Can not build OpenLDAP with OpenSSL in custom location
by jckidder@aep.com
Ok, this is driving me nuts!!!! I can't build OpenLDAP with TLS support.
configure fails with a TLS/SSL error. If I disable TLS everything works
just fine. Everything I can find on the net is telling me I'm doing this
right but it's not working. I have OpenSSL 0.9.8x built and installed to
a custom directory:
/appl/openssl
I have the following environment variables set:
LD_LIBRARY_PATH=/appl/BerkeleyDB/lib:/appl/openssl/lib:/appl/cyrus_sasl/lib:/appl/unixODBC/lib:/appl/openldap/lib:$LD_LIBRARY_PATH
CPPFLAGS="-I/appl/BerkeleyDB/include -I/appl/openssl/include/openssl
-I/appl/cyrus_sasl/include -I/appl/unixODBC/include
-I/appl/openldap/include -I/usr/include -DF00=42"
LDFLAGS="-L/appl/BerkeleyDB/lib -L/appl/openssl/lib -L/appl/cyrus_sasl/lib
-L/appl/unixODBC/lib -L/appl/openldap/lib -L/usr/lib "
I run the following configure command:
./configure --prefix=/appl/openldap --enable-bdb --enable-ldap
--enable-sql --enable-overlays --enable-spasswd --with-tls=openssl
And I get the following output:
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
checking for ssl3_accept in -lssl... no
configure: error: Could not locate TLS/SSL package
What am I missing??
-Jon C. Kidder
American Electric Power
Middleware Services
614-716-4970
10 years, 8 months
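An added diagnostic, not from the original post, that replays the two things configure checks for --with-tls=openssl against a custom prefix, keeping the compiler output that configure only writes to config.log; /appl/openssl is the poster's prefix, the function names and temporary-file layout are assumed.

```shell
#!/bin/sh
# Replay what "./configure --with-tls=openssl" checks for an OpenSSL
# installed under a custom prefix, keeping the compiler diagnostics that
# configure only writes to config.log.  Added example, not from the
# original thread.

# 1. Static check of the prefix layout.  Headers are included as
#    <openssl/ssl.h>, so CPPFLAGS needs -I$prefix/include (not
#    -I$prefix/include/openssl), and the link test needs both libssl
#    and libcrypto under $prefix/lib.
check_openssl_prefix() {
    prefix=$1
    rc=0
    if [ ! -f "$prefix/include/openssl/ssl.h" ]; then
        echo "missing $prefix/include/openssl/ssl.h"; rc=1
    fi
    for lib in libssl libcrypto; do
        if ! ls "$prefix/lib/$lib".* >/dev/null 2>&1; then
            echo "missing $prefix/lib/$lib.so or $lib.a"; rc=1
        fi
    done
    return $rc
}

# 2. The same probe autoconf runs for "checking for SSL_library_init in
#    -lssl", with stderr shown.  -lcrypto is added because libssl depends
#    on it.  Returns 0 if the link succeeds, 1 on failure, 2 without a
#    C compiler.
probe_ssl_link() {
    prefix=$1
    cc=${CC:-cc}
    command -v "$cc" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    printf 'char SSL_library_init(void);\nint main(void) { return SSL_library_init(); }\n' \
        >"$tmp/conftest.c"
    if "$cc" -I"$prefix/include" -L"$prefix/lib" "$tmp/conftest.c" \
            -o "$tmp/conftest" -lssl -lcrypto 2>"$tmp/err"; then
        # Confirm the binary resolved to the intended libraries and not
        # a system copy further along the search path.
        ldd "$tmp/conftest" 2>/dev/null | grep -E 'libssl|libcrypto'
        rm -rf "$tmp"; return 0
    fi
    echo "link failed:"; cat "$tmp/err"
    rm -rf "$tmp"; return 1
}

# Usage with the poster's prefix:
# check_openssl_prefix /appl/openssl && probe_ssl_link /appl/openssl
```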
What does acl-bind exactly
by General Stone
Hello,
what does acl-bind do exactly in the ldap backend (slapd-ldap)? I don't
understand the explanation in the available documentation.
The manpage says "... that is internally used by the proxy to collect
info related to access control ...", but which information is needed
from the remote server?
Further the manpage says "The identity (...) is supposed to have read
access on the target server to attributes used on the proxy for ACL
checking ...", but which attributes are meant?
Kind regards,
Markus Martinet
--
Key fingerprint = A0D9 F306 0FC0 30E7 62DB E785 A192 2A30 5CF1 224D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Theory is only ever as good as its practice.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10 years, 8 months
Filter an ldap connection for a user coming from an IP source
by Mik J
Hello,
I have this ACL that allows the user myadmin to list encrypted passwords
access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
by dn="uid=myadmin,ou=people,dc=mydomain,dc=org" read
However this user myadmin is supposed to come from one IP 1.1.1.1 only.
I think that the peername directive might help to achieve this task but I don't know how to associate it with the user myadmin.
In conclusion I would like that the user myadmin coming from IP 1.1.1.1 be able to see the encrypted passwords.
If the user myadmin comes from another IP like 2.2.2.2 he would not match the ACL and therefore not be able to see encrypted passwords.
Does anyone know what the syntax is?
10 years, 8 months
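An added example, not part of the original post, that combines the poster's dn clause with peername.ip on one "by" line and checks the result with slapacl(8) before touching the running server; the slapd.conf path, the test entry DN and the port in the peername string are assumed.

```shell
#!/bin/sh
# Tie the password-attribute ACL from the question to one client address
# and check the result with slapacl(8) before restarting slapd.  Added
# example, not from the original thread; SLAPD_CONF, TEST_ENTRY and the
# port number in the peername string are assumed.
SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}
ADMIN_DN='uid=myadmin,ou=people,dc=mydomain,dc=org'
TEST_ENTRY='uid=someuser,ou=people,dc=mydomain,dc=org'
PW_ATTRS='userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet'

# Several <who> terms on one "by" line are ANDed (slapd.access(5)): the
# bind DN *and* the peer address must both match.  myadmin from 2.2.2.2
# fails the second term and falls through to "by * none".  Any other
# clauses from the real config (self write, anonymous auth, ...) go after.
acl_fragment() {
    cat <<EOF
access to attrs=$PW_ATTRS
        by dn.exact="$ADMIN_DN" peername.ip=1.1.1.1 read
        by * none
EOF
}

# Ask slapd's own ACL engine the question the poster asked: does ADMIN_DN
# get read on userPassword of TEST_ENTRY when connected from $1?
# slapd stores peer addresses as "IP=addr:port", which is the form the
# -o peername= option takes (assumed); -u skips fetching the entry.
acl_check() {
    ip=$1
    slapacl -f "$SLAPD_CONF" -u -D "$ADMIN_DN" -b "$TEST_ENTRY" \
        -o "peername=IP=$ip:54321" userPassword/read
}

# Expected once the fragment is in slapd.conf:
#   acl_check 1.1.1.1   -> ALLOWED
#   acl_check 2.2.2.2   -> DENIED
```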
LDAP Stopped Authenticating Samba Shares
by Steve Olszewski
Hi All--
I'm a fairly new Systems Administrator at my company, and have inherited a mostly undocumented infrastructure, including LDAP and Samba. We had been using LDAP for authentication, allowing access to the Samba shares based on group membership. Recently, users were unable to mount shares, as authentication had broken somehow.
A couple of things stand out:
1) Using phpldapadmin, if I compare the sambalmpasswd or the sambantpasswd on any account to the password that *should* be in place, I get a "passwords do not match" error. The standard user password checks out OK, however. I'm not sure why this is happening.
2) Samba will not start. It dies with a "smbd[2902]: ERROR: failed to setup guest info." error. As far as I can tell, this happens when Samba starts and tries to find the "nobody" user, both locally and on the remote LDAP server. The nobody user exists in both places, and I can run 'getent passwd' and 'getent group' and see both local and LDAP users/groups.
I am having a terrible time troubleshooting this, and wonder if someone might have an idea about what's going on, or point me in the right direction.
Best,
Steve Olszewski
10 years, 8 months
Re: Access denied consumer replication (OpenLDAP+Kerberos)
by Daniel Lopes de Carvalho
Hi Quanah. Thanks for your reply!
I was following this link to configure the provider/consumer:
http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php.
Under item "2. Kerberos client install", at the end, I was guided to
create a principal starting with ldap/dns02... But... I created 3
principals: host/dns02... ldap/dns02.. and ldaps/dns02...
And under item "8. Provider modifications" I was instructed to map
uid=ldap/... to ou=consumers
# 1.2.1.
add: olcAuthzRegexp
olcAuthzRegexp: uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
cn=$1,ou=consumers,dc=example,dc=com
I deleted the principals host/dns02... and ldaps/dns02... and the
replication started to work.
Thanks very much!
Daniel
--
Daniel Lopes de Carvalho
dlcarvalho(a)gmail.com
daniellopescarvalho (skype)
19 9357-5618 (claro)
19 8251-6023 (tim)
On Thu, Oct 4, 2012 at 2:57 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho
> <dlcarvalho(a)gmail.com> wrote:
>
>> Hi
>>
>> I try to configure two openldap/kerberos servers (provider and
>> consumer), but I'm having some issues about replication. Under LDAP
>> log, I have many entries like this: "slap_access_allowed: search
>> access denied by none(=0)"
>>
>> These messages are related to consumer access to the Kerberos database
>> on provider and the kerberos database can't be replicated to the
>> consumer. The other data are replicated normally.
>>
>> These are the ACLs under the provider:
>> olcAccess: {0}to attrs=userPassword,shadowLastChange
>> by
>> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
>> dc=br" read
>> by anonymous auth by * none
>>
>> olcAccess: {1}to
>> dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>> by
>> dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
>> br" write
>> by
>> dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
>> br" read
>> by
>> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
>> dc=br" read by * none
>>
>> olcAccess: {2}to attrs=loginShell
>> by self write
>> by users read
>> by * none
>>
>> olcAccess: {3}to dn.base=""
>> by * read
>>
>> olcAccess: {4}to *
>> by users read
>> by * none
>
>
> This is the entity asking permission:
>
>
> Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
> "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
> (=0)
>
> This does not match
>
> by
> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>
> It looks like you put the host entry in the users tree and not the consumer
> tree.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
10 years, 8 months
Problem converting slapd.conf to cn=config format
by Patrick Lists
Hi all,
New to the list and (Open)LDAP so apologies if I'm missing the obvious.
I've gone through the Admin Guide and some other docs I found online but
I still have problems converting a slapd.conf to the cn=config format on
a CentOS 6.3 x86_64 box with openldap-2.4.23-26.el6_3.2
$ cat ~/slapd.conf.new
# general parameters
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
loglevel 296
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
password-hash {SSHA}
modulepath /usr/lib64/openldap
TLSCipherSuite HIGH
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
lastmod on
# databases
database config
rootdn "cn=admin,cn=config"
rootpw {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=admin,dc=example,dc=com" read
by * none
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
mode 600
checkpoint 512 30
cachesize 2097152
index uid pres,eq
index cn,sn,mail pres,eq,approx,sub
index objectClass eq
directory /var/lib/ldap
Steps I did:
# service slapd stop
# rm -rf /var/lib/ldap/*
# rm -rf /etc/openldap/slapd.d/*
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# echo "" | slapadd -v -d 448 -f ./slapd.conf.new
# slaptest -v -d 448 -f ./slapd.conf.new -F /etc/openldap/slapd.d
The last step just hangs and does not do anything even after waiting 45
minutes.
Anyone know what I'm doing wrong? Pointers most appreciated.
Thanks!
Patrick
10 years, 8 months
Access denied consumer replication (OpenLDAP+Kerberos)
by Daniel Lopes de Carvalho
Hi
I try to configure two openldap/kerberos servers (provider and
consumer), but I'm having some issues about replication. Under LDAP
log, I have many entries like this: "slap_access_allowed: search
access denied by none(=0)"
These messages are related to consumer access to the Kerberos database
on provider and the kerberos database can't be replicated to the
consumer. The other data are replicated normally.
These are the ACLs under the provider:
olcAccess: {0}to attrs=userPassword,shadowLastChange
by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
read
by anonymous auth by * none
olcAccess: {1}to
dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
write
by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
read
by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
read by * none
olcAccess: {2}to attrs=loginShell
by self write
by users read
by * none
olcAccess: {3}to dn.base=""
by * read
olcAccess: {4}to *
by users read
by * none
And below the ldap log snippet:
=> access_allowed: search access to
"cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
"objectClass" requested
Oct 4 12:00:29 dns01 slapd[1163]: => dn: [2]
ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] matched
Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] attr objectClass
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: access to entry
"cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
attr "objectClass" requested
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
"uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
(=0)
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat:
cn=krbadm,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat:
cn=krbkdc,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat:
ou=consumers,ou=ldap,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: *
Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] applying none(=0) (stop)
Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] mask: none(=0)
Oct 4 12:00:29 dns01 slapd[1163]: => slap_access_allowed: search
access denied by none(=0)
Oct 4 12:00:29 dns01 slapd[1163]: => access_allowed: no more rules
Can anyone help me?
Regards
Daniel
10 years, 8 months
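An added example, not from either message in this thread, that applies the olcAuthzRegexp quoted in the reply above to SASL/GSSAPI identities and tests the mapped DN against a dn.one="ou=consumers,..." clause like the one in the provider's ACL, to show why a host/ principal could never satisfy it; the example.com names are the quoted howto's, the sample identities are constructed, and DN case-normalisation is left out.

```shell
#!/bin/sh
# Apply the olcAuthzRegexp from the reply to SASL/GSSAPI identities and
# test the result against the dn.one="ou=consumers,..." ACL clause, to
# show why a host/ principal is never granted consumer access.  Added
# example, not from the original thread; sample identities constructed.
CONSUMERS='ou=consumers,dc=example,dc=com'

# Same pattern as the quoted olcAuthzRegexp (unescaped dots kept as the
# howto wrote them).  Only uid=ldap/<host>.example.com rewrites; anything
# else is returned unchanged, as slapd would leave it for later rules.
map_sasl_dn() {
    printf '%s\n' "$1" | sed -E \
        's#^uid=ldap/([^/.]+).example.com,cn=example.com,cn=gssapi,cn=auth$#cn=\1,'"$CONSUMERS"'#'
}

# dn.one matches entries exactly one level below the base: the DN must
# end in ",$CONSUMERS" and the remaining RDN must contain no comma.
# (slapd compares normalised DNs; this check is case-sensitive.)
matches_dn_one() {
    dn=$1
    case $dn in
        *",$CONSUMERS") rdn=${dn%",$CONSUMERS"} ;;
        *) return 1 ;;
    esac
    case $rdn in
        *,*|"") return 1 ;;
    esac
    return 0
}

# Replay the poster's situation: the ldap/ principal maps into
# ou=consumers and is accepted; host/ (or ldaps/) does not match the
# regexp, keeps its raw SASL DN (or whatever another rule maps it to,
# here ou=users) and is denied by "by * none".
for id in 'uid=ldap/dns02.example.com,cn=example.com,cn=gssapi,cn=auth' \
          'uid=host/dns02.example.com,cn=example.com,cn=gssapi,cn=auth'; do
    dn=$(map_sasl_dn "$id")
    if matches_dn_one "$dn"; then verdict=read; else verdict=none; fi
    echo "$id -> $dn : $verdict"
done
```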
Re: RE24 testing call #1 (OpenLDAP 2.4.33)
by devzero2000
No problem helping with this, but I am just curious.
Does a project like openldap really not have an automated buildbot
environment running on a checked-out VCS these days, with 6/7
buildslaves (or more)?
Best
2012/10/3, Quanah Gibson-Mount <quanah(a)zimbra.com>:
> If you know how to build OpenLDAP manually, and would like to participate
> in testing the next set of code for the 2.4.33 release, please do so.
>
> Generally, get the code for RE24:
>
> <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...>
>
> Configure & build.
>
> Execute the test suite (via make test) after it is built.
>
> Thanks!
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
--
Sent from my mobile device
10 years, 8 months
OpenLDAP and Indexing (when to use Slapindex)
by Emilio García
Hi there,
I know that after setting up a new index in slapd.conf all new entries I
add will be indexed (and you need to run slapindex for the old ones if you
have any), *but will they still be indexed if the entry is modified? (An
attribute is updated, for example).* I assume it will, won't it? So can
anyone confirm that I need to run slapindex just when I make a change in
slapd.conf?
Kind regards.
--
Cloudreach Limited is a limited company registered in England with registered number 06975407
The above terms reflect a potential business arrangement, are provided solely as a basis for further discussion,
and are not intended to be and do not constitute a legally binding obligation. No legally binding obligations
will be created, implied, or inferred until an agreement in final form is executed in writing by all parties involved.
This email may be confidential or privileged. If you received this communication by mistake, please don't forward
it to anyone else, please erase all copies and attachments, and please let us know that it has gone to the wrong person.
10 years, 8 months
Proper manual for proxy-cache configuring via cn=config
by Tio Teath
Looks like the '12.9.2.5. Example for slapd-config' section of the
'Administrator's Guide' contains invalid information.
First, it is impossible to initialize an hdb database with no olcSuffix
attribute. Second, the olcPcache attribute of the olcOverlay object contains
a 'dbd' entry, which, I suppose, instructs slapd to use the dbd back-end,
while in the section below a database with the hdb back-end is configured.
Anyway, I haven't managed to configure proxy-cache with any type of
back-end, so I have a question: does any working example exist for
configuring the proxy-cache via cn=config? None of the configurations I've
managed to google in the openldap mailing lists work for slapd
2.4.25.
10 years, 8 months