Double escaping \ in regex in slapo-constraint directives in slapd.conf
by Tim Watts
Could someone make sure I'm not going mad before I call this a bug?
In slapd.conf:
constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\.[a-z0-9\-]+)*$
stick this into ldapmodify and it is allowed:
replace: mail
mail: mrwibble-bble@example#com
This looks like the last \. is being parsed to . before the regex engine
sees it.
With this regex:
constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\\.[a-z0-9\-]+)*$
the constraint acts on mrwibble-bble@example#com
but allows
mrwibble-bble(a)example.com
which is correct.
Is this a bug in the code, a bug in man -S5 slapo-constraint
(which does not mention double escaping is necessary) or am I insane?
Makes me wonder what is happening with the \-
Hmm
Both:
constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\\.[a-z0-9\-]+)*$
and
constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\\.[a-z0-9\\-]+)*$
accept mrwibble-bble(a)example.c-o-m
I'll investigate further if someone would kindly rule out anything I may
have overlooked.
Cheers,
Tim
--
Tim Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
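The behaviour described in the post above is consistent with slapd.conf's tokenizer consuming one level of backslash escapes before the regex engine ever sees the pattern. The following script (an added example; it is not from the post and not OpenLDAP code) emulates that step as an assumption, then runs the resulting pattern with Python's `re`, which treats every construct in this particular regex the same way POSIX ERE does. `unescape_config_token`, `constraint_allows` and the sample addresses are all constructed for the example.

```python
import re

# ASSUMPTION (see lead-in): the slapd.conf tokenizer removes a backslash and
# keeps the character after it, so "\." reaches the regex engine as "." and
# "\\." reaches it as "\.". This function emulates only that.
def unescape_config_token(raw: str) -> str:
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])      # keep escaped char, drop the backslash
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def constraint_allows(raw_regex: str, value: str) -> bool:
    """True if value would pass a 'constraint_attribute ... regex <raw_regex>'
    directive, modelling the one-level unescape before matching."""
    pattern = unescape_config_token(raw_regex)
    return re.search(pattern, value) is not None


# The two directives from the post, exactly as they appear in slapd.conf.
SINGLE_ESCAPED = r"^[^@]+@[a-z0-9\-]+(\.[a-z0-9\-]+)*$"
DOUBLE_ESCAPED = r"^[^@]+@[a-z0-9\-]+(\\.[a-z0-9\-]+)*$"

# Constructed sample values mirroring the addresses tried in the post.
BAD_ADDRESS = "mrwibble-bble@example#com"
GOOD_ADDRESS = "mrwibble-bble@example.com"
HYPHEN_ADDRESS = "mrwibble-bble@example.c-o-m"


def escaping_report() -> dict:
    """What each directive becomes after unescaping, and what it accepts."""
    return {
        "single_sees": unescape_config_token(SINGLE_ESCAPED),
        "double_sees": unescape_config_token(DOUBLE_ESCAPED),
        "single_allows_bad": constraint_allows(SINGLE_ESCAPED, BAD_ADDRESS),
        "double_allows_bad": constraint_allows(DOUBLE_ESCAPED, BAD_ADDRESS),
        "double_allows_good": constraint_allows(DOUBLE_ESCAPED, GOOD_ADDRESS),
        "double_allows_hyphen": constraint_allows(DOUBLE_ESCAPED, HYPHEN_ADDRESS),
    }


if __name__ == "__main__":
    for key, val in escaping_report().items():
        print(f"{key}: {val}")
```

Under this model the single-escaped directive turns into `^[^@]+@[a-z0-9-]+(.[a-z0-9-]+)*$`, where the bare `.` matches `#`, which is exactly the observed acceptance of `example#com`. The `\-` case is harmless either way: once the backslash is stripped, the hyphen is the last character of the bracket expression, where POSIX treats it as a literal, so `[a-z0-9\-]` and `[a-z0-9\\-]` both end up matching hyphens, as the post's `example.c-o-m` test shows.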
Re: Mirror mode and cn=config replication
by John Baker
Thanks for the reply,
gnutls is a pain but we've been able to make it work and the boss hates it
when we use source so I'm kind of stuck with it as it is unless I can make
a better case than ssl.
So mirror mode is really defined by the load balancer in front? I guess
this is a bit confusing in the documentation because multi-master has a
more complex configuration.
As of right now then we are really using multi-master with two servers and
the very simple example configuration that's laid out under mirror mode at
http://www.openldap.org/doc/admin24/replication.html. But the plan is to
upgrade and put load balancing in front. And then we want to use a couple
of slaves with limited directories in front of those for constant lookups
from services like mail. We are trying to get the benefits of load balancing
for heavy writing without having one point of failure for critical services
that need a lot of lookups but no writes.
I'm testing a setup with the load balancer right now. Can schema changes in
cn=config be sent to the load balancer and slaves as well?
On Mon, Mar 4, 2013 at 4:00 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Monday, March 04, 2013 3:39 PM -0500 John Baker <johnnyb(a)marlboro.edu>
> wrote:
>
> Hi,
>>
>>
>> We have been using mirror mode for some time as a simple way for us to
>> have an up to date copy in case of a crash and load balancing. We have
>> been using the older slapd.conf configuration in Ubuntu Hardy and are now
>> moving up to 2.4.28 in Ubuntu Precise.
>>
>
> a) Don't use builds provided by Debian/Ubuntu. Build something sane
> linked to OpenSSL.
> b) Use a current release (2.4.34)
> c) There is no difference in configuration between "Mirror Mode" and MMR.
> They are the exact same thing configuration wise. The *only* difference is
> that with "mirror mode" you use some sort of balancer so that only a single
> server is available for writes at a given time.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
John Baker
Network Administrator
Marlboro College
Phone: 451-7551 Cell: 490-0066
Mirror mode and cn=config replication
by John Baker
Hi,
We have been using mirror mode for some time as a simple way for us to have
an up to date copy in case of a crash and load balancing. We have been
using the older slapd.conf configuration in Ubuntu Hardy and are now moving
up to 2.4.28 in Ubuntu Precise.
The documentation for N-way multi master mentions that cn=config can be
replicated. Can this be done in mirror mode as well?
The part I'm particularly trying to figure out is how schema and password
policy changes can be sent to both mirrors as well as the proxy and slaves
so that we don't have to add ldifs manually on each server.
--
John Baker
Network Administrator
Marlboro College
Phone: 451-7551 Cell: 490-0066
Combining AD and Local DB into single 'virtual' tree
by Mailing Lists
Hello,
I posted a question along these lines a few months ago and received
replies, but never understood enough to implement them. I've done more
research in the meantime and hopefully have learned enough to ask this
question intelligently.
I'm working on a project proposal for integrating Linux machines into a
Windows environment. The client is very concerned about their AD
environment and wants to do as little modification to it as possible
(preferably none).
What I'd like to propose is that we set up an OpenLDAP server that chains
to AD. If possible, I would like to use the OpenLDAP client's credentials
to bind to AD instead of having a dedicated user for the OpenLDAP <--> AD
connection. I believe this can be accomplished with the 'rebind-as-user'
option of the ldap backend (slapd-ldap). Is this correct?
Now here's where I think it gets tricky. We also need to be able to store
information for the Linux boxes in LDAP (samba winbind mappings for
example), but keep it separate from AD. I know that part of this would
require a dedicated LDAP database backend (slapd-bdb) to be configured, but
what confuses me is how to combine these two separate entities (the AD
proxy and this bdb database) into one 'virtual' backend that clients can
query against. Is this where slapd-translucent would come into play?
Finally, if I want to create OUs in the Linux LDAP database that contain
user DNs from AD, is that possible?
Any guidance, example solutions, or suggested reading is greatly
appreciated.
-Dave
Openldap doesn't force password change and other related problems
by Francesco Belli
Hello All,
I probably have something misconfigured on my openldap server, but it seems that this is not so easy to debug (for me).
I use openldap 2.4.23 with ppolicy and accesslog overlays.
I have the following behaviours:
- when pwdMustChange and pwdReset are set to true, after login, user is not prompted to change the password, however if I run:
[def_auditor@localhost fbelli]$ ldapwhoami -x -e ppolicy -D uid=def_auditor,ou=people,dc=pippo,dc=com -w ****** -ZZ -H ldap://mkernel
ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds)
dn:uid=def_auditor,ou=people,dc=pippo,dc=com
- When there are fewer than pwdExpireWarning seconds left and the user authenticates (bash shell or ldapsearch), he doesn't get any warning.
- When the password is expired and the user uses one of his pwdGraceAuthNLimit logins, he doesn't get any warning (but he will get locked out afterwards).
It looks like for some reason the openldap server doesn't send warnings back to the user. However, if the user tries to change the password to one that doesn't match the policy, he gets the correct warnings.
Following there is my standard password policy:
dn: ou=Policies,dc=aivp,dc=vtp
ou: Policies
description: Directory policies.
objectClass: organizationalUnit

dn: cn=Standard,ou=Policies,dc=aivp,dc=vtp
cn: Standard
description: Standard password policy.
pwdAttribute: 2.5.4.35
pwdMinAge: 172800
pwdMaxAge: 5184000
pwdCheckQuality: 1
pwdCheckModule: check_password.so
pwdMinLength: 8
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 1
pwdInHistory: 20
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 3
pwdFailureCountInterval: 1200
pwdMustChange: TRUE
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
Overlay configuration:
dn: olcOverlay={2}ppolicy
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=Standard,ou=Policies,dc=aivp,dc=vtp
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
And an example of an user when first inserted:
dn: uid=def_auditor,ou=people,dc=aivp,dc=vtp
cn: def_auditor
gidnumber: 601
homedirectory: /home/def_auditor
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
objectclass: top
uid: def_auditor
uidnumber: 634
userPassword:: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=
pwdReset: TRUE
Thanks in advance for any advice
Best Regards,
Francesco Belli
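The "Password must be changed (Password expires in 0 seconds)" line in the ldapwhoami output above is the client decoding the Password Policy response control, which a server only returns when the request carried the matching request control (that is what `-e ppolicy` adds). The decoder below is an added example, not code from the post or from OpenLDAP: it parses the control value per the PasswordPolicyResponseValue ASN.1 in the Behera password-policy draft (`warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER }`, `error [1] ENUMERATED`). The two byte strings are constructed to produce the message shown in the post and a grace-login warning; they are not captures from the poster's server, and the human-readable wording is modelled on ldapwhoami's, not taken from its source.

```python
# Password Policy control OID (the same OID is used for the request and the
# response control).
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Error enumeration from the password-policy draft.
ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# CONSTRUCTED control values (not captured from a real server):
#   SEQUENCE { warning [0] { timeBeforeExpiration [0] 0 }, error [1] 2 }
SAMPLE_RESET = bytes.fromhex("3008a003800100810102")
#   SEQUENCE { warning [0] { graceAuthNsRemaining [1] 1 } }
SAMPLE_GRACE = bytes.fromhex("3005a003810101")


def _tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _ber_int(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> dict:
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    out = {"timeBeforeExpiration": None, "graceAuthNsRemaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0xA0:                     # warning: constructed context tag [0]
            wtag, wval, _ = _tlv(val, 0)
            if wtag == 0x80:                # [0] timeBeforeExpiration
                out["timeBeforeExpiration"] = _ber_int(wval)
            elif wtag == 0x81:              # [1] graceAuthNsRemaining
                out["graceAuthNsRemaining"] = _ber_int(wval)
            else:
                raise ValueError(f"unexpected warning tag 0x{wtag:02x}")
        elif tag == 0x81:                   # error: primitive context tag [1]
            code = _ber_int(val)            # (0x81 means something else inside the warning)
            out["error"] = ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return out


def describe(decoded: dict) -> str:
    """Render a decoded control roughly the way ldapwhoami reports it."""
    parts = []
    if decoded["error"] == "changeAfterReset":
        parts.append("Password must be changed")
    elif decoded["error"] is not None:
        parts.append(f"Policy error: {decoded['error']}")
    if decoded["timeBeforeExpiration"] is not None:
        parts.append(f"(Password expires in {decoded['timeBeforeExpiration']} seconds)")
    if decoded["graceAuthNsRemaining"] is not None:
        parts.append(f"({decoded['graceAuthNsRemaining']} grace login(s) remain)")
    return " ".join(parts)


if __name__ == "__main__":
    for sample in (SAMPLE_RESET, SAMPLE_GRACE):
        print(describe(decode_ppolicy_response(sample)))
```

Note that the context tag `0x81` is interpreted by position: inside the `[0]` warning it is `graceAuthNsRemaining`, at the top level of the SEQUENCE it is the `error` enumeration. A client that does not send the request control, or does not parse the response control, never sees either warning, which is worth remembering when comparing what ldapwhoami shows with what a login path shows.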
N-WAY replication cn=config and virtual IP
by Lanfeust troy
Hi all,
Today I have a little problem with my openldap configuration.
I have 2 servers configured as N-WAY replication on the database and cn=config.
In cn=config we have
olcServerId: 1 ldap://ldap-int1.domaine.fr
olcServerId: 2 ldap://ldap-int2.domaine.fr
Replication is working.
However, to provide service to clients we want to use a Virtual IP address
( ldap-int-vip.domaine.fr ).
On the two servers I have installed the keepalived daemon to manage the Virtual IP.
Normally the VIP is owned by ldap-int1, but it can move to ldap-int2.
My problem is the slapd binary, which doesn't want to start on the secondary server.
I want to start the slapd daemon on all interfaces, but if we use ldap://* on the
command line to start slapd it says:
read_config: no serverID / URL match found. Check slapd -h arguments.
How do I make this configuration work?
thanks
Setting Authentication & Access for ldap backend
by Chris Chipman
I have three servers running openldap 2.4.
On the superior server I have all account information: ldap://a.example.com
On the subordinate server I have an address book: ldap://b.example.com
On the third server I use an ldap backend to tie the two together: ldap://c.example.com
Using 3rd server (ldap://c.example.com) to search and modify, I can
authenticate on 1st server (a.example.com). But because no user account
information is stored on 2nd server (b.example.com) I can't
authenticate, or modify any entries there.
My question is, how do I set up the ability to change entries in the
subordinate database, if no entries can be bound to?
Server One:
olcSuffix: dc=example,dc=com
olcDatabase: {1}hdb
olcDBDirectory: /var/lib/ldap
With an entry like so:
dn: ou=address,dc=example,dc=com
objectClass: extensibleobject
objectClass: referral
ou: address
ref: ldap://b.example.com
Server 2:
olcReferral: ldap://a.example.com
olcSuffix: ou=address,dc=example,dc=com
olcDatabase: {1}hdb
olcDBDirectory: /var/lib/ldap
With an entry:
dn: cn=Bob,ou=address,dc=example,dc=com
objectClass: inetorgperson
cn: Bob
gn: Bob
sn: Smith
Server 3:
olcSuffix: dc=example,dc=com
olcDatabase: {1}ldap
olcDBUri: ldap://a.example.com
olcDBRebindAsUser: TRUE
olcDBChaseReferrals: TRUE
Please help: Any way to query host membership in nested ldap groups?
by Gelen James
Hi all,
I have an openldap server set up with nested netgroups. Say the netgroups are:
ngA: (host1, -, -), (host2, -, -)
ngB: ngA, (host3, -, -)
ngC: ngB, (host4, -, -)
Is there a way to find host1's membership, so that it returns ngA, ngB, ngC?
Thanks a lot.
--Gelen
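LDAP itself has no operator for walking nested netgroups, so the practical answer to the question above is to fetch the nisNetgroup entries and compute the transitive membership client-side. The script below is an added example (not from the post, not from OpenLDAP): it models the three netgroups as inline entries using the real RFC 2307 attribute names `nisNetgroupTriple` and `memberNisNetgroup`, builds a child-to-parent map, and walks upward from every netgroup whose triples name the host. The entries are constructed; in practice they would come from a search for `objectClass=nisNetgroup`.

```python
import re
from collections import deque

# CONSTRUCTED nisNetgroup entries, modelled on the post's ngA/ngB/ngC.
# Each value is {attribute: [values]} as an LDAP search would return it.
NETGROUPS = {
    "ngA": {"nisNetgroupTriple": ["(host1,-,-)", "(host2,-,-)"],
            "memberNisNetgroup": []},
    "ngB": {"nisNetgroupTriple": ["(host3,-,-)"],
            "memberNisNetgroup": ["ngA"]},
    "ngC": {"nisNetgroupTriple": ["(host4,-,-)"],
            "memberNisNetgroup": ["ngB"]},
}

# A triple is "(host,user,domain)"; tolerate whitespace around the fields.
TRIPLE_RE = re.compile(r"^\(\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*([^)]*?)\s*\)$")


def triple_host(triple: str):
    """Host field of a nisNetgroupTriple, or None if it is empty or '-'."""
    m = TRIPLE_RE.match(triple)
    if not m:
        raise ValueError(f"malformed nisNetgroupTriple: {triple!r}")
    host = m.group(1)
    return host if host and host != "-" else None


def parent_map(netgroups: dict) -> dict:
    """Invert memberNisNetgroup: child netgroup -> set of parent netgroups."""
    parents = {name: set() for name in netgroups}
    for name, attrs in netgroups.items():
        for child in attrs.get("memberNisNetgroup", []):
            parents.setdefault(child, set()).add(name)
    return parents


def host_netgroups(host: str, netgroups: dict = NETGROUPS) -> list:
    """All netgroups that contain host directly or through nesting."""
    direct = {
        name for name, attrs in netgroups.items()
        if any(triple_host(t) == host for t in attrs.get("nisNetgroupTriple", []))
    }
    parents = parent_map(netgroups)
    seen = set(direct)
    queue = deque(direct)
    while queue:                      # breadth-first walk up the nesting
        group = queue.popleft()
        for parent in parents.get(group, ()):
            if parent not in seen:    # 'seen' also terminates cyclic nesting
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)


if __name__ == "__main__":
    for h in ("host1", "host3", "host4"):
        print(h, "->", host_netgroups(h))
```

The `seen` set does double duty: it avoids revisiting a netgroup reached by two paths and it stops the walk if someone has created a membership cycle, which the directory will happily store.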
Unable to authenticate via pam_ldap
by Meghanand Acharekar
I've had an LDAP production server running for the last year without any issues.
I'm suddenly getting a password failure while authenticating via
pam_ldap.so; it shows the following error message. I'm able to authenticate
using ldap client utilities like ldapsearch, and also via a java application.
On the client side I get the following error message in /var/log/secure:
Failed password for [username] from xx.xx.xx.xx port 38473 ssh2
fatal: Access denied for user [username] by PAM account configuration
On the LDAP server the logs show:
=> access_allowed: read access denied by auth(=xd)
send_search_entry: conn 1711 access to attribute userPassword, value
#0 not allowed
ACL configuration on LDAP server
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=example,dc=com" write
by * none
access to attrs=shadowLastChange
by self write
by * read
access to *
by self write
by dn.base="cn=Manager,dc=example,dc=com" write
by * read
pam_ldap (/etc/pam.d/system-auth) configuration - client side
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so nullok use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 debug minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
The strange thing is I haven't made any changes on server or client side
since a long time.
Regards,
Meghanand N. Acharekar
" A proud Linux User "
Reg Linux User #397975
------------------------------------------
The gates in my computer are AND, OR and NOT; they are not Bill..
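The logged `read access denied by auth(=xd)` in the post above is slapd reporting the privilege it granted: the `access to attrs=userPassword` clause gives an anonymous requester `auth`, and a search that would return userPassword needs `read`, which is higher. The evaluator below is an added example, not the post's or OpenLDAP's code: it transcribes the three ACL clauses quoted in the post into data and applies slapd's documented rules (first `access to` clause whose target matches is selected; within it the first matching `by` clause decides; no matching `by` clause means no access; a granted level satisfies every level at or below it). The entry DN used in the scenarios is constructed, and only the `by` subjects that appear in the post are implemented.

```python
# slapd access levels, lowest to highest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MASK_LETTERS = {"manage": "m", "write": "w", "read": "r", "search": "s",
                "compare": "c", "auth": "x", "disclose": "d"}


def mask_string(level: str) -> str:
    """Render a granted level the way slapd logs it, e.g. auth -> '=xd'."""
    if level == "none":
        return "=0"
    idx = LEVELS.index(level)
    return "=" + "".join(MASK_LETTERS[l] for l in reversed(LEVELS[1:idx + 1]))


# The three clauses from the post. attrs=None stands for 'access to *'.
# Attribute names are compared case-insensitively, as slapd does.
ACLS = [
    {"attrs": {"userpassword"},
     "by": [("self", "write"), ("anonymous", "auth"),
            ("dn.base=cn=Manager,dc=example,dc=com", "write"), ("*", "none")]},
    {"attrs": {"shadowlastchange"},
     "by": [("self", "write"), ("*", "read")]},
    {"attrs": None,
     "by": [("self", "write"), ("dn.base=cn=Manager,dc=example,dc=com", "write"),
            ("*", "read")]},
]


def _subject_matches(who: str, bound_dn, entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    if who.startswith("dn.base="):
        return bound_dn is not None and bound_dn.lower() == who[len("dn.base="):].lower()
    raise ValueError(f"unsupported by-clause subject: {who}")


def granted_level(bound_dn, entry_dn: str, attr, acls=ACLS) -> str:
    """Level slapd would grant bound_dn on attr of entry_dn (None attr = entry)."""
    for acl in acls:
        if acl["attrs"] is not None and (attr is None or attr.lower() not in acl["attrs"]):
            continue                      # target does not match, try next clause
        for who, level in acl["by"]:
            if _subject_matches(who, bound_dn, entry_dn):
                return level              # first matching 'by' wins
        return "none"                     # clause matched, no 'by' did
    return "none"


def access_allowed(bound_dn, entry_dn: str, attr, required: str) -> bool:
    return LEVELS.index(granted_level(bound_dn, entry_dn, attr)) >= LEVELS.index(required)


# Constructed DNs for the scenarios; not from the poster's directory.
USER = "uid=jdoe,ou=People,dc=example,dc=com"
OTHER = "uid=someoneelse,ou=People,dc=example,dc=com"
MANAGER = "cn=Manager,dc=example,dc=com"


def scenarios() -> dict:
    return {
        "anon_bind_userPassword": access_allowed(None, USER, "userPassword", "auth"),
        "anon_read_userPassword": access_allowed(None, USER, "userPassword", "read"),
        "anon_userPassword_mask": mask_string(granted_level(None, USER, "userPassword")),
        "self_read_userPassword": access_allowed(USER, USER, "userPassword", "read"),
        "other_read_userPassword": access_allowed(OTHER, USER, "userPassword", "read"),
        "manager_write_userPassword": access_allowed(MANAGER, USER, "userPassword", "write"),
        "anon_read_shadowLastChange": access_allowed(None, USER, "shadowLastChange", "read"),
        "anon_write_cn": access_allowed(None, USER, "cn", "write"),
        "self_write_cn": access_allowed(USER, USER, "cn", "write"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

With these clauses, an anonymous simple bind (which needs `auth` on userPassword) succeeds, while an anonymous search that asks for userPassword is refused for that attribute and logged with the `=xd` mask, exactly the two-letter mask in the post's log line. Whether a given client binds first or searches anonymously for userPassword is therefore what decides which of the two it hits.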
OpenLDAP slave-master synchronization problem
by Tian Zhiying
Hello,
I have two openldap servers, and have configured the master-slave synchronization, but have a problem:
When an entry in master server is changed it is automatically changed in the slave server.
But, when an entry in slave server is changed it is not automatically changed in the master server.
In the slave server slapd.conf config file, I've set up "updateref ldap://192.168.100.11:389"; 192.168.100.11 is my master server.
The following is my configuration.
Master Configuration:
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to *
by * write
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=root,dc=domain,dc=com"
overlay ppolicy
rootpw {SSHA}DyNIn6rweGRnQP0ntGaZxynMllSA3/w4
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
replogfile /var/lib/ldap/openldap-master-replog
loglevel 4095
replica host=192.168.70.15:389
binddn="cn=sa,dc=domain,dc=com"
bindmethod=simple credentials=miao3p
Slave Configuration:
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to *
by * write
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=root,dc=domain,dc=com"
overlay ppolicy
rootpw {SSHA}sgBwprgmRciOEGTLjE5K9J22msm+U9NW
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
updatedn "cn=sa,dc=domain,dc=com"
updateref ldap://192.168.100.11:389
Any ideas? Thank you very much.
Tian Zhiying