ACL Manual Additions request
by Nick Milas
Hi,
I think it would be important to add some text in
http://www.openldap.org/doc/admin24/access-control.html regarding the
use of <control> keywords (i.e. stop, continue, break), esp "break".
These are not explained at all in the particular page, and IMHO they are
not satisfactorily explained in FAQ-O-Matic as well (unless there is a
page which I missed, in which case please add the appropriate info in
the above page which is a main point of reference).
For example, the above man page does not even include an example with a
break keyword. At least one example should be included for children,
entry attributes (and the significance of break there should be explained).
There are some examples in FAQ-O-Matic, for example:
http://www.openldap.org/faq/data/cache/1474.html
http://www.openldap.org/faq/data/cache/429.html
http://www.openldap.org/faq/data/cache/189.html
but they do not provide sufficient insight.
So, currently the significance and use of <control> keywords is obscure.
Although I am now (after almost two years) in a position to be able to
understand and handle ACLs to an extensive degree successfully (not
without effort), yet I am far from writing a tutorial or manual text, I
felt the above addition is a real need (esp. for new users) that I
should mention, asking the project team for it.
Regards and thanks for the project's efforts,
Nick
11 years, 4 months
translucent overlay and local objects?
by Eugene Vilensky
Greetings,
Pardon if this is an RTFM (I'd love a link), but is it possible to
store entities locally using the translucent overlay?
The overlay works for what we are trying to do when it comes to search
and modifying attributes on an entry, but I would like to create an
entire local groupofnames, consisting of remote UIDs.
For example, this LDIF imports OK:
#!RESULT OK
#!CONNECTION ldap://xxxxx
#!DATE 2012-04-09T16:01:33.961
dn: cn=instructors,ou=Groups,dc=xxxx,dc=zzz
changetype: add
objectClass: groupofnames
member: uid=nate
member: uid=penelope
member: uid=rhonda
cn: instructors
But searching for it does not bring back a result.
However, it must have gone somewhere since if I try to import the same
LDIF again:
#!RESULT ERROR
#!CONNECTION ldap://xxxxx
#!DATE 2012-04-09T16:21:28.221
#!ERROR [LDAP: error code 68 - Entry Already Exists]
Kind regards,
Eugene
11 years, 4 months
CAN I MAKE MY OWN SCHEMA
by amine boubou
hi
I've installed openldap correctly, but now I want to use some attributes that do not exist in the default objectclasses.
My question: can I configure openldap with a new specific schema without using the default ones (core.schema cosine.schema nis.schema and inetorgperson.schema)?
thanks for answer :)
11 years, 4 months
Adding ORDERING to a core attribute
by Emmanuel Dreyfus
Hi
I have a VoIP phone that insists on having ORDERING set on sn and
givenName in core.schema. Is there any smart way of doing it without
modifying the core.schema file?
--
Emmanuel Dreyfus
manu(a)netbsd.org
11 years, 4 months
HowTo to setup LDAP
by Luc MAIGNAN
Hi,
I've found a lot of howtos for setting up openLDAP using slapd.conf but
none using the actual database feature.
But I want to configure a freshly installed openLDAP without writing a
slapd.conf and doing a migration on it.
Is there somewhere a step-by-step howto for setting up an openLDAP using the
new feature (all parameters in the LDAP)?
Thanks for any help
Best regards
11 years, 4 months
"do_bind: invalid dn" while trying to monitor slapd using pacemaker `slapd' resource agent
by Igor Zinovik
Hello.
I'm deploying a mirrormode openldap cluster. I have two hosts running
openSUSE 12.1 with openldap2-2.4.30-83.3.x86_64
I created a special user for mirrormode and tuned limits, so replication works
fine.
But for transparent switching between the two nodes in case of failure I need
some additional software to monitor the ldap daemons and manage the IP
addresses to which my consumers connect.
So I went for pacemaker and used the following document to set it up:
http://www.daasi.de/ldapcon2011/downloads/Haferkamp-paper.pdf
I decided to create a special uid for monitoring my tree which can
read only the root element:
ldap2:~# grep -C 2 pcmk /etc/openldap/slapd.conf
#
access to dn.base="dc=test,dc=org"
by dn="uid=slapd-pcmk,ou=Services,dc=test,dc=org" read
And here is my problem:
I can successfully execute the search query by hand using ldapsearch(1):
ldap2:~# ldapsearch -H "ldap:/// ldaps:/// ldapi:///" -b
dc=test,dc=org -LLL -s base -x -D
'uid=slapd-pcmk,ou=Services,dc=test,dc=org -w 'P@ssw0rd,'
Enter LDAP Password:
dn: dc=test,dc=org
dc: test
objectClass: organization
objectClass: dcObject
o: Test org
ldap2:~# echo $?
0
Pacemaker uses resource agents to monitor various daemons, so I downloaded
the resource agent for slapd. A resource agent is just a script file (e.g.
the resource agent for slapd) and it executes the same query as I do by hand,
but slapd complains about "invalid dn":
Here is how slapd resource was defined:
ldap2:~# crm configure primitive slapd_mirrormode ocf:heartbeat:slapd params \
slapd="/usr/lib/openldap/slapd" config="/etc/openldap/slapd.conf" \
user="ldap" group="ldap" services="ldap:/// ldaps:/// ldapi:///" \
watch_suffix="dc=test,dc=org" \
bind_dn="uid=slapd-pcmk,ou=Services,dc=test,dc=org" \
password="P@ssw0rd," parameters="-o slp=on" \
meta migration-threshold="3" op monitor interval="10s"
I changed the loglevel in slapd to `1' and see the following in the log:
May 16 13:07:00 ldap2 slapd[7641]: slap_listener_activate(8):
May 16 13:07:00 ldap2 slapd[7641]: >>> slap_listener(ldap:///)
May 16 13:07:00 ldap2 slapd[7641]: connection_get(17): got connid=1013
May 16 13:07:00 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1013
May 16 13:07:00 ldap2 slapd[7641]: op tag 0x60, time 1337159220
May 16 13:07:00 ldap2 slapd[7641]: conn=1013 op=0 do_bind
May 16 13:07:00 ldap2 slapd[7641]: >>> dnPrettyNormal:
<'uid=slapd-pcmk,ou=Services,dc=test,dc=org'>
May 16 13:07:00 ldap2 slapd[7641]: conn=1013 op=0 do_bind: invalid dn
('uid=slapd-pcmk,ou=Services,dc=test,dc=org')
May 16 13:07:00 ldap2 slapd[7641]: send_ldap_result: conn=1013 op=0 p=3
May 16 13:07:00 ldap2 slapd[7641]: send_ldap_response: msgid=1 tag=97 err=34
May 16 13:07:00 ldap2 slapd[7641]: connection_get(17): got connid=1013
May 16 13:07:00 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1013
May 16 13:07:00 ldap2 slapd[7641]: op tag 0x42, time 1337159220
May 16 13:07:00 ldap2 slapd[7641]: conn=1013 op=1 do_unbind
May 16 13:07:00 ldap2 slapd[7641]: connection_close: conn=1013 sd=17
May 16 13:07:01 ldap2 slapd[7641]: slap_listener_activate(8):
May 16 13:07:01 ldap2 slapd[7641]: >>> slap_listener(ldap:///)
May 16 13:07:01 ldap2 slapd[7641]: connection_get(17): got connid=1014
May 16 13:07:01 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1014
May 16 13:07:01 ldap2 slapd[7641]: op tag 0x60, time 1337159221
May 16 13:07:01 ldap2 slapd[7641]: conn=1014 op=0 do_bind
May 16 13:07:01 ldap2 slapd[7641]: >>> dnPrettyNormal:
<'uid=slapd-pcmk,ou=Services,dc=test,dc=org'>
May 16 13:07:01 ldap2 slapd[7641]: conn=1014 op=0 do_bind: invalid dn
('uid=slapd-pcmk,ou=Services,dc=test,dc=org')
May 16 13:07:01 ldap2 slapd[7641]: send_ldap_result: conn=1014 op=0 p=3
May 16 13:07:01 ldap2 slapd[7641]: send_ldap_response: msgid=1 tag=97 err=34
May 16 13:07:01 ldap2 slapd[7641]: connection_get(17): got connid=1014
May 16 13:07:01 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1014
May 16 13:07:01 ldap2 slapd[7641]: op tag 0x42, time 1337159221
May 16 13:07:01 ldap2 slapd[7641]: ber_get_next on fd 17 failed
errno=0 (Success)
May 16 13:07:01 ldap2 slapd[7641]: conn=1014 op=1 do_unbind
May 16 13:07:01 ldap2 slapd[7641]: connection_close: conn=1014 sd=17
May 16 13:07:02 ldap2 slapd[7641]: slap_listener_activate(8):
May 16 13:07:02 ldap2 slapd[7641]: >>> slap_listener(ldap:///)
May 16 13:07:02 ldap2 slapd[7641]: connection_get(17): got connid=1015
May 16 13:07:02 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1015
May 16 13:07:02 ldap2 slapd[7641]: op tag 0x60, time 1337159222
May 16 13:07:02 ldap2 slapd[7641]: conn=1015 op=0 do_bind
May 16 13:07:02 ldap2 slapd[7641]: >>> dnPrettyNormal:
<'uid=slapd-pcmk,ou=Services,dc=test,dc=org'>
May 16 13:07:02 ldap2 slapd[7641]: conn=1015 op=0 do_bind: invalid dn
('uid=slapd-pcmk,ou=Services,dc=test,dc=org')
May 16 13:07:02 ldap2 slapd[7641]: send_ldap_result: conn=1015 op=0 p=3
May 16 13:07:02 ldap2 slapd[7641]: send_ldap_response: msgid=1 tag=97 err=34
May 16 13:07:02 ldap2 slapd[7641]: connection_get(17): got connid=1015
May 16 13:07:02 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1015
May 16 13:07:02 ldap2 slapd[7641]: op tag 0x42, time 1337159222
May 16 13:07:02 ldap2 slapd[7641]: conn=1015 op=1 do_unbind
May 16 13:07:02 ldap2 slapd[7641]: connection_close: conn=1015 sd=17
May 16 13:07:04 ldap2 slapd[7641]: slap_listener_activate(8):
May 16 13:07:04 ldap2 slapd[7641]: >>> slap_listener(ldap:///)
May 16 13:07:04 ldap2 slapd[7641]: connection_get(17): got connid=1016
May 16 13:07:04 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1016
May 16 13:07:04 ldap2 slapd[7641]: op tag 0x60, time 1337159224
May 16 13:07:04 ldap2 slapd[7641]: conn=1016 op=0 do_bind
May 16 13:07:04 ldap2 slapd[7641]: >>> dnPrettyNormal:
<'uid=slapd-pcmk,ou=Services,dc=test,dc=org'>
May 16 13:07:04 ldap2 slapd[7641]: conn=1016 op=0 do_bind: invalid dn
('uid=slapd-pcmk,ou=Services,dc=test,dc=org')
May 16 13:07:04 ldap2 slapd[7641]: send_ldap_result: conn=1016 op=0 p=3
May 16 13:07:04 ldap2 slapd[7641]: send_ldap_response: msgid=1 tag=97 err=34
May 16 13:07:04 ldap2 slapd[7641]: connection_get(17): got connid=1016
May 16 13:07:04 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1016
May 16 13:07:04 ldap2 slapd[7641]: op tag 0x42, time 1337159224
May 16 13:07:04 ldap2 slapd[7641]: conn=1016 op=1 do_unbind
May 16 13:07:04 ldap2 slapd[7641]: connection_close: conn=1016 sd=17
May 16 13:07:05 ldap2 slapd[7641]: slap_listener_activate(8):
May 16 13:07:05 ldap2 slapd[7641]: >>> slap_listener(ldap:///)
May 16 13:07:05 ldap2 slapd[7641]: connection_get(17): got connid=1017
May 16 13:07:05 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1017
May 16 13:07:05 ldap2 slapd[7641]: op tag 0x60, time 1337159225
May 16 13:07:05 ldap2 slapd[7641]: conn=1017 op=0 do_bind
May 16 13:07:05 ldap2 slapd[7641]: >>> dnPrettyNormal:
<'uid=slapd-pcmk,ou=Services,dc=test,dc=org'>
May 16 13:07:05 ldap2 slapd[7641]: conn=1017 op=0 do_bind: invalid dn
('uid=slapd-pcmk,ou=Services,dc=test,dc=org')
May 16 13:07:05 ldap2 slapd[7641]: send_ldap_result: conn=1017 op=0 p=3
May 16 13:07:05 ldap2 slapd[7641]: send_ldap_response: msgid=1 tag=97 err=34
May 16 13:07:05 ldap2 slapd[7641]: connection_get(17): got connid=1017
May 16 13:07:05 ldap2 slapd[7641]: connection_read(17): checking for
input on id=1017
May 16 13:07:05 ldap2 slapd[7641]: op tag 0x42, time 1337159225
May 16 13:07:05 ldap2 slapd[7641]: conn=1017 op=1 do_unbind
May 16 13:07:05 ldap2 slapd[7641]: connection_close: conn=1017 sd=17
May 16 13:07:06 ldap2 slapd[7641]: daemon: shutdown requested and initiated.
May 16 13:07:06 ldap2 slapd[7641]: slapd shutdown: waiting for 1
operations/tasks to finish
May 16 13:07:06 ldap2 slapd[7641]: slapd shutdown: initiated
May 16 13:07:06 ldap2 slapd[7641]: ====> bdb_cache_release_all
May 16 13:07:06 ldap2 slapd[7641]: slapd destroy: freeing system resources.
May 16 13:07:06 ldap2 slapd[7641]: syncinfo_free: rid=001
May 16 13:07:06 ldap2 slapd[7641]: connection_get(14): got connid=0
May 16 13:07:06 ldap2 slapd[7641]: slapd stopped.
I understand that there might be a problem in pacemaker's `slapd' resource agent.
Maybe it corrupts the bind dn somehow...
The agent executes the `monitor' operation; here is a snippet from the resource agent code:
ldap2:~# less /usr/lib/ocf/resource.d/heartbeat/slapd
...
slapd_monitor()
{
    ...
    options="-LLL -s base -x"
    if [ -n "$bind_dn" ]; then
        options="$options -D '$bind_dn' -w '$password'"
    fi
    [ -z "$1" ] && err_option=""
    for suffix in $suffixes; do
        ocf_run -q $err_option "$ldapsearch" -H "$services" -b "$suffix" $options >/dev/null 2>&1; rc=$?
        case "$rc" in
            "0")
                ocf_log debug "slapd database with suffix '$suffix' reachable"
                ;;
            "49")
                ocf_log err "slapd database with suffix '$suffix' unreachable. Invalid credentials."
                return $OCF_ERR_CONFIGURED
                ;;
            *)
                if [ -z "$1" ] || [ -n "$1" -a $rc -ne 1 ]; then
                    ocf_log err "slapd database with suffix '$suffix' unreachable. exit code ($rc)"
                fi
    ...
Still scratching head...
11 years, 4 months
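Why the quote characters end up inside the DN, shown with an added example that is not part of the post or of the heartbeat slapd resource agent. The agent's snippet places single quotes inside the options string and then expands it unquoted; the shell's word splitting does not remove those quotes, so ldapsearch receives `'uid=...'` with the quote characters as part of the DN, which is what the `dnPrettyNormal: <'uid=slapd-pcmk,...'>` log line shows. The `fake_ldapsearch` stub below is a constructed stand-in for ldapsearch so the script runs offline.

```shell
#!/bin/sh
# Added example (not the resource agent's own code). Demonstrates how an
# options string with embedded single quotes is split by the shell, and a
# way to pass the bind DN and password as intact arguments instead.

bind_dn="uid=slapd-pcmk,ou=Services,dc=test,dc=org"
password="P@ssw0rd,"

# Constructed stub standing in for ldapsearch: prints the word that
# followed -D, i.e. the DN the real program would try to bind with.
fake_ldapsearch() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -D) printf '%s\n' "$2"; return 0 ;;
        esac
        shift
    done
    return 1
}

# The agent's style: quotes written into a string, then unquoted expansion.
# Word splitting does not parse quotes, so they stay in the argument and
# slapd rejects the DN as invalid (err=34).
dn_seen_by_agent_style() {
    options="-LLL -s base -x"
    options="$options -D '$bind_dn' -w '$password'"
    # shellcheck disable=SC2086
    fake_ldapsearch -H "ldap:///" -b "dc=test,dc=org" $options
}

# Safer style: build the argument list with "$@" so each value stays one
# word, even if the DN or password contains spaces or quote characters.
dn_seen_with_positional_args() {
    set -- -LLL -s base -x
    if [ -n "$bind_dn" ]; then
        set -- "$@" -D "$bind_dn" -w "$password"
    fi
    fake_ldapsearch -H "ldap:///" -b "dc=test,dc=org" "$@"
}
```

Running `dn_seen_by_agent_style` prints the DN wrapped in literal single quotes, while `dn_seen_with_positional_args` prints it exactly as configured.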
OpenLDAP 2.4.23 multi-master replication of the cn=config tree error: could not put entry file in place
by Cyril Grosjean
I've a sandbox environment with 2 CentOS 6.2 servers running the genuine
openldap-servers rpms, that is OpenLDAP 2.4.23 .
I've setup a multi-master replication between the servers, so that both my
data DIT (dc=....,dc=.... ) and the cn=config should be replicated.
Actually, the replication of data works fine, as expected in either way,
but the replication of the configuration tree fails:
each time I update the configuration on the second node, I get this error
in my LDAP client (Apache Directory Studio):
could not put entry file in place
I've tried to run the second master in debug (-d -1) mode, and it seems
like there's a write access error when the slapd daemon
(on the 2nd master) tries to update/modify/replace the
/etc/openldap/slapd.d/cn=config.ldif file:
<= acl_access_allowed: granted to database root
ldif_write_entry: could not put entry file for "cn=config" in place:
Permission denied
send_ldap_result: conn=-1 op=0 p=3
send_ldap_result: err=80 matched="" text="internal error (could not put
entry file in place)"
send_ldap_result: conn=-1 op=0 p=3
send_ldap_result: err=80 matched="" text="internal error (could not put
entry file in place)"
null_callback : error code 0x50
slap_graduate_commit_csn: removing 0x7fd19412f090
20120510163105.003156Z#000000#001#000000
syncrepl_updateCookie: rid=001 be_modify failed (80)
ldap_msgfree
The OpenLDAP error log shows the following error:
May 10 19:12:39 sashimi slapd[24866]: slapd starting
May 10 19:12:40 sashimi slapd[24866]: ldif_write_entry: cannot create file
for "olcDatabase={0}config,cn=config": Permission denied
May 10 19:12:40 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:12:40 sashimi slapd[24866]: syncrepl_entry: rid=001 be_modify
failed (80)
May 10 19:12:40 sashimi slapd[24866]: do_syncrepl: rid=001 rc -1 quitting
May 10 19:12:50 sashimi slapd[24866]: ldif_write_entry: could not put entry
file for "cn=config" in place: Permission denied
May 10 19:12:50 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:12:50 sashimi slapd[24866]: syncrepl_updateCookie: rid=001
be_modify failed (80)
May 10 19:13:00 sashimi slapd[24866]: ldif_write_entry: could not put entry
file for "cn=config" in place: Permission denied
May 10 19:13:00 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:13:00 sashimi slapd[24866]: syncrepl_updateCookie: rid=001
be_modify failed (80)
May 10 19:13:10 sashimi slapd[24866]: ldif_write_entry: could not put entry
file for "cn=config" in place: Permission denied
May 10 19:13:10 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:13:10 sashimi slapd[24866]: syncrepl_updateCookie: rid=001
be_modify failed (80)
Of course, I don't have any access right problems at the file system level,
I don't have any file system ACLs, I don't use SELinux and
I've checked that I can update or create any file under
/etc/openldap/slapd.d when logged in as the ldap user (which is the account
used to run slapd).
So, this error looks like a bug to me. Already fixed?
To set up the replication of both data and configuration, I've copied the
full /etc/openldap directory from one server to the other, with the
same file system rights. I've just changed the server certificate files
since I use TLS to replicate both the data and the configuration. So, I
don't have any TLS problem since the data tree replication works fine.
Here's my replication configuration for the cn=config database:
dn: olcDatabase={0}config,cn=config
...
....
olcSyncRepl: rid=001 provider=ldap://......:389 binddn="cn=config"
bindmethod=simple credentials="......" searchbase="cn=config"
type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
starttls=yes
tls_cacert=/etc/openldap/conf/cacert.pem
olcSyncRepl: rid=002 provider=ldap://.....:389 binddn="cn=config"
bindmethod=simple credentials="....... " searchbase="cn=config"
type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
starttls=yes tls_cacert=/etc/openldap/conf/cacert.pem
olcMirrorMode: TRUE
I actually use the same setup as for the data replication, except that
I have rid=003 and rid=004 of course for data replication, and the BIND DN
and passwords are different too.
--
Cyril
11 years, 4 months
SASL AD + SASL SCRAM
by Pieter Baele
Hi,
My current LDAP setup uses SASL PTA to authenticate against Active Directory.
For users only existing in OpenLDAP, I would use SASL SCRAM, so no
passes over the wire except for these in AD ;-)
But I believe only 1 method can be used by SASL External?
Any guidelines on configuring something as this? Do I really need the
meta backend or is there a better way?
-- PieterB
11 years, 4 months
AW: overlay nssov + pass-through authentication
by Uwe Werler
> Hello list,
>
> up to now we have pam_ldap/nss_ldap running from padl and all user accounts have
>
> pass-through authentication configured to authenticate against an
> external ldap server.*
>
> Now I try the overlay nssov and except authentication all is running fine.
>
> If I use the userPassword directly the user can authenticate without problems.
>
> Isn't it possible to use pass-through authentication with overlay nssov?
>
> Thanks in advance!
>
> Regards Uwe
>
> *userPassword: {SASL}uid
>
>
>
Ok, I found overlay pbind - it does what I want 'cause we use saslauthd with ldap auth against an external ldap server for some user accounts.
Drawback in this setup is that I have to split my database for this.
11 years, 4 months
Re: options for meta when using configuration backend
by Scott Koranda
On Tue, May 15, 2012 at 10:52 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, May 15, 2012 9:32 PM -0500 Scott Koranda <skoranda(a)gmail.com>
> wrote:
>
>> Does slapd-meta built from 2.4.31 source support using
>> slapd-config?
>
>
> You never mentioned slapd-meta in your original post.
The subject of the post was "options for meta when using configuration backend".
I agree that the note could have been more clear.
> olcDbURI is usually
> associated with slapd-ldap. I don't believe slapd-meta has cn=config
> support at this time.
Thank you. I will proceed with slapd.conf.
Scott
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
11 years, 4 months