10 months
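The part of the configuration the poster is unsure about, olcAuthzRegexp, is the mapping step the Ubuntu HOWTO refers to: after a successful GSSAPI bind slapd forms the DN "uid=<principal>,cn=<realm>,cn=gssapi,cn=auth" and rewrites it with the first matching rule, so the authenticated identity ends up pointing at an existing entry in the DIT (or at nothing, if no rule matches). The following is an added example, not code from the thread or from OpenLDAP: a simulator of that rewrite, seeded with a copy of the two rules shown in the cn=config excerpt above. Assumptions: patterns are applied in order with case-insensitive, unanchored matching (mirroring a POSIX regexec; anchor with ^ and $ for an exact match), and "$1".."$9" in the replacement are filled from the capture groups. The example also shows why the unescaped "." before "example.com" in rule {1} is worth tightening: as written it matches any character there, so a principal such as host/ldapXexample.com is mapped as well; the STRICT variant escapes the dot and excludes dots from the captured label.

```python
import re

# Constructed copy of the two rules in the cn=config excerpt above, in the
# order slapd tries them ({0} first, then {1}).
AUTHZ_REGEXP = [
    (r"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth",
     r"uid=$1,ou=People,dc=example,dc=com"),
    (r"uid=host/([^/]*).example.com,cn=example.com,cn=gssapi,cn=auth",
     r"cn=$1,ou=hosts,dc=example,dc=com"),
]

# Hypothetical tightened version of rule {1}: anchored, dot escaped, and the
# captured host label may not itself contain a dot.
STRICT = [
    (r"^uid=host/([^/.]*)\.example\.com,cn=example\.com,cn=gssapi,cn=auth$",
     r"cn=$1,ou=hosts,dc=example,dc=com"),
]


def sasl_authz_dn(authcid, realm, mech):
    """The DN slapd builds for a SASL identity before authz-regexp rewriting."""
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def apply_authz_regexp(rules, dn, ignore_case=True):
    """Apply the rules in order; the first pattern that matches wins and its
    replacement gets $1..$9 substituted from the capture groups. A DN that no
    rule matches is returned unchanged (it then names no entry in the DIT)."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern, replacement in rules:
        m = re.search(pattern, dn, flags)   # unanchored, like regexec
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return dn


if __name__ == "__main__":
    for authcid in ("tom", "host/ldap.example.com", "host/ldapXexample.com"):
        dn = sasl_authz_dn(authcid, "EXAMPLE.COM", "GSSAPI")
        print(f"{dn}\n  -> {apply_authz_regexp(AUTHZ_REGEXP, dn)}")
        print(f"  -> strict: {apply_authz_regexp(STRICT, dn)}")
```

A mapped DN is only useful if that entry exists: uid=tom,ou=People,dc=example,dc=com has to be present in the directory, which is what the HOWTO's "map ... to an existing entry in the DIT" means, and slapd's own view of the result can be checked with ldapwhoami after a GSSAPI bind.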