Re: ldappasswd gives error ldap_sasl_interactive_bind_s: No such attribute (16)
by Dan White
Keeping replies on openldap-technical(a)openldap.org is recommended, since it
gives you more eyes for your problem.
>> On Thu, Aug 16, 2012 at 2:30 PM, Dan White <dwhite(a)olp.net> wrote:
>>> On 08/16/12 14:06 -0700, Jeffrey Parker wrote:
>>>>> I cannot seem to find anything helpful about this issue. I had it
>>>>> working before when I first set up OpenLDAP and I have not changed
>>>>> any settings since then. The only thing I can seem to find is a
>>>>> suggestion saying to use -x when running ldappasswd. When I use -x I
>>>>> get the error below:
>>>>>
>>>>> Result: Strong(er) authentication required (8)
>>>>> Additional info: only authenticated users may change passwords
>>>>>
>>>>>
>>>> If binding with -x, you'll need to provide a bind dn (-D) and a password.
>>>>
>>>> I am running OpenLDAP, I am not sure what version but it is somewhat
>>>> new.
>>>>
>>>> The error message is briefly discussed in the OpenLDAP Administrator's
>>>> Guide (section H.17).
>>>>
>>>> Verify that you are able to bind to the server with 'ldapwhoami', with
>>>> your credentials. Once that succeeds, verify that your entry contains
>>>> a 'userPassword' attribute, and that the user you are binding with has
>>>> the permissions to change it.
>On Aug 17, 2012 9:08 AM, "Dan White" <dwhite(a)olp.net> wrote:
>> On 08/16/12 15:32 -0700, Jeffrey Parker wrote:
>>
>>> The setup that I have is a bit strange, I am not using OpenLDAP to
>>> authenticate operating system users. I am using it for other
>>> authentication. The authentication works for usermin which I am using
>>> as an interface to change passwords and for phpldapadmin, and for
>>> Hudson continuous integration. That section that you mentioned in the
>>> OpenLDAP Administrator's guide does not give any help it just says what
>>> that means not any indication on what to do to fix it. As a side note
>>> ldapwhoami does not work because I am not authenticated through ldap to
>>> login to the computer. I can manually change the password in
>>> phpldapadmin, but I need the users to be able to change their own
>>> password which was working but now it is not working and I did not
>>> change anything since the time that it was working.
>>
>> I cannot assist you with phpldapadmin or usermin.
>>
>> If you would like users to change their own passwords with the ldappasswd
>> utility, then ldapwhoami is an acid test. Users must be able to
>> authenticate to your ldap server before they can change their passwords for
>> themselves. This is unrelated to how you, or your users, authenticate to
>> the operating system.
>>
>> When password changes worked, what command (include command line
>> parameters) did your users use?
On 08/17/12 09:46 -0700, Jeffrey Parker wrote:
>Usermin runs ldappasswd. The command-line options when it worked are the
>same as I tried before, just ldappasswd. Users can authenticate without any
>issue.
Common ldappasswd examples include:
for simple binds:
ldappasswd -x -D "uid=jsmith,dc=example,dc=net" -W -s "new_password"
for sasl binds:
ldappasswd -Y digest-md5 -U jsmith -s "new_password"
What are the contents of the following files, if they exist?
/etc/ldap/ldap.conf (or your system's equivalent)
$HOME/ldaprc
$HOME/.ldaprc
./ldaprc
Consult the manpages for ldap.conf and ldappasswd.
--
Dan White
11 years, 1 month
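An added example (not code from the thread or from OpenLDAP) covering the two points in Dan's reply: which client defaults in the files he lists shape the bind that ldappasswd performs, and the order of his checks (bind, then userPassword, then the change). It assumes the ldap.conf(5) precedence where later files override earlier ones, simple binds with the password read from a file (-y), and that awk is available.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1: which client defaults from
# ldap.conf/ldaprc shape the bind ldappasswd performs. Part 2: Dan's order of
# checks (bind, then userPassword, then change). Assumes ldap.conf(5)
# precedence: later files override earlier ones.

# Print the effective value of one directive (URI, BASE, BINDDN, SASL_MECH ...)
# across the files in the order the client reads them. Comment and blank lines
# are skipped, directive names are case-insensitive, the last file that sets
# the directive wins, and an empty line is printed if no file sets it.
effective_setting() {
    directive=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    shift
    value=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -v d="$directive" \
            'toupper($1) == d { $1 = ""; sub(/^ +/, ""); val = $0 }
             END { print val }' "$f")
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Without -x, ldappasswd attempts a SASL interactive bind (the
# ldap_sasl_interactive_bind_s in the subject line), so a SASL_MECH or BINDDN
# picked up from these files changes what the server sees.
show_bind_defaults() {
    for d in URI BASE BINDDN SASL_MECH; do
        printf '%-10s %s\n' "$d" "$(effective_setting "$d" \
            /etc/ldap/ldap.conf "$HOME/ldaprc" "$HOME/.ldaprc" ./ldaprc)"
    done
}

# Dan's three checks for one user DN with a simple bind; the password comes
# from a file (-y) so it stays out of shell history and the process list.
# Stop at the first failure: a user who cannot bind cannot change anything.
check_self_password_change() {
    dn=$1; pwfile=$2
    ldapwhoami -x -D "$dn" -y "$pwfile" || return 1
    ldapsearch -x -D "$dn" -y "$pwfile" -b "$dn" -s base '(objectClass=*)' \
        userPassword | grep -q '^userPassword:' || return 2
    ldappasswd -x -D "$dn" -y "$pwfile" -S
}

# Example invocation (commented out so the functions can be sourced):
# show_bind_defaults
# check_self_password_change "uid=jsmith,dc=example,dc=net" "$HOME/.ldappw"
```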
Re: ldappasswd gives error ldap_sasl_interactive_bind_s: No such attribute (16)
by Dan White
(Readding openldap-technical(a)openldap.org to the CC list)
On 08/16/12 15:32 -0700, Jeffrey Parker wrote:
>The setup that I have is a bit strange, I am not using OpenLDAP to
>authenticate operating system users. I am using it for other
>authentication. The authentication works for usermin which I am using as an
>interface to change passwords and for phpldapadmin, and for Hudson
>continuous integration. That section that you mentioned in the OpenLDAP
>Administrator's guide does not give any help it just says what that means
>not any indication on what to do to fix it. As a side note ldapwhoami does
>not work because I am not authenticated through ldap to login to the
>computer. I can manually change the password in phpldapadmin, but I need
>the users to be able to change their own password which was working but now
>it is not working and I did not change anything since the time that it was
>working.
I cannot assist you with phpldapadmin or usermin.
If you would like users to change their own passwords with the ldappasswd
utility, then ldapwhoami is an acid test. Users must be able to
authenticate to your ldap server before they can change their passwords for
themselves. This is unrelated to how you, or your users, authenticate to
the operating system.
When password changes worked, what command (include command line
parameters) did your users use?
>On Thu, Aug 16, 2012 at 2:30 PM, Dan White <dwhite(a)olp.net> wrote:
>
>> On 08/16/12 14:06 -0700, Jeffrey Parker wrote:
>>
>>> I cannot seem to find anything helpful about this issue. I had it working
>>> before when I first set up OpenLDAP and I have not changed any settings
>>> since then. The only thing I can seem to find is a suggestion saying to use
>>> -x when running ldappasswd. When I use -x I get the error below:
>>>
>>> Result: Strong(er) authentication required (8)
>>> Additional info: only authenticated users may change passwords
>>>
>>
>> If binding with -x, you'll need to provide a bind dn (-D) and a password.
>>
>>
>>> I am running OpenLDAP, I am not sure what version but it is somewhat new.
>>> It is running on Turnkey Linux (ubuntu 10.04 based) and is in a virtual
>>> machine.
>>>
>>
>> The error message is briefly discussed in the OpenLDAP Administrator's
>> Guide (section H.17).
>>
>> Verify that you are able to bind to the server with 'ldapwhoami', with your
>> credentials. Once that succeeds, verify that your entry contains a
>> 'userPassword' attribute, and that the user you are binding with has the
>> permissions to change it.
>>
>> --
>> Dan White
>>
>>
--
Dan White
11 years, 1 month
slapd-meta doesn't continue with multiple uri's
by Liam Gretton
I've been trying to get slapd-meta to failover using multiple URIs but
can't get it to work.
Initially I was using 2.4.26, but having seen the report in ITS#7050
I've now built 2.4.32 but the problem is still there as far as I can
tell. This bug was quashed in 2.4.29 according to the change log.
In the example below, if host1 is not contactable at the point a search
is performed, host2 will be contacted and the result returned correctly
but ldapsearch then hangs indefinitely and the server's debug (level 1)
output spews the following messages endlessly:
ldap_sasl_bind
ldap_send_initial_request
ldap_int_poll: fd: 10 tm: 0
502a4634 conn=1001 op=1 <<< meta_search_dobind_init[0]=4
502a4634 conn=1001 op=1 >>> meta_search_dobind_init[0]
Here's the relevant portion of slapd.conf:
database meta
suffix dc=local
rootdn cn=administrator,dc=local
rootpw secret
network-timeout 3
uri ldap://host1:3268/ou=dc1,dc=local
uri ldap://host2:3268/ou=dc1,dc=local
uri ldap://host3:3268/ou=dc1,dc=local
suffixmassage "ou=dc1,dc=local" "dc=example,dc=com"
idassert-bind bindmethod=simple
binddn="cn=proxyuser,dc=example,dc=com"
credentials="password"
idassert-authzfrom "dn.exact:cn=administrator,dc=local"
Am I doing something wrong or has the bug described in ITS#7050 crept
back in?
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
11 years, 1 month
Status of rfc2307bis?
by Pierre Girard
Hello,
When I look at the list of included schema with openldap
(http://www.openldap.org/doc/admin24/schema.html#Distributed Schema
Files) rfc2307bis isn't listed.
What is the status of that schema, is it obsolete? If I understand
correctly, it expired in 2009. Is that correct?
What we want to do is set up an LDAP server only to hold automount
information. What would be the proper way of doing that, use the nis.schema?
Any recommendation?
Thanks for your help.
11 years, 1 month
syncrepl and glued databases
by Uwe Werler
Hello List,
is it OK to glue a database via replication from different suffixes together? What I tried:
syncrepl rid=010
provider=ldap://master01
searchbase="dc=example,dc=com"
keepalive=300:5:5
retry="10 10 300 10 600 +"
binddn="cn=syncuser,dc=example,dc=com"
bindmethod=simple
schemachecking=off
credentials=secret
scope=sub
attrs="*,+"
type=refreshAndPersist
syncrepl rid=020
provider=ldap://master02
searchbase="ou=glue1"
keepalive=300:5:5
retry="10 10 300 10 600 +"
binddn="cn=syncuser,dc=example,dc=com"
bindmethod=simple
schemachecking=off
credentials=secret
scope=sub
type=refreshAndPersist
attrs="*,+"
suffixmassage="ou=glue2,dc=example,dc=com"
syncrepl rid=030
provider=ldap://master03
searchbase="ou=glue2"
keepalive=300:5:5
retry="10 10 300 10 600 +"
binddn="cn=syncuser,dc=example,dc=com"
bindmethod=simple
schemachecking=off
credentials=secret
scope=sub
type=refreshAndPersist
attrs="*,+"
suffixmassage="ou=glue2,dc=example,dc=com"
This seems to work. Is this OK? Or should I use the traditional way with subordinate and glued databases?
Background: this replica should be the sync master for a bunch of other hosts.
Thanks for any hint.
Regards Uwe
11 years, 1 month
ldappasswd gives error ldap_sasl_interactive_bind_s: No such attribute (16)
by Jeffrey Parker
I cannot seem to find anything helpful about this issue. I had it working
before when I first set up OpenLDAP and I have not changed any settings
since then. The only thing I can seem to find is a suggestion saying to use
-x when running ldappasswd. When I use -x I get the error below:
Result: Strong(er) authentication required (8)
Additional info: only authenticated users may change passwords
I am running OpenLDAP, I am not sure what version but it is somewhat new.
It is running on Turnkey Linux (ubuntu 10.04 based) and is in a virtual
machine.
11 years, 1 month
Lazy ACLs and keeping your DIT as flat as possible
by Gavin Henry
Hi All,
I'm pretty sure that this isn't possible, but wanted to check as my
head hurts now.
I have dynamic lists using slapo-dynlist with the Organization
attribute of 'o' and I am trying to keep my DIT as flat as possible.
I want to create an ACL that is "by group", which is fine. But....I
don't want to hardcode a group.
I want to "capture" o via a regex and use that in the "by group" like so:
access to dn.subtree="ou=Users,dc=suretec,dc=co,dc=uk"
attrs=o
val.regex="(.+)"
attrs=children,entry
by group.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read
by self write
or something like the following using a previous capture:
access to filter=(&(objectClass=inetOrgPerson)(o=$1))
by group/groupOfURLs/memberURL.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk"
read
by self write
by * none
Issue is you can't pass captures between "access by" statements and my
ACLs are flawed based on what you're searching for, which would be
perfect. The goal being users in the same group can only see users on
ou=Users of that group, with out hard coding group name in the conf.
I guess I'll have to create branches to split up users. Then again,
I'm adding a group to ou=Groups, why shouldn't I at the same time add
a new ACL via cn=config?
Cheers.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretec.co.uk
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk
Did you see our API? http://www.surevoip.co.uk/api
11 years, 1 month
pass-through authentication and base64
by sergio
Hello.
Is it possible to ask openldap not to encode magic tokens for
pass-through authentication? Now ldapsearch shows:
userPassword:: e1NBU0x9dXNlcm5hbWVAcmVhbG0K==
but I'd like to see:
userPassword:: {SASL}username@realm
instead.
--
sergio.
11 years, 1 month
Fwd: pass-through authentication and base64
by Brett Maxfield
> This decodes ok as
>
> {SASL}username@realm
>
> (omit the trailing ==, before decoding)
>
> So you mean to delegate auth to a sasl realm called 'realm', containing a user called 'username' ?
>
> Have you literally added this example value to an ldap entry and dumped it with slapcat ?
>
> On 15/08/2012, at 10:22 PM, sergio <mailbox(a)sergio.spb.ru> wrote:
>
>> On 08/15/2012 06:12 PM, Emmanuel Lécharny wrote:
>>
>>> e1NBU0x9dXNlcm5hbWVAcmVhbG0K==
>>
>> ONCE AGAIN:
>>
>> This is my bad example. Real values in the database have no newline or
>> some other non-ASCII non printable characters.
>>
>> It even can't be correctly decoded.
>>
>>
>> --
>> sergio.
>
11 years, 1 month
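For sergio's question and Brett's decoding of it: ldapsearch and slapcat switch to the "attr::" (base64) form whenever a value is not an RFC 2849 SAFE-STRING, and the thread's sample decodes (after dropping the stray "==") to "{SASL}username@realm" followed by a newline, which is exactly the byte that forces the encoding. Here is an added example, not code from the thread or from OpenLDAP, that implements that rule and points at the offending byte.

```python
import base64

# Added example, not code from the thread. Encodes the RFC 2849 SAFE-STRING
# rule that decides whether ldapsearch/slapcat print "attr: value" or the
# base64 form "attr:: ...". The "attr:< URL" form is not handled.

_UNSAFE_ANY = {0x00, 0x0A, 0x0D}                  # never allowed in a plain value
_UNSAFE_FIRST = _UNSAFE_ANY | {0x20, 0x3A, 0x3C}  # also not allowed as first byte


def needs_base64(value: bytes) -> bool:
    """True if LDIF must base64-encode value: non-ASCII or NUL/LF/CR anywhere,
    a leading space, ':' or '<', or a trailing space."""
    if not value:
        return False
    if value[0] in _UNSAFE_FIRST or value[0] > 0x7F:
        return True
    if any(b in _UNSAFE_ANY or b > 0x7F for b in value[1:]):
        return True
    return value.endswith(b" ")


def ldif_line(attr: str, value: bytes) -> str:
    """Render one attribute the way ldapsearch prints it (no line folding)."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"


def parse_ldif_line(line: str) -> tuple[str, bytes]:
    """Inverse of ldif_line; accepts both 'attr: v' and 'attr:: base64'."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    return attr, rest.lstrip(" ").encode("ascii")


def explain(line: str) -> str:
    """Report which byte forced the base64 form of a '::' line."""
    attr, value = parse_ldif_line(line)
    if not needs_base64(value):
        return f"{attr}: {value!r} is a safe string, shown plainly"
    last = len(value) - 1
    bad = next(i for i, b in enumerate(value)
               if b > 0x7F or b in _UNSAFE_ANY
               or (i == 0 and b in _UNSAFE_FIRST)
               or (i == last and b == 0x20))
    return f"{attr}: base64 forced by byte {value[bad]:#04x} at offset {bad}"
```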
openldap 2.2 - slapd monitor not showing cachesize, dncachsize etc.
by ping-shin ching
Hi,
I've configured slapd.conf for monitoring with the config below. The backend is bdb
database monitor
access to * by * read
Now when I do the search below, I see a lot of information, but do not see the attributes 'cachesize', 'dncachesize' etc.
ldapsearch -x -D 'cn=Manager,o=bigpond,c=au' -W -b 'cn=Monitor' -s base '(objectClass=*)' '*' '+'
version: 1
dn: cn=Monitor
objectClass: monitorServer
structuralObjectClass: monitorServer
cn: Monitor
description: This subtree contains monitoring/managing objects.
description: This object contains information about this server.
createTimestamp: 20120814040144Z
modifyTimestamp: 20120814040144Z
monitoredInfo: @(#) $OpenLDAP: slapd 2.2.30- (Aug 13 2012 11:53:25) $
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE

dn: cn=Overlay,cn=Monitor
objectClass: monitorContainer
structuralObjectClass: monitorContainer
cn: Overlay
createTimestamp: 20120814040144Z
modifyTimestamp: 20120814040144Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
11 years, 1 month