LDAP Entry with gecos
by rodrigo tavares
Hello!
I created one Samba user with the command:
smbldap-useradd -a xbox -c "Game XBOX" -S "Sell games" -d /home/xbox -s /bin/false
Then I typed:
smbldap-passwd xbox # set the LDAP user's password
smbpasswd -a xbox # create the Samba user
So I can log in to my domain.
I checked the gecos attribute; it is: SystemUser.
After I log in to the domain, the top menu in Windows shows: System User.
I changed this gecos value, but at each login the gecos shows System User.
It never changes.
The command in line 2 does not define gecos in LDAP; it gives the default "System user".
If I change the gecos value in LDAP before the first login, the gecos has the correct value.
Any suggestion?
Thanks.
Rodrigo Faria
11 years, 1 month
openldap + qmail + openbsd
by Friedrich Locke
Dear fellows,
I am planning to build a mail server and would like to use the
following technologies:
OpenBSD 5.1 amd64
qmail-ldap-1.03-20120221
qmail-1.03
Does anybody here run an environment like this?
Are you aware of buggy stuff like OpenLDAP eating all system memory
while qmail connects/disconnects to it (slapd)?
Is there any problem with the latest LDAP patch release being applied
to stock qmail-1.03?
Thanks a lot for your time and cooperation.
[]s gustavo.
PS: Anyone from Brazil on this mailing list? Using such technologies?
11 years, 1 month
got into a "checksum error" situation
by Jeff Dickens
I was following an Ubuntu howto at
https://help.ubuntu.com/12.04/serverguide/openldap-server.html, which has
served me well so far, and I was working on the part where TLS is set up.
I made an LDIF file like:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/grackle_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/grackle_slapd_key.pem
and, well, I blew it. I initially had a typo in it, and the server cert
and key weren't where I said they were.
I ran ldapmodify to load the ldif file above:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
Then I tried to restart slapd, and perhaps unsurprisingly it did not
restart.
Aug 8 16:41:30 grackle slapd[1660]: @(#) $OpenLDAP: slapd (Jul 26 2012 00:10:41) $#012#011buildd@aatxe:/build/buildd/openldap-2.4.28/debian/build/servers/slapd
Aug 8 16:41:30 grackle slapd[1660]: main: TLS init def ctx failed: -1
Aug 8 16:41:30 grackle slapd[1660]: slapd stopped.
Aug 8 16:41:30 grackle slapd[1660]: connections_destroy: nothing to destroy.
So I thought I'd just fix my LDIF file, which I did, and then run ldapmodify
again. But no, that clearly wasn't going to work because slapd wasn't
running. Not knowing what else to do, I removed the lines containing
"olcTLS" from /etc/ldap/slapd.d/cn=config.ldif. Then I was able to restart
slapd (congratulating myself) and then re-ran my ldapmodify command to
enter the correct locations of the cert and key. But I still get a
checksum error in syslog:
Aug 8 17:04:53 grackle slapd[2028]: slapd starting
Aug 8 17:05:01 grackle slapd[2028]: ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config.ldif"
I haven't even tried to see if I have TLS working, but I have two questions:
#1. How should I have recovered from this (human) error? What I did
didn't seem to work out very well.
and
#2. How do I un-screw my config and resolve the checksum problem?
Thanks in advance for any assistance.
--
Jeff Dickens
IT Manager 978-632-1513
11 years, 1 month
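For the checksum problem in the post above, here is an added example script (mine, not from the thread, the Ubuntu guide, or the OpenLDAP project) that recomputes the "# CRC32" header slapd keeps on each file under slapd.d/. It assumes, from my reading of back-ldif's ldif.c, that the hex value after "# CRC32 " is a standard CRC-32 over every byte that follows that line; deleting the olcTLS lines by hand left the old value in place, which is exactly the "ldif_read_file: checksum error" that syslog shows. Check that assumption against the ldif.c of your own build before relying on it. The SAMPLE file is constructed for the demonstration.

```python
"""Recompute the '# CRC32' header that slapd's back-ldif keeps on each
file under slapd.d/.  Added example, not part of the original thread.

Assumption (from reading back-ldif/ldif.c; verify against your version):
the hex value on the '# CRC32' line is a standard CRC-32 over every byte
that follows that line, so editing the body by hand without updating the
line produces the "ldif_read_file: checksum error" seen in the post.
"""
import zlib

AUTOGEN_LINE = "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_PREFIX = "# CRC32 "


def split_header(text):
    """Return (header_lines, body): body is everything after the CRC32 line."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines[:2]):        # header is at most two lines
        if line.startswith(CRC_PREFIX):
            return lines[: i + 1], "".join(lines[i + 1:])
    raise ValueError("no '# CRC32' line: slapd does not checksum this file")


def body_crc32(body):
    """Hex CRC-32 of the body, formatted the way slapd writes it (%08x)."""
    return "%08x" % (zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF)


def crc_is_valid(text):
    """True when the stored checksum matches the file body."""
    header, body = split_header(text)
    stored = header[-1][len(CRC_PREFIX):].strip().lower()
    return stored == body_crc32(body)


def fix_crc(text):
    """Return the file with its CRC32 line rewritten; the body is untouched."""
    header, body = split_header(text)
    header[-1] = CRC_PREFIX + body_crc32(body) + "\n"
    return "".join(header) + body


# Constructed sample: a cn=config.ldif from which the olcTLS* lines were
# deleted by hand, leaving the old (now stale) checksum in place.
SAMPLE = (
    AUTOGEN_LINE
    + "# CRC32 deadbeef\n"
    + "dn: cn=config\n"
    + "objectClass: olcGlobal\n"
    + "cn: config\n"
    + "olcLogLevel: stats\n"
    + "structuralObjectClass: olcGlobal\n"
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:                      # fix a real file in place
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if crc_is_valid(text):
            print("checksum already correct:", path)
        else:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(fix_crc(text))
            print("checksum rewritten:", path)
    else:                                      # demonstrate on the sample
        print("sample valid before fix:", crc_is_valid(SAMPLE))
        fixed = fix_crc(SAMPLE)
        print("sample valid after fix: ", crc_is_valid(fixed))
        print(fixed.splitlines()[1])
```

Run it as root with slapd stopped, e.g. saved as fixcrc.py (name assumed): python3 fixcrc.py /etc/ldap/slapd.d/cn=config.ldif. The file is truncated and rewritten through the same inode, so its owner and mode are kept. The supported route for an offline edit of cn=config is still slapcat -n 0 -l config.ldif, editing the dump, moving the old slapd.d aside and slapadd -n 0 -F /etc/ldap/slapd.d -l config.ldif, which regenerates the headers itself. The checksum is only a guard against hand edits, not an integrity control.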
Virtual view using slapd-relay: dn mapping failure
by Guillaume Rousse
Hello list.
I'm trying to provide a virtual view of the user branch in my legacy
LDAP directory. Basically, the real branch uses 'localLogin' as the login
attribute, and not 'uid' as usual, which unfortunately breaks hard-coded
rules in some applications.
This configuration creates a virtual 'ou=users' branch, mapped on actual
'ou=people', with real 'localLogin' attribute mapped to 'uid', and real
'uid' one removed:
# virtual database
database relay
suffix ou=users,dc=domain
relay ou=people,dc=domain
overlay rwm
rwm-suffixmassage ou=people,dc=domain
rwm-map attribute uid localLogin
rwm-map attribute uid
access to dn.subtree="ou=users,dc=domain" attrs=userPassword
by anonymous auth
access to dn.subtree="ou=users,dc=domain"
by * read
# main database
database bdb
suffix "dc=domain"
However, the actual 'uid' attribute is also used as the RDN in the actual
branch, and the bind operation fails because the DN mapping is incomplete:
uid=rousse,ou=users,dc=domain -> uid=rousse,ou=people,dc=domain
Whereas I'd need this, where somethingelse is the value of the actual
'uid' attribute:
uid=rousse,ou=users,dc=domain -> uid=somethingelse,ou=people,dc=domain
I read the rwm man page carefully, but it is a bit tough to understand. So,
how am I supposed to achieve this?
--
BOFH excuse #219:
Recursivity. Call back if it happens again.
11 years, 1 month
(no subject)
by 非人協會
Dear All,
I am new to LDAP, and I would like your kind assistance in setting
up the directory.
We are working on moving our old LDAP server to a new OpenLDAP server. I have
installed OpenLDAP on Solaris 10 x86 successfully. However, I am not able
to browse the content using the LDAP browser; it shows "Invalid
Credentials".
This is what we changed in slapd.conf:
suffix "o=Cname"
rootdn "cn=Manager,ou=Dname,o=Cname"
rootpw password
This is what we have in slapd.ldif:
olcSuffix: o=Cname
olcRootDN: cn=Manager,ou=Dname,o=Cname
olcRootPW: password
Herewith is the debug log:
5021e2df daemon: activity on 1 descriptor
5021e2df slap_listener_activate(8):
5021e2df daemon: select: listen=7 active_threads=0 tvp=NULL
5021e2df >>> slap_listener(ldap:///)
5021e2df daemon: select: listen=8 busy
5021e2df daemon: listen=8, new connection on 12
5021e2df daemon: activity on 1 descriptor
5021e2df daemon: added 12r (active) listener=0
5021e2df conn=1002 fd=12 ACCEPT from IP=10.122.39.115:54220 (IP=0.0.0.0:389)
5021e2df daemon: waked
5021e2df daemon: select: listen=7 active_threads=0 tvp=NULL
5021e2df daemon: select: listen=8 active_threads=0 tvp=NULL
5021e2df daemon: activity on 1 descriptor
5021e2df daemon: activity on:5021e2df 12r5021e2df
5021e2df daemon: read activity on 12
5021e2df daemon: select: listen=7 active_threads=0 tvp=NULL
5021e2df connection_get(12)
5021e2df connection_get(12): got connid=1002
5021e2df connection_read(12): checking for input on id=1002
5021e2df daemon: select: listen=8 active_threads=0 tvp=NULL
ber_get_next
ldap_read: want=8, got=8
0000: 30 2f 02 01 04 60 2a 02 0/...`*.
ldap_read: want=41, got=41
0000: 01 03 04 1b 63 6e 3d 4d 61 6e 61 67 65 72 2c 6f ....cn=Manager,o
0010: 75 3d 44 6e 61 6d 65 2c 6f 3d 43 6e 61 6d 65 80 u=Dname,o=Cname.
0020: 08 70 61 73 73 77 6f 72 64 .password
ber_get_next: tag 0x30 len 47 contents:
ber_dump: buf=83e3f10 ptr=83e3f10 end=83e3f3f len=47
0000: 02 01 04 60 2a 02 01 03 04 1b 63 6e 3d 4d 61 6e ...`*.....cn=Man
0010: 61 67 65 72 2c 6f 75 3d 44 6e 61 6d 65 2c 6f 3d ager,ou=Dname,o=
0020: 43 6e 61 6d 65 80 08 70 61 73 73 77 6f 72 64 Cname..password
5021e2df op tag 0x60, time 1344398047
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5021e2df daemon: activity on 1 descriptor
5021e2df conn=1002 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=83e3f10 ptr=83e3f13 end=83e3f3f len=44
0000: 60 2a 02 01 03 04 1b 63 6e 3d 4d 61 6e 61 67 65 `*.....cn=Manage
0010: 72 2c 6f 75 3d 44 6e 61 6d 65 2c 6f 3d 43 6e 61 r,ou=Dname,o=Cna
0020: 6d 65 80 08 70 61 73 73 77 6f 72 64 me..password
ber_scanf fmt (m}) ber:
ber_dump: buf=83e3f10 ptr=83e3f35 end=83e3f3f len=10
0000: 00 08 70 61 73 73 77 6f 72 64 ..password
5021e2df >>> dnPrettyNormal: <cn=Manager,ou=Dname,o=Cname>
5021e2df daemon: waked
=> ldap_bv2dn(cn=Manager,ou=Dname,o=Cname,0)
<= ldap_bv2dn(cn=Manager,ou=Dname,o=Cname)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=Manager,ou=Dname,o=Cname)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,ou=dname,o=cname)=0
5021e2df <<< dnPrettyNormal: <cn=Manager,ou=Dname,o=Cname>,
<cn=manager,ou=dname,o=cname>
5021e2df conn=1002 op=0 BIND dn="cn=Manager,ou=Dname,o=Cname" method=128
5021e2df daemon: select: listen=7 active_threads=0 tvp=NULL
5021e2df do_bind: version=3 dn="cn=Manager,ou=Dname,o=Cname" method=128
5021e2df daemon: select: listen=8 active_threads=0 tvp=NULL
5021e2df ==> bdb_bind: dn: cn=Manager,ou=Dname,o=Cname
5021e2df bdb_dn2entry("cn=manager,ou=dname,o=cname")
5021e2df => bdb_dn2id("o=cname")
5021e2df <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
5021e2df send_ldap_result: conn=1002 op=0 p=3
5021e2df send_ldap_result: err=49 matched="" text=""
5021e2df send_ldap_response: msgid=4 tag=97 err=49
ber_flush2: 14 bytes to sd 12
0000: 30 0c 02 01 04 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 04 61 07 0a 01 31 04 00 04 00 0....a...1....
5021e2df conn=1002 op=0 RESULT tag=97 err=49 text=
5021e2df daemon: activity on 1 descriptor
5021e2df daemon: activity on:5021e2df 12r5021e2df
5021e2df daemon: read activity on 12
5021e2df daemon: select: listen=7 active_threads=0 tvp=NULL
5021e2df connection_get(12)
5021e2df connection_get(12): got connid=1002
5021e2df daemon: select: listen=8 active_threads=0 tvp=NULL
5021e2df connection_read(12): checking for input on id=1002
ber_get_next
ldap_read: want=8 error=Connection reset by peer
5021e2df ber_get_next on fd 12 failed errno=131 (Connection reset by peer)
5021e2df connection_read(12): input error=-2 id=1002, closing.
5021e2df connection_closing: readying conn=1002 sd=12 for close
5021e2df connection_close: conn=1002 sd=12
5021e2df daemon: removing 12
5021e2df daemon: activity on 1 descriptor
5021e2df conn=1002 fd=12 closed (connection lost)
5021e2df daemon: waked
5021e2df daemon: select: listen=7 active_threads=0 tvp=NULL
5021e2df daemon: select: listen=8 active_threads=0 tvp=NULL
Any help would be greatly appreciated.
Thanks and Regards,
Donald
11 years, 1 month
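To make the debug dump above readable, here is an added example (mine, not from the post or from OpenLDAP) that decodes the two PDUs it contains: the client's BindRequest and slapd's BindResponse. The byte strings are copied from the ldap_read and ber_flush2 hex dumps in the log; the decoder is a minimal BER reader for just these two PDUs, not a general ASN.1 library. Two things worth seeing: the simple bind carries the password in the clear (it is readable in the dump, and was pasted to the list with it), and the err=49 comes back after slapd went into the bdb backend and looked the DN up as an ordinary entry (bdb_dn2id on o=cname returned DB_NOTFOUND, so the suffix entry does not even exist), rather than the bind being answered as a rootdn bind. The rootpw in both config snippets is a cleartext literal; slappasswd produces a {SSHA} hash that can be used in its place.

```python
"""Decode the BindRequest / BindResponse bytes that slapd printed in the
debug dump above.  Added example, not code from the post or from OpenLDAP.

The two byte strings are copied from the ldap_read / ber_flush2 hex dumps
in the log; the decoder is a minimal BER reader for these LDAP PDUs only.
"""

# From the post's ldap_read dumps (8 + 41 bytes): the client's bind.
BIND_REQUEST = bytes.fromhex(
    "30 2f 02 01 04 60 2a 02 01 03 04 1b "
    "63 6e 3d 4d 61 6e 61 67 65 72 2c 6f 75 3d 44 6e 61 6d 65 2c 6f 3d 43 6e 61 6d 65 "
    "80 08 70 61 73 73 77 6f 72 64"
)
# From the post's ber_flush2 dump (14 bytes): the server's answer.
BIND_RESPONSE = bytes.fromhex("30 0c 02 01 04 61 07 0a 01 31 04 00 04 00")

# Subset of RFC 4511 result codes relevant to a bind.
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 34: "invalidDNSyntax", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}


def read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos).

    LDAP uses definite lengths only (RFC 4511 5.1), so the indefinite
    form (0x80) is rejected; long-form lengths are handled.
    """
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out


def decode_ldap_message(raw):
    """Decode an LDAPMessage carrying a BindRequest (0x60) or BindResponse (0x61)."""
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    (_, msg_id), (op_tag, op_val) = children(body)[:2]
    msg = {"messageID": int.from_bytes(msg_id, "big")}
    if op_tag == 0x60:                      # BindRequest ::= [APPLICATION 0]
        (_, version), (_, name), (auth_tag, auth_val) = children(op_val)
        msg.update(op="BindRequest", version=version[0], name=name.decode())
        if auth_tag == 0x80:                # simple [0]: the password travels in the clear
            msg.update(auth="simple", password=auth_val.decode())
        elif auth_tag == 0xA3:              # sasl [3]
            msg.update(auth="sasl")
    elif op_tag == 0x61:                    # BindResponse ::= [APPLICATION 1]
        (_, code), (_, matched), (_, diag) = children(op_val)[:3]
        rc = int.from_bytes(code, "big")
        msg.update(op="BindResponse", resultCode=rc,
                   result=RESULT_CODES.get(rc, "unknown"),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    else:
        msg.update(op="protocolOp tag 0x%02x" % op_tag)
    return msg


if __name__ == "__main__":
    for pdu in (BIND_REQUEST, BIND_RESPONSE):
        print(decode_ldap_message(pdu))
```

The request decodes to messageID 4, version 3, name cn=Manager,ou=Dname,o=Cname with simple authentication and the literal password; the response to messageID 4 with resultCode 49 (invalidCredentials) and empty matchedDN and diagnosticMessage, which is what the "RESULT tag=97 err=49 text=" line summarises. Anyone running slapd -d at this level should treat the log as containing credentials and redact it before posting it.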
sasl bind error -1 because of socket error 54
by Max Kunz
Hello,
I try to bind to a server using the ldap_sasl_bind_s function. The host is not localhost, but is accessible via the internet. I've tested the connection with a Java-based LDAP browser. When I try to do this using my simple C++ program, it fails with error -1.
Here is what the program actually does:
#include <ldap.h>
#include <string.h>
LDAP *ld = NULL;
int version = LDAP_VERSION3, require_cert = LDAP_OPT_X_TLS_NEVER;  /* NEVER = no certificate verification at all */
struct berval credential = { strlen(password), (char *) password }; /* simple-bind password */
struct berval *serverReturnedCredentials = NULL;
//initialize returns success
result = ldap_initialize( &ld, host);
//ldap_set_option takes a pointer to the value, not the value itself
result = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version);
//set this option only after successful bind? (it must be set before any TLS handshake starts)
result = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &require_cert);
//the synchronous bind function returns -1 server down
result = ldap_sasl_bind_s(ld, root_dn, LDAP_SASL_SIMPLE, &credential, NULL,NULL, &serverReturnedCredentials);
When I use the asynchronous ldap_sasl_bind() function, it returns 0 (LDAP_SUCCESS). (I'm also able to create a simple socket to this particular server and port.) The error -1 comes from the following ldap_result() function. The problem here is that the socket throws a sock_errno 54 (connection reset by peer).
Does someone have an idea why the connection always gets disturbed?
Thanks for any help
best regards, Max
11 years, 1 month
Referral to single attributes
by Florian Götz
Hi,
maybe someone has experienced the same problem. Take the following example.
You would like to use one LDAP server (replicated of course) for
multiple Domains. Like
ou=users,ou=department1,dc=company,dc=de
ou=users,ou=department2,dc=company,dc=de
ou=users,ou=maindep,dc=company,dc=de
...
Each department has its own domain, all users are part of maindep, some
of those users are part of dep1 too and some of dep2.
So you have the maindep tree for general use (uid and password for
things like mail, VPN and a general-purpose domain) and the smaller
dep1 or dep2 for use with the workstations of the department. The
uid of a user is always the same across the trees
(uid=mikecharlie,ou=dep1,... = uid=mikecharlie,ou=maindep).
The single departments are responsible for their users (creation and
deletion of accounts in their subtrees).
The maindep tree gets managed by IT center staff.
Now every department could work with their domain and users (and only
those), but all users would have a general "account" for stuff that
doesn't belong to their department alone.
The big problem is the sync of the passwords from subtree to subtree
(dep1 to maindep or dep2 to maindep).
Our users get confused if they have password1 for the login at a
workstation and password2 for mail etc.
But the departments want to have their own domains where they have
control over who is able to log in or not, BUT they want to have synchronized
passwords.
Is there a possibility to refer to single attributes?
Like uid=mikecharlie,ou=dep1,dc=company,dc=de -> userPassword -> look at
uid=mikecharlie,ou=maindep,dc=hs-mannheim,dc=de -> userPassword.
Best regards
Flo
--
Mit freundlichen Grüßen
Florian Götz
-----------------------------------------------------------------
Dipl.-Inf. (FH) Florian Götz
Rechenzentrum Hochschule Mannheim
Paul-Wittsack-Straße 10
68163 Mannheim
Tel: 0621/292-6232
EMail: f.goetz(a)hs-mannheim.de
Internet: http://www.rz.hs-mannheim.de
-----
11 years, 1 month
MDB configuration admin guide
by Yajuvendra Singh
Hi Experts,
I have just started working on OpenLDAP and have configured my OpenLDAP with MDB.
I am not able to locate the MDB configuration and admin guide which talks
about administration of OpenLDAP with MDB.
I am not clear about the configuration or changes I need to make to change my
release from BDB to MDB.
Can anyone point me to where I can find these documents?
Thanks and Regards,
Yajuvendra
11 years, 1 month
personalization
by Jignesh Patel
I have a requirement to support personalization. I didn't find many
articles on how to do that. Please point me to some articles related to it.
-Jignesh
11 years, 1 month
ACL processing: subtractive privs (using control continue)
by Dora Paula
Hi List,
just another short question regarding incremental privileges, given the
following ACL:
access to dn.subtree="o=test" attrs=description
by self =dxcsraz continue
by users -z
by * none
Subtracting "z" results in the access mask "=dxcsr". As I expected the
resulting access mask to be "=dxcsra", I would like to know whether
"=dxcsr" is the correct result, and if so, why?
Many thanks again!
A small testbed containing sample ldif data, ldapmodify test command and
the produced slapd.log (level 128) follows here:
sample ldif data:
===============
dn: o=test
objectClass: organization
objectClass: top
o: test
dn: ou=persons,o=test
objectClass: organizationalUnit
objectClass: top
ou: persons
dn: cn=PersonA,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonA
sn: PersonA
userPassword:: UGVyc29uQQ==
test command using ldapmodify:
=============================
deepee@test:~$ /opt/openldap-acl/bin/ldapmodify -x -H
"ldap://localhost:1389" -D "cn=PersonA,ou=persons,o=test" -w PersonA <<EOF
dn: cn=PersonA,ou=persons,o=test
changetype: modify
add: description
description: PersonA1
EOF
modifying entry "cn=PersonA,ou=persons,o=test"
ldap_modify: Insufficient access (50)
slapd.log level 128:
=================
501fb8b7 => access_allowed: result not in cache (userPassword)
501fb8b7 => access_allowed: auth access to "cn=PersonA,ou=persons,o=test" "userPassword" requested
501fb8b7 => dn: [1] o=test
501fb8b7 => acl_get: [1] matched
501fb8b7 => acl_get: [2] attr userPassword
501fb8b7 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "userPassword" requested
501fb8b7 => acl_mask: to value by "", (=0)
501fb8b7 <= check a_dn_pat: self
501fb8b7 <= check a_dn_pat: users
501fb8b7 <= check a_dn_pat: anonymous
501fb8b7 <= acl_mask: [3] applying auth(=xd) (stop)
501fb8b7 <= acl_mask: [3] mask: auth(=xd)
501fb8b7 => slap_access_allowed: auth access granted by auth(=xd)
501fb8b7 => access_allowed: auth access granted by auth(=xd)
501fb8b7 => access_allowed: result not in cache (description)
501fb8b7 => access_allowed: add access to "cn=PersonA,ou=persons,o=test" "description" requested
501fb8b7 => dn: [1] o=test
501fb8b7 => acl_get: [1] matched
501fb8b7 => acl_get: [1] attr description
501fb8b7 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "description" requested
501fb8b7 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501fb8b7 <= check a_dn_pat: self
501fb8b7 <= acl_mask: [1] applying =wrscxd (continue)
501fb8b7 <= acl_mask: [1] mask: =wrscxd
501fb8b7 <= check a_dn_pat: users
501fb8b7 <= acl_mask: [2] applying -z (stop)
501fb8b7 <= acl_mask: [2] mask: =rscxd
501fb8b7 => slap_access_allowed: add access denied by =rscxd
501fb8b7 => access_allowed: no more rules
BTW: Replacing the first by clause with "self write" or "self =dxcsrw"
also results in "=dxcsr".
JFF: Replacing the second by clause with "users -a", the test results
in the above mask (=dxcsr), too.
11 years, 1 month