openldap-technical October 2012

openldap-technical@openldap.org

68 participants
66 discussions

Can not build OpenLDAP with OpenSSL in custom location
by jckidder＠aep.com 05 Oct '12

05 Oct '12

Ok, this is driving me nuts!!!! I can't build OpenLDAP with TLS support. configure fails with a TLS/SSL error. If I disable TLS everything works just fine. Everthing I can find on the net is telling me I'm doing this right but it's not working. I have OpenSSL 0.9.8x built and installed to a custom directory: /appl/openssl I have the following environment variables set: LD_LIBRARY_PATH=/appl/BerkeleyDB/lib:/appl/openssl/lib:/appl/cyrus_sasl/lib:/appl/unixODBC/lib:/appl/openldap/lib:$LD_LIBRARY_PATH CPPFLAGS="-I/appl/BerkeleyDB/include -I/appl/openssl/include/openssl -I/appl/cyrus_sasl/include -I/appl/unixODBC/include -I/appl/openldap/include -I/usr/include -DF00=42" LDFLAGS="-L/appl/BerkeleyDB/lib -L/appl/openssl/lib -L/appl/cyrus_sasl/lib -L/appl/unixODBC/lib -L/appl/openldap/lib -L/usr/lib " I run the following configure command: ./configure --prefix=/appl/openldap --enable-bdb --enable-ldap --enable-sql --enable-overlays --enable-spasswd --with-tls=openssl And I get the following output: checking openssl/ssl.h usability... yes checking openssl/ssl.h presence... yes checking for openssl/ssl.h... yes checking for SSL_library_init in -lssl... no checking for ssl3_accept in -lssl... no configure: error: Could not locate TLS/SSL package What am I missing?? -Jon C. Kidder American Electric Power Middleware Services 614-716-4970

2 2

What does acl-bind exactly
by General Stone 05 Oct '12

05 Oct '12

Hello, what does acl-bind exactly in ldap backend (slapd-ldap)? I don't understand the explenataion in available documentations. The manpage says "... that is internally used by the proxy to collect info related to access control ...", but which informations are needed from the remote server? Further the manpage says "The identity (...) is supposed to have read access on the target server to attributes used on the proxy for ACL checking ...", but which attributes are mean? Kind regards, Markus Martinet -- Key fingerprint = A0D9 F306 0FC0 30E7 62DB E785 A192 2A30 5CF1 224D ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Die Theorie ist immer nur so gut wie ihre Praxis. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1 0

Filter a ldap connection for a user comming from an IP source
by Mik J 05 Oct '12

05 Oct '12

Hello, I have this ACL that allows the users myadmin to list encrypted passwords access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet by dn="uid=myadmin,ou=people,dc=mydomain,dc=org" read However this user my admin is supposed to come from one IP 1.1.1.1 only. I think that the peername directive might help to achive this task but I don't know how to associate it with the user myadmin. In conclusion I would like that the user myadmin coming from IP 1.1.1.1 be able to see the encrypted passwords. If the user myadmin comes from another IP like 2.2.2.2 he would not match the ACL and therefore not be able to see encrypted passwords. Does anyone know what is the syntax ?

2 2

LDAP Stopped Authenticating Samba Shares
by Steve Olszewski 04 Oct '12

04 Oct '12

Hi All-- I'm a fairly new Systems Administrator at my company, and have inherited a mostly undocumented infrastructure, including LDAP and Samba. We had been using LDAP for authentication, allowing access to the Samba shares based on group membership. Recently, users were unable to mount shares, as authentication had broken somehow. A couple of things stand out: 1) Using phpldapadmin, if I compare the sambalmpasswd or the sambantpasswd on any account to the password that *should* be in place, I get a "passwords do not match" error. The standard user password checks out OK, however. I'm not sure why this is happening. 2) Samba will not start. It dies with a "smbd[2902]: ERROR: failed to setup guest info." error. As far as I can tell, this happens when Samba starts and tries to find the "nobody" user, both locally and on the remote LDAP server. The nobody user exists in both places, and I can run 'getent passwd' and 'getent group' and see both local and LDAP users/groups. I am having a terrible time troubleshooting this, and wonder if someone might have an idea about what's going on, or point me in the right direction. Best, Steve Olszewski

1 0

Re: Access denied consumer replication (OpenLDAP+Kerberos)
by Daniel Lopes de Carvalho 04 Oct '12

04 Oct '12

Hi Quanah. Thanks for your reply! I was following this link to configure the provider/consumer: http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php. Under item "2. Kerberos client install", at the end, I was guided to create a principal starting with ldap/dns02... But... I created 3 principals: host/dns02... ldap/dns02.. and ldaps/dns02... And under item "8. Provider modifications" I was instruted to map uid=ldap/... to ou=consumers # 1.2.1. add: olcAuthzRegexp olcAuthzRegexp: uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth cn=$1,ou=consumers,dc=example,dc=com I deleted the principals host/dns02... and ldaps/dns02... and the replication started to work. Thanks very mch! Daniel -- Daniel Lopes de Carvalho dlcarvalho(a)gmail.com daniellopescarvalho (skype) 19 9357-5618 (claro) 19 8251-6023 (tim) On Thu, Oct 4, 2012 at 2:57 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho > <dlcarvalho(a)gmail.com> wrote: > >> Hi >> >> I try to configure two openldap/kerberos server (provider and >> consumer), but I'm having some issues about replication. Under LDAP >> log, I have many entries like this: "slap_access_allowed: search >> access denied by none(=0)" >> >> These messages are related to consumer access to the Kerberos database >> on provider and the kerberos database can't be replicated to the >> consumer. The others data are replicated normaly. >> >> These are the ACL under privider: >> olcAccess: {0}to attrs=userPassword,shadowLastChange >> by >> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp, >> dc=br" read >> by anonymous auth by * none >> >> olcAccess: {1}to >> dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" >> by >> dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc= >> br" write >> by >> dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc= >> br" read >> by >> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp, >> dc=br" read by * none >> >> olcAccess: {2}to attrs=loginShell >> by self write >> by users read >> by * none >> >> olcAccess: {3}to dn.base="" >> by * read >> >> olcAccess: {4}to * >> by users read >> by * none > > > This is the entity asking permission: > > > Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by > "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", > (=0) > > This does not match > > by > dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" > > It looks like you put the host entry in the users tree and not the consumer > tree. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration

1 0

Problem converting slapd.conf to cn=config format
by Patrick Lists 04 Oct '12

04 Oct '12

Hi all, New to the list and (Open)LDAP so apologies if I'm missing the obvious. I've gone through the Admin Guide and some other docs I found online but I still have problems converting a slapd.conf to the cn=config format on a CentOS 6.3 x86_64 box with openldap-2.4.23-26.el6_3.2 $ cat ~/slapd.conf.new # general parameters include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema allow bind_v2 loglevel 296 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args password-hash {SSHA} modulepath /usr/lib64/openldap TLSCipherSuite HIGH TLSCACertificatePath /etc/openldap/certs TLSCertificateFile "\"OpenLDAP Server\"" TLSCertificateKeyFile /etc/openldap/certs/password lastmod on # databases database config rootdn "cn=admin,cn=config" rootpw {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none # enable server status monitoring (cn=monitor) database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=admin,dc=example,dc=com" read by * none database hdb suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW mode 600 checkpoint 512 30 cachesize 2097152 index uid pres,eq index cn,sn,mail pres,eq,approx,sub index objectClass eq directory /var/lib/ldap Steps I did: # service slapd stop # rm -rf /var/lib/ldap/* # rm -rf /etc/openldap/slapd.d/* # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # echo "" | slapadd -v -d 448 -f ./slapd.conf.new # slaptest -v -d 448 -f ./slapd.conf.new -F /etc/openldap/slapd.d The last step just hangs and does not do anything even after waiting 45 minutes. Anyone know what I'm doing wrong? Pointers most appreciated. Thanks! Patrick

5 9

Access denied consumer replication (OpenLDAP+Kerberos)
by Daniel Lopes de Carvalho 04 Oct '12

04 Oct '12

Hi I try to configure two openldap/kerberos server (provider and consumer), but I'm having some issues about replication. Under LDAP log, I have many entries like this: "slap_access_allowed: search access denied by none(=0)" These messages are related to consumer access to the Kerberos database on provider and the kerberos database can't be replicated to the consumer. The others data are replicated normaly. These are the ACL under privider: olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by anonymous auth by * none olcAccess: {1}to dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" write by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by * none olcAccess: {2}to attrs=loginShell by self write by users read by * none olcAccess: {3}to dn.base="" by * read olcAccess: {4}to * by users read by * none And bellow the ldap log snnipet: => access_allowed: search access to "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" "objectClass" requested Oct 4 12:00:29 dns01 slapd[1163]: => dn: [2] ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] matched Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] attr objectClass Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: access to entry "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br", attr "objectClass" requested Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", (=0) Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbadm,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbkdc,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: ou=consumers,ou=ldap,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: * Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] applying none(=0) (stop) Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] mask: none(=0) Oct 4 12:00:29 dns01 slapd[1163]: => slap_access_allowed: search access denied by none(=0) Oct 4 12:00:29 dns01 slapd[1163]: => access_allowed: no more rules Can anyone help me? Regards Daniel

2 1

Re: RE24 testing call #1 (OpenLDAP 2.4.33)
by devzero2000 03 Oct '12

03 Oct '12

No problem in helping in doing this, but i have just a curiosity. Really a project as openldap doesn't have an automated buildboot environment running on a checked out vcs these days with 6/7 buildslave (or more) ? Best 2012/10/3, Quanah Gibson-Mount <quanah(a)zimbra.com>: > If you know how to build OpenLDAP manually, and would like to participate > in testing the next set of code for the 2.4.33 release, please do so. > > Generally, get the code for RE24: > > <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> > > Configure & build. > > Execute the test suite (via make test) after it is built. > > Thanks! > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > > -- Inviato dal mio dispositivo mobile

3 2

OpenLDAP and Indexing (when to use Slapindex)
by Emilio García 03 Oct '12

03 Oct '12

Hi there, I know that after setting up a new index in slapd.conf all new entries I add will be indexed (and you need to run slapindex for the old ones if you have), *but will they still be indexed if the entry is modified? (An attribute is updated for example).* I assume it will, isn't it? So can anyone confirm if I need to run slapdindex just when I make a change in slapd.conf? Kind regards. -- Cloudreach Limited is a limited company registered in England with registered number 06975407 The above terms reflect a potential business arrangement, are provided solely as a basis for further discussion, and are not intended to be and do not constitute a legally binding obligation. No legally binding obligations will be created, implied, or inferred until an agreement in final form is executed in writing by all parties involved. This email may be confidential or privileged. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let us know that it has gone to the wrong person.

2 1

Proper manual for proxy-cache configuring via cn=config
by Tio Teath 03 Oct '12

03 Oct '12

Looks like '12.9.2.5. Example for slapd-config' section of 'Administrator's Guide' contains non-valid information. First, it is impossible to initialize hdb database with no olcSuffix attribute. Second, olcPcache attribute of oclOverlay object contains 'dbd' entry, which, I suppose, instructs slapd for using dbd back-end, while in the section below database with hdb back-end are configured. Anyway, I haven't managed to configure proxy-cache with any type of back-ends, so I have question: is any working example exist for configuring the proxy-cache via cn=config? Any of configuration, I've managed to google in the openldap's mailists, won't work for slapd 2.4.25.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2012