openldap-technical February 2013

openldap-technical@openldap.org

68 participants
72 discussions

How to search for all the dynamic groups a member belongs to?
by Carlos Santos 21 Feb '13

21 Feb '13

Hello to all of you, So, the situation is the following: I have a dynamic group (objectClass: groupOfURLs) and on my ldap filter I fetch the users UID. When I access the content of the group, there are a set of members there, one of them is testUser1, but when I search for (&(objectClass=groupOfURLs)(uid=testUser1)) the search result is empty. However when I search for an attribute which is native to the class, such as owner, the search returns the group. Is it possible for an ldap search to return the dynamic groups a user belongs to? -- cumprimentos, Carlos Santos

2 1

paged search fails through proxy
by Eimar Koort 20 Feb '13

20 Feb '13

Hi, I'm a bit in dead end. Scenario: Active Direcotory & openldap (2.4.33) proxy. Paged search through proxy is not working. I'm not sure about this OID "1.2.840.113556.1.4.1339". OpenLdap ldap.h tells that this oid is LDAP_CONTROL_X_DOMAIN_SCOPE. According to O'Reilly AD cookbook: "No referrals generated" with longer description "Informs the server not to generate any referrals in a search response". May this be the reason for paged search to fail? Same query runs without any problems directly within Active Directory domain controller's. As i read from google, it should be possible to make paged search work, but i can't figure it out how. eimar@box: /tmp > ldapsearch -LLL -H ldaps://olp-test.example.ee -P 3 -E pr=500/noprompt -D "CN=ldap-auth,CN=Users,DC=example,DC=ee" -W -b "ou=workers,dc=example,dc=ee" "(objectClass=person)" samaccountname -s sub > results.txt Enter LDAP Password: Size limit exceeded (4) eimar@box: /tmp > grep dn\: results.txt | wc -l 1000 which is the default search limit in AD. Openldap proxy log: Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10) Feb 20 12:45:27 olp-test slapd[1788]: send_ldap_result: err=0 matched="" text="" Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10) Feb 20 12:45:27 olp-test slapd[1788]: SRCH "ou=workers,dc=example,dc=ee" 2 0 Feb 20 12:45:27 olp-test slapd[1788]: 0 0 0 Feb 20 12:45:27 olp-test slapd[1788]: filter: (objectClass=person) Feb 20 12:45:27 olp-test slapd[1788]: attrs: Feb 20 12:45:27 olp-test slapd[1788]: samaccountname Feb 20 12:45:27 olp-test slapd[1788]: 1.1 Feb 20 12:45:27 olp-test slapd[1788]: sub Feb 20 12:45:27 olp-test slapd[1788]: Feb 20 12:45:27 olp-test slapd[1788]: conn=1007 op=1: non-critical control "1.2.840.113556.1.4.1339" not supported; stripped. Feb 20 12:45:27 olp-test slapd[1788]: => ldap_back_munge_filter "(objectClass=person)" Feb 20 12:45:27 olp-test slapd[1788]: <= ldap_back_munge_filter "(objectClass=person)" (0) Feb 20 12:45:27 olp-test slapd[1788]: send_ldap_result: err=4 matched="" text="" Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10) And here is my slapd.conf: olp-test /usr/local/etc/openldap # cat slapd.conf include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args sizelimit unlimited #limits * size.pr=unlimited size.prtotal=unlimited modulepath /usr/local/libexec/openldap moduleload back_bdb moduleload back_ldap loglevel 4 TLSCipherSuite ALL:!ADH:@STRENGTH TLSCACertificateFile /usr/local/etc/openldap/certs/cert.crt TLSCertificateFile /usr/local/etc/openldap/certs/cert.crt TLSCertificateKeyFile /usr/local/etc/openldap/certs/cert.pem TLSVerifyClient try database ldap suffix "dc=example,dc=ee" rootdn "dc=example,dc=ee" uri "ldaps://dc1.example.ee:636/" idassert-bind bindmethod=simple binddn="CN=LDAP-Auth,CN=Users,DC=example,DC=ee" credentials="somepw" mode=anonymous flags=override idassert-authzFrom "dn.regex:.*" overlay pcache readonly on proxycache bdb 3500 1 50 1200 directory /var/db/openldap-data index cn,sn,uid eq,sub index objectclass eq proxycachequeries 400 proxyattrset 0 uid mail cn sn givenName proxytemplate (uid=) 0 600 proxytemplate (mail=) 0 600 proxytemplate (&(uid=)(mail=)) 0 600 Regards -- Eimar Koort ( eimar.koort(a)gmail.com )

1 0

modifying cn=config - Invalid credentials (49)
by Asmaa Ahmed 20 Feb '13

20 Feb '13

Hi, I am trying to modify cn=config, but I don't understand why It doesn't work any more. root@auth-dev:/etc/ldap# ldapsearch -v -x -D 'cn=admin,cn=config' -W ldap_initialize( <DEFAULT> )Enter LDAP Password: ldap_bind: Invalid credentials (49)root@auth-dev:/etc/ldap# ldapsearch -v -x -D 'cn=admin,^C-W root@auth-dev:/etc/ldap# cat /etc/ldap/slapd.d/cn=config/olcDatabase\=\{0\}config.ldifdn: olcDatabase={0}configobjectClass: olcDatabaseConfigolcDatabase: {0}configolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * breakolcRootDN: cn=admin,cn=configstructuralObjectClass: olcDatabaseConfigentryUUID: 7904eb62-0b79-1032-92e0-3d0a3fa53956creatorsName: cn=configcreateTimestamp: 20130215050825ZentryCSN: 20130215050825.984665Z#000000#000#000000modifiersName: cn=configmodifyTimestamp: 20130215050825Z Thanks.

4 10

Compile openldap library with GSSAPI enabled
by Michele 20 Feb '13

20 Feb '13

Hi all, I'm trying to build OpenLDAP enabling the GSSAPI module, but I can't find any reference on that in the configure file. I'm doing that because I'm writing a client program that want to login to a Windows AD via kerberos. Any help is appreciated.

3 6

ldapi without TLS and ldap with TLS?
by Patrick Lists 20 Feb '13

20 Feb '13

Hi, I'm tying achieve the following with OpenLDAP RE24 from last week: Connections on ldapi:/// are plain text and ldap connections require TLS with client cert auth. I thought I could do that with: # global configuration settings dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap34/slapd34.args olcPidFile: /var/run/openldap34/slapd34.pid olcLogFile: /var/log/openldap34/slapd34.log olcLogLevel: -1 olcTLSCACertificateFile: /etc/pki/tls/certs/ca.crt olcTLSCertificateFile: /etc/pki/tls/certs/server.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/server.key olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH olcTLSVerifyClient: demand <--- olcLocalSSF: 0 <--- olcSecurity: tls=256 <--- Since I'm seeing the error below clearly I thought wrong: 5121a107 >>> slap_listener(ldapi:///) 5121a107 daemon: listen=11, new connection on 15 5121a107 daemon: added 15r (active) listener=(nil) 5121a107 conn=1009 fd=15 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi) [snip] 5121a107 conn=1009 op=0 BIND dn="cn=ReadOnly,dc=example,dc=com" method=128 5121a107 do_bind: version=3 dn="cn=ReadOnly,dc=example,dc=com" method=128 5121a107 send_ldap_result: conn=1009 op=0 p=3 5121a107 send_ldap_result: err=13 matched="" text="TLS confidentiality required" [snip] 5121a107 conn=1009 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Anyone have an idea how I can achieve my goal? Thanks! Patrick

2 4

Problem in user authentication with LDAP + SSSD
by Cristiane França 19 Feb '13

19 Feb '13

Hi, I'm an authentication problem with my server CentOS 6.3, there are installer LDAP (openldap-2.4.23-26) and SSSD (sssd-1.8.0-32). The LDAP server is working fine but the integration between LDAP + SSSD has a problem because it can not authenticate the user on the server Can anyone help me identify the problem? I've revised all the configuration and found nothing wrong. ::::: slapd.conf ::::: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/servercrt.pem TLSCertificateKeyFile /etc/openldap/serverkey.pem access to * by self write by users auth by anonymous read database bdb suffix "dc=domain,dc=com,dc=br" checkpoint 1024 15 rootdn "cn=Manager,dc=domain,dc=com,dc=br" rootpw xxxxxxxxxx directory /database/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub database monitor loglevel 768 ::::: sssd.conf ::::: [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = default [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 debug_level = 8 [domain/default] ldap_tls_reqcert = never auth_provider = ldap ldap_id_use_start_tls = False chpass_provider = ldap krb5_realm = EXAMPLE.COM cache_credentials = True debug_timestamps = True ldap_default_authtok_type = password ldap_search_base = dc=domain,dc=com,dc=br debug_level = 9 id_provider = ldap ldap_default_bind_dn = cn=Manager,dc=domain,dc=com,dc=br min_id = 100 ldap_uri = ldap://localhost/ krb5_kdcip = kerberos.example.com ldap_default_authtok = xxxxxxxxxx ldap_tls_cacertdir = /etc/openldap/cacerts :::: nsswitch.conf ::::: passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files sss publickey: nisplus automount: files ldap aliases: files nisplus LOG: Feb 18 14:50:01 primario slapd[16064]: conn=1119 op=185 SRCH base="dc=domain,dc=com,dc=br" scope=2 deref=0 filter="(&(uid=cristiane)(objectClass=posixAccount))" Feb 18 14:50:01 primario slapd[16064]: conn=1119 op=185 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap Feb 18 14:50:01 primario slapd[16064]: conn=1119 op=185 SEARCH RESULT tag=101 err=32 nentries=0 text= Thanks Cristiane

2 1

Where is the TLSCertificateFile in cn=config?
by Sascha Ziemann 19 Feb '13

19 Feb '13

I am looking for the right DN in the cn=config tree for the following options of the legacy slapd.conf file: TLSCertificateFile /path/to/server-certificate.pem TLSCertificateKeyFile /path/to/private-key.pem TLSCACertificateFile /path/to/CA-certificates Where do I have to put the path names? Maybe someone can update the FAQ: http://www.openldap.org/faq/data/cache/185.html

2 1

How to create cn=config DIT
by arantza serrano 18 Feb '13

18 Feb '13

Hello, I've installed my first openldap using the source downloaded in openldap web pages. when the make install finishs i don't find the cn=config DIT, it hasn't been created during intallation process. How can i created the cn=config directory after the installation? Sorry if i'm asking a foolishness Thanks

3 3

does openldap/hdb support transactions ?
by Benin Technologies 18 Feb '13

18 Feb '13

Hi, They say that Berkeley HDB is an ACID database, but does OpenLDAP support transactions ? And if yes, how do you start and commit/rollback a transaction ? Thanks Ben

3 2

User Private Groups
by Omar Hijab 18 Feb '13

18 Feb '13

Hello, Does openLDAP support User Private Groups by having memberOf return a fake self-group through some rewriting rule? Our campus has a SUN LDAP for user data that is not under our control. Our Mac and Linux clients use it for authentication. This server does not provide group management as a service. Because of this, we set up a separate openLDAP server to create/store groups. With clients bound to both servers, this works seamlessly. Because of this, we want our server to respond to memberOf queries with a fake private self-group in addition to legitimate groups the user is in, this without creating and storing private groups on our server. Is this do-able? Omar ----------------------------------------------------------------------- Omar Hijab Associate Dean for Faculty Affairs and Operations College of Science and Technology Temple University Email: hijab(a)temple.edu Web: http://www.cst.temple.edu/~hijab/ ------------------------------------------------------------------------

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2013