Way to email users when their password is about to expire?
by Kline, Sara
Hey all,
Our OpenLDAP environment is up and functional and is working great. I was asked if there is a way to have the server email users when their account password is about to expire. For instance, 7 days before expiration they get an email that lets them know their password will expire on date x. Is there functionality within OpenLDAP to do this, or has anyone written a script that would do it?
We are using the policy overlay to enforce the password policy.
Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495
11 years, 7 months
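A script of the kind asked about above has to derive the expiry itself from the ppolicy attributes. The following is an added example (not from the post and not OpenLDAP's own code): it performs that core computation for a 7-day warning window, with the LDAP search and mail delivery left to the caller, and with the entries, the pwdMaxAge value and the clock constructed as sample data.

```python
"""Find accounts whose ppolicy-managed password expires within N days.
Added example, not from the original post. Expiry is pwdChangedTime (an
operational attribute, so request it explicitly in the search) plus the
policy's pwdMaxAge in seconds. The search and the mail step are left to the
caller; SAMPLE_ENTRIES is constructed data shaped like a search result."""
from datetime import datetime, timedelta, timezone

def parse_generalized_time(value):
    """LDAP GeneralizedTime like 20120128120000Z (fraction allowed) -> UTC datetime."""
    core = value.rstrip("Z").split(".")[0]
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expiry_time(pwd_changed_time, pwd_max_age):
    """The password stops working pwdMaxAge seconds after it was last changed."""
    return parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_max_age)

def classify(entries, pwd_max_age, warn_days, now):
    """Return ({uid: days_left} to warn, [uid] already expired).
    Entries without pwdChangedTime are skipped: ppolicy never expires a
    password whose change it has not recorded."""
    warn, expired = {}, []
    for entry in entries:
        changed = entry.get("pwdChangedTime")
        if not changed:
            continue
        days_left = (expiry_time(changed, pwd_max_age) - now).days
        if days_left < 0:
            expired.append(entry["uid"])
        elif days_left <= warn_days:
            warn[entry["uid"]] = days_left
    return warn, expired

def notice(entry, pwd_max_age, days_left):
    """Plain-text body for the warning mail (delivery is up to the caller)."""
    when = expiry_time(entry["pwdChangedTime"], pwd_max_age).strftime("%Y-%m-%d %H:%M UTC")
    return "%s: your password expires in %d day(s), on %s." % (entry["uid"], days_left, when)

# Constructed sample, as returned by a search for uid, mail and pwdChangedTime.
SAMPLE_ENTRIES = [
    {"uid": "alice", "mail": "alice@example.com", "pwdChangedTime": "20120128120000Z"},
    {"uid": "bob", "mail": "bob@example.com", "pwdChangedTime": "20120410120000Z"},
    {"uid": "carol", "mail": "carol@example.com"},  # never changed: no expiry
    {"uid": "dave", "mail": "dave@example.com", "pwdChangedTime": "20120101120000Z"},
]
PWD_MAX_AGE = 90 * 24 * 3600  # pwdMaxAge from the policy entry (90 days)
NOW = datetime(2012, 4, 23, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
```

Accounts that are already expired are reported separately, since a "expires in -23 days" mail is a different event from a warning and usually goes to the administrator rather than the user.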
mismatch between slapd.conf and olcDatabase
by Nagaraj Panyam
Hi,
This is a question from an absolute novice.
I just installed openldap (RHEL 6.1), created a config file with
suffix "dc=example, dc=com"
and started up slapd.
However, the value of "dc" in the olcDatabase files remains
"dc=my-domain,dc=com".
How does one remove this mismatch?
Secondly, how does one see the contents of /var/lib/ldap/log.0000000001?
Thanks a lot for the support.
-
Raj
11 years, 7 months
syncrepl issue not replicating all changes
by Mark Coetser
Hi Guys
debian stable
openldap 2.4.23-7.2
I have multiple consumers with a single provider. When making changes
to the provider, i.e. creating a new user, sometimes the change doesn't
propagate to all the consumers: some have the correct entries and some
don't. If I then compare the contextCSN on both the provider and the
consumer, it is identical on the consumers with the missing entry. The
only way I can then resync is by shutting down openldap on the consumer,
deleting the tree and restarting, which then syncs the directory with the
missing entry.
How would I go about troubleshooting this issue? Or am I missing
something simple? Any help would be appreciated.
--
Thank you,
11 years, 7 months
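One troubleshooting step for the symptom described above is to compare not just the contextCSN values but the entryUUID sets of provider and consumer, since an identical contextCSN only shows that the consumer saw the same last change. The following is an added example (not from the post) that does both on constructed sample output.

```python
"""Check a syncrepl consumer against its provider.
Added example, not from the original post. A contextCSN has the form
<YYYYmmddHHMMSS>.<usec>Z#<count>#<sid>#<mod>, one per server ID in a
multi-provider context. Equal contextCSNs only show the consumer saw the
same last change; the entryUUID sets show whether it really holds every
entry. All values below are constructed sample data."""
import re

CSN_RE = re.compile(r"(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})")

def parse_csn(csn):
    """Split a CSN into (timestamp, usec, count, sid, mod); hex fields become ints."""
    m = CSN_RE.fullmatch(csn.strip())
    if not m:
        raise ValueError("malformed contextCSN: %r" % csn)
    ts, usec, count, sid, mod = m.groups()
    return ts, int(usec), int(count, 16), int(sid, 16), int(mod, 16)

def csn_by_sid(csns):
    """Index one server's contextCSN values by the server ID each belongs to."""
    out = {}
    for csn in csns:
        ts, usec, count, sid, mod = parse_csn(csn)
        out[sid] = (ts, usec, count, mod)  # tuple order makes '<' mean 'older'
    return out

def lagging_sids(provider_csns, consumer_csns):
    """Server IDs for which the consumer has no CSN, or an older one than the provider."""
    prov, cons = csn_by_sid(provider_csns), csn_by_sid(consumer_csns)
    return sorted(sid for sid, v in prov.items() if sid not in cons or cons[sid] < v)

def missing_entries(provider_uuids, consumer_uuids):
    """entryUUIDs present on the provider but absent from the consumer."""
    return sorted(set(provider_uuids) - set(consumer_uuids))

# Constructed sample reproducing the symptom: contextCSN identical on both
# sides, yet the consumer lacks one entry. Real values come from, per server,
#   ldapsearch -b <suffix> -s base contextCSN
#   ldapsearch -b <suffix> '(objectClass=*)' entryUUID
PROVIDER_CSN = ["20120423081500.123456Z#000000#001#000000"]
CONSUMER_CSN = ["20120423081500.123456Z#000000#001#000000"]
STALE_CONSUMER_CSN = ["20120423080000.000000Z#000000#001#000000"]
PROVIDER_UUIDS = ["2d1f0a2e-aaaa-1031-9f00-000000000001",
                  "2d1f0a2e-aaaa-1031-9f00-000000000002",
                  "2d1f0a2e-aaaa-1031-9f00-000000000003"]
CONSUMER_UUIDS = ["2d1f0a2e-aaaa-1031-9f00-000000000001",
                  "2d1f0a2e-aaaa-1031-9f00-000000000003"]
```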
Fwd: Re: getent passwd doesn't show ldap user
by stefano malini
any ideas?
-------- Original Message --------
Subject: Re: getent passwd doesn't show ldap user
Date: Mon, 23 Apr 2012 12:20:03 +0200
From: stefano malini <lozingalo(a)gmail.com>
To: openldap-technical(a)openldap.org
hi,
I installed openldap and configured nslcd.conf and nsswitch.conf.
At the moment getent passwd doesn't show ldap users.
I created a user nslcd_proc for nslcd lookups.
This user belongs to the System organizationalUnit.
You can see some checks below.
FIRST SHELL
nslcd -d
nslcd: DEBUG: add_uri(ldap://localhost:389)
nslcd: version 0.7.15 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(107) done
nslcd: DEBUG: setuid(105) done
nslcd: accepting connections
SECOND SHELL: getent passwd-->shows only local users
FIRST SHELL shows:
nslcd: [8b4567] DEBUG: connection from pid=2055 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_all()
nslcd: [8b4567] DEBUG: myldap_search(base="dc=amahoro,dc=bi", filter="(objectClass=posixAccount)")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://localhost:389)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("uid=nslcd_proc,ou=System,dc=amahoro,dc=bi","***") (uri="ldap://localhost:389")
nslcd: [8b4567] ldap_result() failed: No such object
These are the permissions of the nslcd files and folder:
ls -ld /etc/nslcd.conf /var/run/nslcd/ /var/run/nslcd/*
-rw-r----- 1 root nslcd 635 Apr 21 11:54 /etc/nslcd.conf
drwxr-xr-x 2 nslcd nslcd 4096 Apr 21 11:55 /var/run/nslcd/
-rw-r--r-- 1 root root 5 Apr 21 11:55 /var/run/nslcd/nslcd.pid
srw-rw-rw- 1 root root 0 Apr 21 11:55 /var/run/nslcd/socket
Opening /var/run/nslcd/socket it shows:
Error reading /var/run/nslcd/socket: No such device or address
nslcd.conf and slapd.conf follow.
__________________________________________________________________
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost:389
# The search base that will be used for all queries.
base dc=amahoro,dc=bi
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
binddn uid=nslcd_proc,ou=System,dc=amahoro,dc=bi
bindpw *****
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
___________________________________________________________________
slapd.conf
#Basics
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel trace
modulepath /usr/lib/ldap
moduleload back_hdb
#Database Configuration
backend hdb
database hdb
suffix "dc=amahoro,dc=bi"
rootdn "cn=Manager,dc=amahoro,dc=bi"
rootpw {SSHA}zH2A+jeSlbl2/UcAXm596KPV4IB/R6x9
directory /var/lib/ldap
index objectClass,cn eq
#ACLs
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to *
by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read
by self write
by * none
Please, do you have some ideas?
thanks
11 years, 7 months
slapd crash in slap_listener
by Stefan Wold
Hi!
It seems slapd crashes when it's hammered with ~30 simultaneous connections in our test environment. Each client connecting to the server runs "ldapsearch -YGSSAPI -H ldap://ldap.example.com uid=user". In earlier versions of openldap we noticed crashes in SASL with the same setup; however, that doesn't seem to happen anymore. The test server is running openldap 2.4.28 on Ubuntu 12.04. After a while slapd segfaults with the following backtrace:
(gdb) bt
#0 0x00007f8577401445 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f8577404bab in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f85773fa10e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f85773fa1b2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f8578cf17e0 in slap_listener (sl=0x7f857978b2e0) at ../../../../servers/slapd/daemon.c:1890
#5 0x00007f8578cf17f9 in slap_listener_thread (ctx=<optimized out>, ptr=0x7f857978b2e0) at ../../../../servers/slapd/daemon.c:2092
#6 0x00007f85788579aa in ldap_int_thread_pool_wrapper (xpool=0x7f85797c8c80) at ../../../../libraries/libldap_r/tpool.c:685
#7 0x00007f857778fe9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#8 0x00007f85774bd4bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#9 0x0000000000000000 in ?? ()
For a full bt:
https://gist.github.com/112c3bf7a98a5df69907
Let me know if anything else is needed.
--
Sincerely
Stefan Wold
IT-services, Stockholm University
11 years, 7 months
Configuring Proxy on Master Master replication set issues - openldap version 2.4.23
by Bhargav Mistry
Hi,
I have 2 sets of servers and each set contains 2 servers. I have set up n-way multi-master replication per set.
FirstMaster-1 <-- --> FirstMaster-2 - set1
SecondMaster-1 <-- --> SecondMaster-2 - set2
There is no replication between set1 and set2. Set 2 is inside a service network, so in order to set up replication on set 2 I am trying to set up a proxy on FirstMaster-1 which will point to SecondMaster-1, and on FirstMaster-2 which will point to SecondMaster-2. I tried to google it but I didn't find anybody doing it for version 2.4.23.
I am able to set up a standalone proxy and configure it, but I want to do it on the master servers themselves.
I am trying to set up a proxy for the tree Cn=Manager, dc=my-domain,dc=com on both first masters, but in order to do that I have to create an ldap database with the same suffix and rootDN, correct, in order to set up replication for the ldap database? Ldap throws an error saying "dc=my-domain,dc=com" is already defined.
FirstMaster-1 : olcDatabase={3}ldap.ldif
dn: olcDatabase={3}ldap
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=ldap
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
structuralObjectClass: olcLDAPConfig
entryUUID: 633dcaac-1eb1-1031-884a-f7149142768b
creatorsName: cn=config
createTimestamp: 20120419212135Z
entryCSN: 20120419212135.686069Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20120419212135Z
olcSyncrepl: rid=000
provider=ldap://FirstMaster-1:389
binddn="cn=Manager,dc=my-domain,dc=com"
bindmethod=simple
credentials="secret"
searchbase="dc=my-domain,dc=com"
filter="(objectClass=*)"
scope=sub
schemachecking=off
type=refreshAndPersist
retry="5 5 300 5"
timeout=1
olcDbURI: ldap://SecondMaster-1.eng.qpass.net:389
olcDbACLBind: bindmethod=simple timeout=0 network-timeout=0 binddn="cn=Manager,dc=my-domain,dc=com" credentials="secret"
The above configuration gives me errors when I try to reload it, saying "dc=my-domain,dc=com" is already used by the preceding database (bdb). So how do I set up the proxy on the master itself?
Your help is appreciated.
Thanks.
Bhargav.
11 years, 7 months
slapd-ldap proxy database
by Ismael Gil
Hello all,
I'm trying to configure an ldap proxy to connect to a Windows Active Directory to get data.
My /etc/openldap/slapd.conf looks like this (the database definitions only):
# Our slapd-ldap back end to connect to AD
database ldap
suffix "cn=users,dc=XXX,dc=XXX"
#rootdn "cn=Administrador,dc=XXX,dc=XXX"
subordinate
lastmod off
rebind-as-user
uri "ldap://serverip/"
chase-referrals yes
database bdb
suffix "dc=XXX,dc=XXX"
rootdn "cn=Administrador,dc=XXX,dc=XXX"
#rootdn "dc=XXX,dc=XXX"
rootpw {SSHA}YYYYYYYYYYYYYYYYYyyy
With this config, I can only query the "users" directory on the Active Directory server, but I need to be able to query all OUs inside the Active Directory.
Why can I only get data from the users OU, instead of the whole Active Directory?
How could I proxy all my queries to the Active Directory server?
If I have an OU called "Bussines" in the Active Directory server, how could I make a database definition or other configuration to get that working?
Thanks in advance,
Ismaeleitor
11 years, 7 months
getent passwd doesn't show ldap user
by stefano malini
hi,
As said before, I reinstalled openldap and configured nslcd.conf and
nsswitch.conf.
At the moment getent passwd doesn't show ldap users.
As you can see below, I created a user nslcd_proc for nslcd lookups.
This user belongs to the System organizationalUnit.
nslcd.conf and slapd.conf follow (please take a look at the ACLs for
nslcd_proc):
------------------------------------------------------------------
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost:389
# The search base that will be used for all queries.
base dc=amahoro,dc=bi
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
binddn uid=nslcd_proc,ou=System,dc=amahoro,dc=bi
bindpw *****
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
------------------------------------------------------------------
slapd.conf ACLs:
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to *
by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read
by self write
by * none
thanks
11 years, 7 months
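The ACL block that appears in both of the "getent passwd" posts above can be checked mechanically. The following added example (not from the posts and not slapd's code) evaluates slapd access rules with slapd's first-match semantics and applies them to the posted block for the nslcd_proc bind DN; the target entry uid=jdoe is a constructed sample.

```python
"""Evaluate slapd ACLs the way slapd does: the first 'access to' clause whose
<what> matches is used, and inside it the first matching 'by' clause decides.
Added example, not from either post; it models only the forms the posted
slapd.conf uses and the OpenLDAP 2.4 privilege ordering."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acls(text):
    acls = []  # [{'what': ..., 'by': [(who, level), ...]}, ...]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("access to "):
            acls.append({"what": line[len("access to "):], "by": []})
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            acls[-1]["by"].append((who, level))
    return acls

def what_matches(what, attr):
    return what == "*" or (what.startswith("attrs=") and attr in what[6:].split(","))

def who_matches(who, bind_dn, target_dn):
    if who in ("*", "anonymous"):
        return who == "*" or bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn\.base="(.*)"', who)
    return m is not None and bind_dn is not None and m.group(1).lower() == bind_dn.lower()

def allowed(acls, bind_dn, target_dn, attr, wanted):
    """First clause whose <what> matches decides; its first matching 'by' grants
    or denies (no match denies, like slapd's implicit trailing 'by * none')."""
    for acl in acls:
        if what_matches(acl["what"], attr):
            for who, level in acl["by"]:
                if who_matches(who, bind_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False
    return False

POSTED_ACLS = parse_acls("""access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to *
        by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read
        by self write
        by * none""")
NSLCD = "uid=nslcd_proc,ou=System,dc=amahoro,dc=bi"
USER = "uid=jdoe,ou=People,dc=amahoro,dc=bi"  # constructed target entry
```

Under these rules nslcd_proc can read ordinary attributes of any entry but not userPassword, and anonymous clients get auth on userPassword (enough to bind) and nothing else; whether the bind DN entry itself exists is a separate question the ACLs cannot answer.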
Behavior change on overlay sssvlv
by Clément OUDOT
Hello,
I noticed that with OpenLDAP 2.4.30, a search request with a non-critical
sss control on an attribute without an ordering matching rule returns an
error:
clement@ader:~/Programmes/openldap$ bin/ldapsearch -H ldap://localhost:3389 -D ou=lsc,ou=accounts,ou=XXX -w secret -b ou=people,ou=XXX -E sss=cn
# extended LDIF
#
# LDAPv3
# with server side sorting control
#
# search result
search: 2
result: 18 Inappropriate matching
text: serverSort control: No ordering rule
# numResponses: 1
Before, the error was only returned if the control was set to
critical. This was discussed in this ITS:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6647
Is this behavior change intentional, or is this a side effect of a
recent commit?
Clément.
11 years, 7 months