openldap-technical August 2012

openldap-technical@openldap.org

75 participants
91 discussions

Re: ldappasswd gives error ldap_sasl_interactive_bind_s: No such attribute (16)
by Dan White 18 Aug '12

18 Aug '12

Keeping replies on openldap-technical(a)openldap.org is recommended, since it gives you more eyes for your problem. >> On Thu, Aug 16, 2012 at 2:30 PM, Dan White <dwhite(a)olp.net> wrote: >>> On 08/16/12 14:06 -0700, Jeffrey Parker wrote: >>>>> I cannot seem to find anything helpful about this issue. I had it >>>>> working before when I first setup OpenLDAP and I have not changed >>>>> any settings since then. The only thing I can seem to find is >>>>> suggestion saying to use -x when running ldappasswd. When I use -x I >>>>> get the error below >>>>> >>>>> Result: Strong(er) authentication required (8) >>>>> Additional info: only authenticated users may change passwords >>>>> >>>>> >>>> If binding with -x, you'll need to provide a bind dn (-D) and a password. >>>> >>>> I am running OpenLDAP, I am not sure what version but it is somewhat >>>> new. >>>> >>>> The error messages is briefly discussed in the OpenLDAP Administrator's >>>> Guide (section H.17). >>>> >>>> Verify that you are able to bind to the server with 'ldapwhoami', with >>>> your credentials. Once that succeeds, verify that your entry contains >>>> a 'userPassword' attribute, and that the user you are binding with has >>>> the permissions to change it. >On Aug 17, 2012 9:08 AM, "Dan White" <dwhite(a)olp.net> wrote: >> On 08/16/12 15:32 -0700, Jeffrey Parker wrote: >> >>> The setup that I have is a bit strange, I am not using OpenLDAP to >>> authenticate operating system users. I am using it for other >>> authentication. The authentication works for usermin which I am using >>> as an interface to change passwords and for phpldapadmin, and for >>> Hudson continuous integration. That section that you mentioned in the >>> OpenLDAP Administrator's guide does not give any help it just says what >>> that means not any indication on what to do to fix it. As a side note >>> ldapwhoami does not work because I am not authenticated through ldap to >>> login to the computer. I can manually change the password in >>> phpldapadmin, but I need the users to be able to change their own >>> password which was working but now it is not working and I did not >>> change anything since the time that it was working. >> >> A cannot assist you with phpldapadmin or usermin. >> >> If you would like users to change their own passwords with the ldappasswd >> utility, then ldapwhoami is an acid test. Users must be able to >> authenticate to your ldap server before they can change their passwords for >> themselves. This is unrelated to how you, or your users, authenticate to >> the operating system. >> >> When password changes worked, what command (include command line >> parameters) did your users use? On 08/17/12 09:46 -0700, Jeffrey Parker wrote: >Usermin runs ldappasswd. The command-line options when it worked are the >same as I tried before, just ldappasswd. Users can authenticate without any >issue. Common ldappasswd examples include: for simple binds: ldappasswd -x -D "uid=jsmith,dc=example,dc=net" -W -s "new_password" for sasl binds: ldappasswd -Y digest-md5 -U jsmith -s "new_password" What are the contents of the following files, if they exist? /etc/ldap/ldap.conf (or your system's equivalent) $HOME/ldaprc $HOME/.ldaprc ./ldaprc Consult the manpages for ldap.conf and ldappasswd. -- Dan White

1 0

Re: ldappasswd gives error ldap_sasl_interactive_bind_s: No such attribute (16)
by Dan White 18 Aug '12

18 Aug '12

(Readding openldap-technical(a)openldap.org to the CC list) On 08/16/12 15:32 -0700, Jeffrey Parker wrote: >The setup that I have is a bit strange, I am not using OpenLDAP to >authenticate operating system users. I am using it for other >authentication. The authentication works for usermin which I am using as an >interface to change passwords and for phpldapadmin, and for Hudson >continuous integration. That section that you mentioned in the OpenLDAP >Administrator's guide does not give any help it just says what that means >not any indication on what to do to fix it. As a side note ldapwhoami does >not work because I am not authenticated through ldap to login to the >computer. I can manually change the password in phpldapadmin, but I need >the users to be able to change their own password which was working but now >it is not working and I did not change anything since the time that it was >working. A cannot assist you with phpldapadmin or usermin. If you would like users to change their own passwords with the ldappasswd utility, then ldapwhoami is an acid test. Users must be able to authenticate to your ldap server before they can change their passwords for themselves. This is unrelated to how you, or your users, authenticate to the operating system. When password changes worked, what command (include command line parameters) did your users use? >On Thu, Aug 16, 2012 at 2:30 PM, Dan White <dwhite(a)olp.net> wrote: > >> On 08/16/12 14:06 -0700, Jeffrey Parker wrote: >> >>> I cannot seem to find anything helpful about this issue. I had it working >>> before when I first setup OpenLDAP and I have not changed any settings >>> since then. The only thing I can seem to find is suggestion saying to use >>> -x when running ldappasswd. When I use -x I get the error below >>> >>> Result: Strong(er) authentication required (8) >>> Additional info: only authenticated users may change passwords >>> >> >> If binding with -x, you'll need to provide a bind dn (-D) and a password. >> >> >> I am running OpenLDAP, I am not sure what version but it is somewhat new. >>> It is running on Turnkey Linux (ubuntu 10.04 based) and is in a virtual >>> machine. >>> >> >> The error messages is briefly discussed in the OpenLDAP Administrator's >> Guide (section H.17). >> >> Verify that you are able to bind to the server with 'ldapwhoami', with your >> credentials. Once that succeeds, verify that your entry contains a >> 'userPassword' attribute, and that the user you are binding with has the >> permissions to change it. >> >> -- >> Dan White >> >> -- Dan White

1 0

slapd-meta doesn't continue with multiple uri's
by Liam Gretton 18 Aug '12

18 Aug '12

I've been trying to get slapd-meta to failover using multiple URIs but can't get it to work. Initially I was using 2.4.26, but having seen the report in ITS#7050 I've now built 2.4.32 but the problem is still there as far as I can tell. This bug was quashed in 2.4.29 according to the change log. In the example below, if host1 is not contactable at the point a search is performed, host2 will be contacted and the result returned correctly but ldapsearch then hangs indefinitely and the server's debug (level 1) output spews the following messages endlessly: ldap_sasl_bind ldap_send_initial_request ldap_int_poll: fd: 10 tm: 0 502a4634 conn=1001 op=1 <<< meta_search_dobind_init[0]=4 502a4634 conn=1001 op=1 >>> meta_search_dobind_init[0] Here's the relevant portion of slapd.conf: database meta suffix dc=local rootdn cn=administrator,dc=local rootpw secret network-timeout 3 uri ldap://host1:3268/ou=dc1,dc=local uri ldap://host2:3268/ou=dc1,dc=local uri ldap://host3:3268/ou=dc1,dc=local suffixmassage "ou=dc1,dc=local" "dc=example,dc=com" idassert-bind bindmethod=simple binddn="cn=proxyuser,dc=example,dc=com" credentials="password" idassert-authzfrom "dn.exact:cn=administrator,dc=local" Am I doing something wrong or has the bug described in ITS#7050 crept back in? -- Liam Gretton liam.gretton(a)le.ac.uk HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

3 13

Status of rfc2307bis?
by Pierre Girard 18 Aug '12

18 Aug '12

Hello, When I look at the list of included schema with openldap (http://www.openldap.org/doc/admin24/schema.html#Distributed Schema Files) rfc2307bis isn't listed. What is the status of that schema, is it obsolete? If I understand correctly, it expired in 2009. Is that correct? What we want to do is setup an LDAP server only to put automount information, what would be the proper way of doing that, use the nis.schema? Any recommendation? Thanks for your help.

1 0

syncrepl and glued databases
by Uwe Werler 17 Aug '12

17 Aug '12

Hello List, is it OK to glue a database via replication from different suffixes together? What I tried: syncrepl rid=010 provider=ldap://master01 searchbase="dc=example,dc=com" keepalive=300:5:5 retry="10 10 300 10 600 +" binddn="cn=syncuser,dc=example,dc=com" bindmethod=simple schemachecking=off credentials=secret scope=sub attrs="*,+" type=refreshAndPersist syncrepl rid=020 provider=ldap://master02 searchbase="ou=glue1" keepalive=300:5:5 retry="10 10 300 10 600 +" binddn="cn=syncuser,dc=example,dc=com" bindmethod=simple schemachecking=off credentials=secret scope=sub type=refreshAndPersist attrs="*,+" suffixmassage="ou=glue2,dc=example,dc=com" syncrepl rid=030 provider=ldap://master03 searchbase="ou=glue2" keepalive=300:5:5 retry="10 10 300 10 600 +" binddn="cn=syncuser,dc=example,dc=com" bindmethod=simple schemachecking=off credentials=secret scope=sub type=refreshAndPersist attrs="*,+" suffixmassage="ou=glue2,dc=example,dc=com" This seems to work. Is this OK? Or should I use the traditional way with subordinate and glued databases? Background: this replica should be the sync master for a bunch of other hosts. Thanks for any hint. Regards Uwe

1 0

ldappasswd gives error ldap_sasl_interactive_bind_s: No such attribute (16)
by Jeffrey Parker 17 Aug '12

17 Aug '12

I cannot seem to find anything helpful about this issue. I had it working before when I first setup OpenLDAP and I have not changed any settings since then. The only thing I can seem to find is suggestion saying to use -x when running ldappasswd. When I use -x I get the error below Result: Strong(er) authentication required (8) Additional info: only authenticated users may change passwords I am running OpenLDAP, I am not sure what version but it is somewhat new. It is running on Turnkey Linux (ubuntu 10.04 based) and is in a virtual machine.

2 1

Lazy ACLs and keeping your DIT as flat as possible
by Gavin Henry 16 Aug '12

16 Aug '12

Hi All, I'm pretty sure that this isn't possible, but wanted to check as my head hurts now. I have dynamic lists using slapo-dynlist with the Organization attribute of 'o' and I am trying to keep my DIT as flat as possible. I want to create an ACL that is "by group", which is fine. But....I don't want to hardcode a group. I want to "capture" o via a regex and use that in the "by group" like so: access to dn.subtree="ou=Users,dc=suretec,dc=co,dc=uk" attrs=o val.regex="(.+)" attrs=children,entry by group.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read by self write or something like the following using a previous capture: access to filter=(&(objectClass=inetOrgPerson)(o=$1)) by group/groupOfURLs/memberURL.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read by self write by * none Issue is you can't pass captures between "access by" statements and my ACLs are flawed based on what you're searching for, which would be perfect. The goal being users in the same group can only see users on ou=Users of that group, with out hard coding group name in the conf. I guess I'll have to create branches to split up users. Then again, I'm adding a group to ou=Groups, why shouldn't I at the same time add a new ACL via cn=config? Cheers. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretec.co.uk Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie, Aberdeenshire, AB51 8GL. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html Do you know we have our own VoIP provider called SureVoIP? See http://www.surevoip.co.uk Did you see our API? http://www.surevoip.co.uk/api

1 1

pass-through authentication and base64
by sergio 16 Aug '12

16 Aug '12

Hello. Is it possible to ask openldap not to encode magic tokens for pass-through authentication? Now ldapsearch shows: userPassword:: e1NBU0x9dXNlcm5hbWVAcmVhbG0K== but I'd like to see: userPassword:: {SASL}username@realm instead. -- sergio.

7 16

Fwd: pass-through authentication and base64
by Brett Maxfield 16 Aug '12

16 Aug '12

> This decodes ok as > > {SASL}username@realm > > (omit the trailing ==, before decoding) > > So you mean to delegate auth to a sasl realm called 'realm', containing a user called 'username' ? > > Have you literally added this example value to an ldap entry and dumped it with slapcat ? > > On 15/08/2012, at 10:22 PM, sergio <mailbox(a)sergio.spb.ru> wrote: > >> On 08/15/2012 06:12 PM, Emmanuel Lécharny wrote: >> >>> e1NBU0x9dXNlcm5hbWVAcmVhbG0K== >> >> ONCE AGAIN: >> >> This is my bad example. Real values in the database have no newline or >> some other non-ASCII non printable characters. >> >> It even can't be correctly decoded. >> >> >> -- >> sergio. >

1 0

openldap 2.2 - slapd monitor not showing cachesize, dncachsize etc.
by ping-shin ching 16 Aug '12

16 Aug '12

Hi, I've configured slapd.conf for monitoring with the config below. The backend is bdb ====database monitoraccess to * by * read==== Now when I do the search below, I see a lot of information, but do not see the attibutes 'cachesize', 'dncachesize' etc. ldapsearch -x -D 'cn=Manager,o=bigpond,c=au' -W -b 'cn=Monitor' -s base '(objectClass=*)' '*' '+' version: 1dn: cn=MonitorobjectClass: monitorServerstructuralObjectClass: monitorServercn: Monitordescription: This subtree contains monitoring/managing objects.description: This object contains information about this server.createTimestamp: 20120814040144ZmodifyTimestamp: 20120814040144ZmonitoredInfo: @(#) $OpenLDAP: slapd 2.2.30- (Aug 13 2012 11:53:25) $subschemaSubentry: cn=SubschemahasSubordinates: TRUE dn: cn=Overlay,cn=MonitorobjectClass: monitorContainerstructuralObjectClass: monitorContainercn: OverlaycreateTimestamp: 20120814040144ZmodifyTimestamp: 20120814040144ZsubschemaSubentry: cn=SubschemahasSubordinates: FALSE

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2012