openldap-technical December 2012

openldap-technical@openldap.org

66 participants
73 discussions

Rewrite dn ?
by ST Wong 31 Dec '12

31 Dec '12

Hi, I'm newbie to openldap 2.4, and planning to setup an ldap proxy using ldap backend + remap overlay so that user can bind as cn=xxx,dc=my,dc=com, while at the backend ldap, the object looks like following: dn: uid=yyy,dc=my,dc=com objectclass: inetorgperson objectclass: dcobject cn=xxx uid=yyy mail=xxx(a)my.com ... Is it possible? Thanks a lot. Rgds

1 0

Admin user has two passwords
by Wiebe Cazemier 31 Dec '12

31 Dec '12

Hi, I tried changing the password for the admin user in my OpenLDAP tree, but now I can log in with both. When I do this: ldapsearch -vxZZH ldap://ldap.domain.tld/ -D "cn=admin,dc=domain,dc=tld" -W Entering a wrong password makes it fail, but entering the old or new password both work. I thought maybe it used the root account, so in an attempt to fix this, I tried setting the rootpw with this: # cat change-rootpw.ldif dn: olcDatabase={0}config,cn=config replace: olcRootPW olcRootPW: {SSHA}some hash ldapmodify -v -Y EXTERNAL -H ldapi:/// -f change-rootpw.ldif But that didn't fix it. I'm quite confused. Any help is appreciated. Regards, Wiebe

3 6

Re: Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing
by fal patel 29 Dec '12

29 Dec '12

Hi Bernd and Dieter, Thank you very much for your advice. Unfortunately, however, I still haven't succeeded in getting N-way MMR to work. So, to get it straight in my mind, I've written it up in 3 parts below -- (1) Problem Statement and Requirements, (2) My Implementation Attempt, and (3) Where It's Failing. (1) Problem Statement and Requirements: ============================== Need N-Way Multi-Master OpenLDAP Replication for 3 nodes. LDAP Writes are infrequent, but can occur to any of the 3 nodes. No need for high performance. No need for ACID transactions. There is no database or anything at all at present, so it's a clean slate for development. slapd.conf(5) will not be used at all. Only slapd-config will be used for configuring. The only back-end that will be used is bdb. The only replication mechanism is syncrepl in Provider Push mode of operation, ie., refreshAndPersist, which is initiated by a Consumer. (Consumer Pull mode of operation, ie. refreshOnly, will not be used at all.). So, once the Provider services the Consumer’s search request, Provider locally persists the synchronization search. There will be no maintaining of any Provider session log store. Thus only the Present phase of the refresh synchronization will be used. (not the Delete phase at all). Database creation will be performed off-line (to ensure database is not accessed while being created!). (not on-line). Thus the database creation tools that will be used are slapadd, slapcat, slaptest etc. (not ldapadd, ldapmodify etc.) In fact, there being no database to begin with, for slapadd I must use the "-b suffix" to specify which database to add entries to. slapadd -b bdb (not the "slapadd -n 0" parameter to specify the zero-th database.). (2) My Implementation Attempt: ========================== I have copy-pasted the exact text from the OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 "N-Way Multi-Master" (with my only changes being to my user variables), as follows: #################################### # mmr.ldif #################################### # This sets up the config database: dn: cn=config objectClass: olcGlobal cn: config olcServerID: 1 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: secret # second and third servers will have a different olcServerID obviously: dn: cn=config objectClass: olcGlobal cn: config olcServerID: 2 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: secret dn: cn=config objectClass: olcGlobal cn: config olcServerID: 3 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: secret # This sets up syncrepl as a provider (since these are all masters): dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/local/libexec/openldap olcModuleLoad: syncprov.la # Now we setup the first Master Node # (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls): URI1="ldap://ldap.node1.mycompany.com" URI2="ldap://ldap.node2.mycompany.com" URI3="ldap://ldap.node3.mycompany.com" dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 $URI1 olcServerID: 2 $URI2 olcServerID: 3 $URI3 dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 add: olcMirrorMode olcMirrorMode: TRUE # Now start up the Master and a consumer/s; # also add the above LDIF to the first consumer, second consumer etc. # It will then replicate cn=config. # You now have N-Way Multimaster on the config database. # We still have to replicate the actual data, not just the config; # so add to the master # (all active and configured consumers/masters will pull down this config, # as they are all syncing). # Also, replace all ${} variables with whatever is applicable to your setup: BACKEND=bdb BASEDN="dc=ldapservice,dc=hq,dc=mycompany,dc=com" MANAGERDN="cn=Admins,$BASEDN" PASSWD=secret dn: olcDatabase={1}$BACKEND,cn=config objectClass: olcDatabaseConfig objectClass: olc${BACKEND}Config olcDatabase: {1}$BACKEND olcSuffix: $BASEDN olcDbDirectory: ./db olcRootDN: $MANAGERDN olcRootPW: $PASSWD olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov # Note: All of your servers' clocks must be tightly synchronized using e.g. NTP. # Note: URLs specified in olcSyncRepl directives are the servers URLs to replicate from. # These must exactly match the URLs slapd listens on (-h in Command-Line Options). # Otherwise slapd may attempt to replicate from itself, causing a loop. (3) Where It's Failing: ================= I first executed the following: slapadd -v -F /usr/local/etc/openldap/slapd.d -b bdb -l mmr.ldif But that was a fiasco, saying "slapadd: slap_init invalid suffix ("bdb") ". So I suppose I must create the database beforehand? So then I created the database (by running slapd using slapd.conf with "database config" and "rootpw config" directives commented out); then I stopped the slapd service and executed the following: slapadd -v -F /usr/local/etc/openldap/slapd.d -n 0 -l mmr.ldif That failed too, saying "slapadd: could not add entry dn="cn=config" (line=1)". So then I tried: slapadd -v -F /usr/local/etc/openldap/slapd.d -n 1 -l mmr.ldif That failed too, saying "slapadd: database doesn't support necessary operations". So then I tried: slapadd -v -F /usr/local/etc/openldap/slapd.d -n 2 -l mmr.ldif That failed too, saying "slapadd: line 1: database #2 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)?". Of course, when I try any other number for n it says "Database number selected via -n is out of range. Must be in the range 0 to 2 (the number of configured databases)." So, my question is: How in the world do I configure my database #0 to also include my database #2 entities? Or, alternatively, how do I configure my database #2 to also hold "cn=config"? There is an old OpenLDAP.org blog which summarises how, but doesn't describe any execution steps at all: http://blog.suretecsystems.com/archives/40-OpenLDAP-Weekly-News-Issue-5.html " *Multi-Master Replication configuration example:* This has been asked for a few times now, so I'm putting an example here for use with OpenLDAP 2.4.6, which will then be part of the main docs<http://www.openldap.org/doc> This is adapted from test050-syncrepl-multimaster<http://www.openldap.org/devel/cvsweb.cgi/tests/scripts/test050-syncrepl-mul…> A proper writeup will be in the admin guide<http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master>soon, I promise [image: ;-)] Right, the following is all in LDIF<http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format>format and you *slapadd* them to your *cn=config* on the amount of Master nodes you have/want (using *slappasswd* of course): This sets up the config database: " I really urgently need your help with this, please. I thoroughly appreciate your help so far. Thanks Fal On Fri, Dec 28, 2012 at 9:18 AM, fal patel <fal0patel(a)gmail.com> wrote: > > > ---------- Forwarded message ---------- > From: Bernd May <bernd(a)net.t-labs.tu-berlin.de> > Date: Fri, Dec 28, 2012 at 5:07 AM > Subject: Re: Multi-Master OpenLDAP Replication for 3 nodes -- slapadd > command failing > To: openldap-technical(a)openldap.org > > > From the manpage of slapadd: > > '-n dbnum Add entries to the dbnum-th database listed in the > configuration file. The -n cannot be used in conjunction with the -b > option. To populate the config database slapd-config(5), use -n 0 as it > is always the first database. It must physically exist on the > filesystem prior to this, however.' > > hth > > On 28.12.2012 09:14, fal patel wrote: > > Hi Dieter, > > > > Thank you very much, but even though I spent all day trying to figure out > > the problem I could not make any progress at all. > > > > The mmr_servers.ldif file I provided is an *exact* copy of the OpenLDAP > 2.4 > > Administrator's Guide Section 18.3.3 "N-Way Multi-Master", so if it is > not > > working it has to be a documentation error/bug in that section of the > > Administrator's Guide itself. > > Or is it the case that the variables I'm setting therein are wrong? > > > > Here are the variable values I'm setting: > > ============================ > > # Also, replace all ${} variables with whatever is applicable to your > setup: > > BACKEND=bdb > > BASEDN="dc=ldapservice,dc=hq,dc=mycompany,dc=com" > > MANAGERDN="cn=admin,$BASEDN" > > PASSWD=secret > > > > > > The slapd.conf file also is the *exact* same one that gets created at > > install-time in /usr/local/etc/openldap/ , with the only change being my > > "BDB database definitions" customisations as follows: > > ####################################################################### > > # BDB database definitions > > ####################################################################### > > > > ## added for multimaster replication (prior to running slapadd to create > > db): > > database bdb > > # suffix <DN of root of subtree you are trying to create> > > suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com" > > rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com" > > rootpw secret > > # directory for index files > > directory /usr/local/var/openldap-data > > # specify which indices you want to build > > index objectClass eq > > # loglevel 64 > > > > > > Whatever I try, however, slapadd gives the same error: > > ======================================= > > ubuntu11@ubuntu11:~$ sudo slapadd -l > > /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f > > /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d > > 50dd4b2a bdb_monitor_db_open: monitoring disabled; configure monitor > > database to enable > > slapadd: line 1: database #1 > > (dc=ldapservice,dc=hq,dc=practicefusion,dc=com) not configured to hold > > "cn=config"; did you mean to use database #0 (cn=config)? > > _ 3.25% eta none elapsed none spd > 833.5 > > k/s > > Closing DB... > > > > > > I didn't quite understand your instructions either: > > ================================== > > "cn=config has to be database number 0, that > > is, the first database declaration must be cn=config." > > > > In mmr_servers.ldif, the very first line is > > dn: cn=config > > > > How do I cause cn=config to be database number 0 , please? > > > > And why should I have to, unless the text in OpenLDAP 2.4 Administrator's > > Guide, Section 18.3.3 "N-Way Multi-Master" has a bug? > > > > Could you please advise? I am completely stuck. > > > > Thank you very much. > > > > Fal > > > > > > > > On Thu, Dec 27, 2012 at 3:54 AM, Dieter Klünter <dieter(a)dkluenter.de> > wrote: > > > >> Am Thu, 27 Dec 2012 02:22:18 -0800 > >> schrieb fal patel <fal0patel(a)gmail.com>: > >> > >>> Oops -- forgot to enter subject-line! > >>> > >>> > >>> On Thu, Dec 27, 2012 at 2:11 AM, fal patel <fal0patel(a)gmail.com> > >>> wrote: > >>> > >>>> Hello, > >>>> > >>>> I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 > >>>> nodes, but it's not working. > >> [...] > >>>> > >>>> (1) The slapadd command, I execute, and the error message I get: > >>>> ================================================ > >>>> sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f > >>>> /usr/local/etc/openldap/slapd.conf > >>>> -F /usr/local/etc/openldap/slapd.d [sudo] password for ubuntu11: > >>>> 50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor > >>>> database to enable > >>>> slapadd: line 1: database #1 > >>>> (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold > >>>> "cn=config"; did you mean to use database #0 (cn=config)? > >>>> _ 2.58% eta none elapsed none > >> > >> This error is quite clear, cn=config has to be database number 0, that > >> is, the first database declaration must be cn=config. > >> This is probably due to including a slapd.conf file with a database > >> declaration. > >> > >> -Dieter > >> > >> -- > >> Dieter Klünter | Systemberatung > >> http://dkluenter.de > >> GPG Key ID:DA147B05 > >> 53°37'09,95"N > >> 10°08'02,42"E > >> > >> > > > > -- > Technische Universität Berlin - FGINET > > Bernd May > > System Administration > An-Institut Deutsche Telekom Laboratories > Sekr. TEL 16 > Ernst-Reuter-Platz 7 > 10587 BERLIN > GERMANY > > Mobile: 0160/90257737 > E-Mail: bernd(a)net.t-labs.tu-berlin.de (T-Labs work) > WWW: net.t-labs.tu-berlin.de > > > >

2 1

Forcing TLS encryption
by Wiebe Cazemier 28 Dec '12

28 Dec '12

Hi, I'm trying to get slapd to reject non-encrypted connections, but nowhere can I find how you configure it to *only* accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump). Normally, I would just close the non-SSL port with IP tables, but using the SSL port is deprecated, apparently, so I don't have that option. So, with the cn=config SSL configuration commands, like this: dn: cn=config changetype:modify replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/bla.key - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/bla.crt - replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/ca.pem Is there a param for forcing TLS? I tried: dn: cn=config changetype: modify replace: olcTLSCipherSuite olcTLSCipherSuite: TLSv1+RSA:!NULL but it doesn't work; the server doesn't start. Debug output: TLS: could not set cipher list TLSv1+RSA:!NULL. main: TLS init def ctx failed: -1 slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. Nor does "olcTLSCipherSuite: HIGH" work. I looked in the openldap source code, but even there, I can't find how to do it. Slapd: 2.4.21-0ubuntu5.7 Ubuntu: Ubuntu 10.04.4 LTS Thanks, Wiebe Cazemier

5 8

add posixAccount to back-sql definition
by DavidHornung 28 Dec '12

28 Dec '12

Hello, up to now i used inetOrgPerson from the docs to auth my users via LDAP/back-sql. but in inetOrgPerson isnt a uid defined so the Object Class posixAccount would fit better. I created a table which represents the posixAccount - minimal I need uid and password. the entity integer refers to id's of table persons with mobliePhone, mail, etc. CREATE TABLE net_accounts ( id serial NOT NULL, entity integer NOT NULL, password character varying NOT NULL, uid character varying NOT NULL, CONSTRAINT "net_accounts_pkey" PRIMARY KEY (id , uid ) ) I plan to use this posixAccount to auth with Mailserver, Intranet and all other services ... How to modify the example in the docs to do this ? Thank you! David

1 0

Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing
by fal patel 28 Dec '12

28 Dec '12

Oops -- forgot to enter subject-line! On Thu, Dec 27, 2012 at 2:11 AM, fal patel <fal0patel(a)gmail.com> wrote: > Hello, > > I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes, > but it's not working. > > Specifically, per The OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 > "N-Way Multi=Master", I have created the following LDIF file and slapd.conf > file, but when I run slapadd to create my config database it fails. > > Could you please advise? > > Thank you very much. > > Fal > > (1) The slapadd command, I execute, and the error message I get: > ================================================ > sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f > /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d > [sudo] password for ubuntu11: > 50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor > database to enable > slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) > not configured to hold "cn=config"; did you mean to use database #0 > (cn=config)? > _ 2.58% eta none elapsed none spd 1.1 > M/s > Closing DB... > > > > (2) My LDIF File, mmr-servers.ldif > ========================= > # This sets up the config database: > dn: cn=config > objectClass: olcGlobal > cn: config > olcServerID: 1 > > dn: olcDatabase={0}config,cn=config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcRootPW: secret > > # second and third servers will have a different olcServerID obviously: > dn: cn=config > objectClass: olcGlobal > cn: config > olcServerID: 2 > > dn: olcDatabase={0}config,cn=config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcRootPW: secret > > dn: cn=config > objectClass: olcGlobal > cn: config > olcServerID: 3 > > dn: olcDatabase={0}config,cn=config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcRootPW: secret > > # This sets up syncrepl as a provider (since these are all masters): > dn: cn=module,cn=config > objectClass: olcModuleList > cn: module > olcModulePath: /usr/local/libexec/openldap > olcModuleLoad: syncprov.la > > # Now we setup the first Master Node > # (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls): > dn: cn=config > changetype: modify > replace: olcServerID > ## olcServerID: 1 $URI1 > > olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com > ## olcServerID: 2 $URI2 > olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com > ## olcServerID: 3 $URI3 > olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com > > dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config > changetype: add > objectClass: olcOverlayConfig > objectClass: olcSyncProvConfig > olcOverlay: syncprov > > dn: olcDatabase={0}config,cn=config > changetype: modify > add: olcSyncRepl > olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple > credentials=secret searchbase="cn=config" type=refreshAndPersist > retry="5 5 300 5" timeout=1 > olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple > credentials=secret searchbase="cn=config" type=refreshAndPersist > retry="5 5 300 5" timeout=1 > olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple > credentials=secret searchbase="cn=config" type=refreshAndPersist > retry="5 5 300 5" timeout=1 > > add: olcMirrorMode > olcMirrorMode: TRUE > > # Now start up the Master and a consumer/s; > # also add the above LDIF to the first consumer, second consumer etc. > # It will then replicate cn=config. > # You now have N-Way Multimaster on the config database. > > # We still have to replicate the actual data, not just the config; > # so add to the master > # (all active and configured consumers/masters will pull down this config, > # as they are all syncing). > # Also, replace all ${} variables with whatever is applicable to your > setup: > dn: olcDatabase={1}$BACKEND,cn=config > objectClass: olcDatabaseConfig > objectClass: olc${BACKEND}Config > olcDatabase: {1}$BACKEND > olcSuffix: $BASEDN > olcDbDirectory: ./db > olcRootDN: $MANAGERDN > olcRootPW: $PASSWD > olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited > size.soft=unlimited olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" > bindmethod=simple > credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly > interval=00:00:00:10 retry="5 5 300 5" timeout=1 > olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple > credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly > interval=00:00:00:10 retry="5 5 300 5" timeout=1 > olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple > credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly > interval=00:00:00:10 retry="5 5 300 5" timeout=1 > olcMirrorMode: TRUE > > dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config > changetype: add > objectClass: olcOverlayConfig > objectClass: olcSyncProvConfig > olcOverlay: syncprov > > # Note: All of your servers' clocks must be tightly synchronized using > e.g. NTP. > # Note: URLs specified in olcSyncRepl directives are the servers URLs to > replicate from. > # These must exactly match the URLs slapd listens on (-h in Command-Line > Options). > # Otherwise slapd may attempt to replicate from itself, causing a loop. > > > > (3) My slapd.conf file: > ================ > # > # See slapd.conf(5) for details on configuration options. > # This file should NOT be world readable. > # > include /usr/local/etc/openldap/schema/core.schema > > # Define global ACLs to disable default read access. > > # Do not enable referrals until AFTER you have a working directory > # service AND an understanding of referrals. > #referral ldap://root.openldap.org > > pidfile /usr/local/var/run/slapd.pid > argsfile /usr/local/var/run/slapd.args > > # Load dynamic backend modules: > # modulepath /usr/local/libexec/openldap > # moduleload back_bdb.la > # moduleload back_hdb.la > # moduleload back_ldap.la > > # Sample security restrictions > # Require integrity protection (prevent hijacking) > # Require 112-bit (3DES or better) encryption for updates > # Require 63-bit encryption for simple bind > # security ssf=1 update_ssf=112 simple_bind=64 > > # Sample access control policy: > # Root DSE: allow anyone to read it > # Subschema (sub)entry DSE: allow anyone to read it > # Other DSEs: > # Allow self write access > # Allow authenticated users read access > # Allow anonymous users to authenticate > # Directives needed to implement policy: > # access to dn.base="" by * read > # access to dn.base="cn=Subschema" by * read > # access to * > # by self write > # by users read > # by anonymous auth > # > # if no access controls are present, the default policy > # allows anyone and everyone to read anything but restricts > # updates to rootdn. (e.g., "access to * by * read") > # > # rootdn can always read and write EVERYTHING! > > ####################################################################### > # BDB database definitions > ####################################################################### > ## database bdb > ## suffix "dc=my-domain,dc=com" > ## rootdn "cn=Manager,dc=my-domain,dc=com" > # Cleartext passwords, especially for the rootdn, should > # be avoid. See slappasswd(8) and slapd.conf(5) for details. > # Use of strong authentication encouraged. > ## rootpw secret > # The database directory MUST exist prior to running slapd AND > # should only be accessible by the slapd and slap tools. > # Mode 700 recommended. > ## directory /usr/local/var/openldap-data > # Indices to maintain > ## index objectClass eq > > ## added for multimaster replication (prior to running slapadd to create > db): > database bdb > # suffix <DN of root of subtree you are trying to create> > suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com" > rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com" > rootpw secret > # directory for index files > directory /usr/local/var/openldap-data > # specify which indices you want to build > index objectClass eq > # loglevel 64 > > > > I have these additional questions also, please: > * It's "refreshAndPersist" Provider Push replication I want to implement, > not "refreshOnly" Consumer Poll Pull. > So in my mmr-servers.ldif file, can/should I change all the "refreshOnly" > clauses in the Data Replication part to "refreshAndPersist"? > > * In the above LDIF file, in both the Config Replication section and the > Data Replication section, why does it add MirrorMode and set it to True? > It's N-Way Multi-Master replication I want to implement, not Mirror-Mode > replication, so can/should I get rid of all those "Mirror Mode" clause > statements? > > Thank you once again. > >

3 4

db_recover gives program version mismatch
by anil beniwal 27 Dec '12

27 Dec '12

Hi I am getting belwo errors when i run db_recover on rhel 6.3 64 bit. [root@mmprodam01 data-ldap]# /apps/db4/bin/db_recover -h /apps/openldap/var/openldap-data/ db_recover: Program version 4.7 doesn't match environment version 4.8 db_recover: Unacceptable log file /apps/openldap/var/openldap-data/log.0000000001: unsupported log version 16 db_recover: Invalid log file: log.0000000001: Invalid argument db_recover: PANIC: Invalid argument db_recover: process-private: unable to find environment db_recover: DB_ENV->open: DB_RUNRECOVERY: Fatal error, run database recovery I have installed berkely db in /apps/db4 with simple prefix=/apps/db4 i am getting this error everytime i run any db_xxx command. [root@mmprodam01 data-ldap]# rpm -qa | grep db4 db4-4.7.25-17.el6.x86_64 db4-utils-4.7.25-17.el6.x86_64 Its still taking db4.7 . Any help would be great. Let me know in case further details are required. -- Thanks&Regards Anil Beniwal

3 6

Re: How to force password change upon account creation
by Dan White 27 Dec '12

27 Dec '12

On 12/27/12 14:24 -0600, Kyle(a)TheHarrisHome.com wrote: >Hi Dan, > >Thank you for your response. I am using CentOS 6.3, OpenLDAP 2.4 and sssd >1.8 as the pam module. Hope that helps as I still can't quite figure it >out, and thank you again. You should see if sssd contains the logic to make use of the ppolicy related attributes. If not, you should configure the appropriate shadowAccount attributes instead. >-----Original Message----- >From: Dan White [mailto:dwhite@olp.net] >Sent: Sunday, December 23, 2012 6:43 PM >To: Kyle Harris >Cc: openldap-technical(a)openldap.org >Subject: Re: How to force password change upon account creation > >On 12/23/12 17:33 -0600, Kyle Harris wrote: >>Hello All, >> >>I have a perl script that allows for the creation of new accounts in >>OpenLDAP. I am attempting to find a way to force the newly created >>user to change his or her password upon first login. I tried setting >>the attribute pwdMustChange to TRUE but that attribute must not be >>definable upon user creation. So, how can this be accomplished so that >>a new user is forced to change passwords after they first log on? > >By 'log in' I assume you're asking about shell access to your system, which >makes use of an ldap pam module to authenticate users. If so, the function >of prompting users to change their password will be handled by that piece of >software, and you should consult the documentation distributed with it. > >If that's not the case, please clarify your authentication scenario. -- Dan White

1 0

Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing
by fal patel 27 Dec '12

27 Dec '12

Oops -- forgot to add subject-line! ---------- Forwarded message ---------- From: fal patel <fal0patel(a)gmail.com> Date: Thu, Dec 27, 2012 at 2:11 AM Subject: To: openldap-technical(a)openldap.org Cc: fal patel <fal0patel(a)gmail.com>

1 0

(no subject)
by fal patel 27 Dec '12

27 Dec '12

Hello, I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes, but it's not working. Specifically, per The OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 "N-Way Multi=Master", I have created the following LDIF file and slapd.conf file, but when I run slapadd to create my config database it fails. Could you please advise? Thank you very much. Fal (1) The slapadd command, I execute, and the error message I get: ================================================ sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d [sudo] password for ubuntu11: 50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)? _ 2.58% eta none elapsed none spd 1.1 M/s Closing DB... (2) My LDIF File, mmr-servers.ldif ========================= # This sets up the config database: dn: cn=config objectClass: olcGlobal cn: config olcServerID: 1 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: secret # second and third servers will have a different olcServerID obviously: dn: cn=config objectClass: olcGlobal cn: config olcServerID: 2 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: secret dn: cn=config objectClass: olcGlobal cn: config olcServerID: 3 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: secret # This sets up syncrepl as a provider (since these are all masters): dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/local/libexec/openldap olcModuleLoad: syncprov.la # Now we setup the first Master Node # (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls): dn: cn=config changetype: modify replace: olcServerID ## olcServerID: 1 $URI1 olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com ## olcServerID: 2 $URI2 olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com ## olcServerID: 3 $URI3 olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 add: olcMirrorMode olcMirrorMode: TRUE # Now start up the Master and a consumer/s; # also add the above LDIF to the first consumer, second consumer etc. # It will then replicate cn=config. # You now have N-Way Multimaster on the config database. # We still have to replicate the actual data, not just the config; # so add to the master # (all active and configured consumers/masters will pull down this config, # as they are all syncing). # Also, replace all ${} variables with whatever is applicable to your setup: dn: olcDatabase={1}$BACKEND,cn=config objectClass: olcDatabaseConfig objectClass: olc${BACKEND}Config olcDatabase: {1}$BACKEND olcSuffix: $BASEDN olcDbDirectory: ./db olcRootDN: $MANAGERDN olcRootPW: $PASSWD olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov # Note: All of your servers' clocks must be tightly synchronized using e.g. NTP. # Note: URLs specified in olcSyncRepl directives are the servers URLs to replicate from. # These must exactly match the URLs slapd listens on (-h in Command-Line Options). # Otherwise slapd may attempt to replicate from itself, causing a loop. (3) My slapd.conf file: ================ # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_hdb.la # moduleload back_ldap.la # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### ## database bdb ## suffix "dc=my-domain,dc=com" ## rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. ## rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. ## directory /usr/local/var/openldap-data # Indices to maintain ## index objectClass eq ## added for multimaster replication (prior to running slapadd to create db): database bdb # suffix <DN of root of subtree you are trying to create> suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com" rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com" rootpw secret # directory for index files directory /usr/local/var/openldap-data # specify which indices you want to build index objectClass eq # loglevel 64 I have these additional questions also, please: * It's "refreshAndPersist" Provider Push replication I want to implement, not "refreshOnly" Consumer Poll Pull. So in my mmr-servers.ldif file, can/should I change all the "refreshOnly" clauses in the Data Replication part to "refreshAndPersist"? * In the above LDIF file, in both the Config Replication section and the Data Replication section, why does it add MirrorMode and set it to True? It's N-Way Multi-Master replication I want to implement, not Mirror-Mode replication, so can/should I get rid of all those "Mirror Mode" clause statements? Thank you once again.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2012