openldap-technical March 2013

openldap-technical@openldap.org

84 participants
80 discussions

Double escaping \ in regex in slapo-constraint directives in slapd.conf
by Tim Watts 05 Mar '13

05 Mar '13

Could someone make sure I'm not going mad before I call this a bug? In slapd.conf: constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\.[a-z0-9\-]+)*$ stick this into ldapmodify and it is allowed: replace: mail mail: mrwibble-bble@example#com This looks like the last \. is being parsed to . before the regex engine sees it. With this regex: constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\\.[a-z0-9\-]+)*$ the constraint acts on mrwibble-bble@example#com but allows mrwibble-bble(a)example.com which is correct. Is this a bug in the code, a bug in man -S5 slapo-constraint (which does not mention double escaping is necessary) or am I insane? Makes me wonder what is happening with the \- Hmm Both: constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\\.[a-z0-9\-]+)*$ and constraint_attribute mail regex ^[^@]+@[a-z0-9\-]+(\\.[a-z0-9\\-]+)*$ accept mrwibble-bble(a)example.c-o-m I'll investigate further is someone would kindly rule out anything I may have overlooked. Cheers, Tim -- Tim Watts Personal Blog: http://squiddy.blog.dionic.net/ http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

2 2

Re: Mirror mode and cn=config replication
by John Baker 04 Mar '13

04 Mar '13

Thanks for the reply, gnutls is a pain but we've been able to make it work and the boss hates it when we use source so I'm kind of stuck with it as it is unless I can make a better case than ssl. So mirror mode is really defined by the load balancer in front? I guess this is a bit confusing in the documentation because multi-master has a more complex configuration. As of right now then we are really using multi-master with two servers and the very simple example configuration that's laid out under mirror mode at http://www.openldap.org/doc/admin24/replication.html. But the plan is to upgrade and put load balancing in front. And then we want to use a couple of slaves with limited directories in front of those for constant lookups from services like mail. We are trying to get he benefits of load balancing for heavy writing without having one point of failure for critical services that need a lot of lookups but no writes. I'm testing a setup with the load balancer right now. Can schema changes in cn=config be sent to the the load balancer and slaves as well? On Mon, Mar 4, 2013 at 4:00 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Monday, March 04, 2013 3:39 PM -0500 John Baker <johnnyb(a)marlboro.edu> > wrote: > > Hi, >> >> >> We have been using mirror mode for some time as a simple way for us to >> have an up to date copy in case of a crash and load balancing. We have >> been using the older slapd.conf configuration in Ubntu Hardy and are now >> moving up to 2.4.28 in Ubuntu Precise. >> > > a) Don't use builds provided by Debian/Ubuntu. Build something sane > linked to OpenSSL. > b) Use a current release (2.4.34) > c) There is no difference in configuration between "Mirror Mode" and MMR. > They are the exact same thing configuration wise. The *only* difference is > that with "mirror mode" you use some sort of balancer so that only a single > server is available for writes at a given time. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- John Baker Network Administrator Marlboro College Phone: 451-7551 Cell: 490-0066

2 2

Mirror mode and cn=config replication
by John Baker 04 Mar '13

04 Mar '13

Hi, We have been using mirror mode for some time as a simple way for us to have an up to date copy in case of a crash and load balancing. We have been using the older slapd.conf configuration in Ubntu Hardy and are now moving up to 2.4.28 in Ubuntu Precise. The documentation for N-way multi master mentions that cn=config can be replicated. Can this be done in mirror mode as well? The part I'm particularly trying to figure out is how schema and password policy changes can be sent to both mirrors as well as the proxy and slaves so that we don't have to add ldifs manually an each server. -- John Baker Network Administrator Marlboro College Phone: 451-7551 Cell: 490-0066

2 1

Combining AD and Local DB into single 'virtual' tree
by Mailing Lists 04 Mar '13

04 Mar '13

Hello, I posted a question along these lines a few months ago and received replies, but never understood enough to implement them. I've done more research in the meantime and hopefully have learned enough to ask this question intelligently. I'm working on a project proposal for integrating Linux machines into a Windows environment. The client is very concerned about their AD environment and wants to do as little modification to it as possible (preferably none). What I'd like to propose is that we set up an OpenLDAP server that chains to AD. If possible, I would like to use the OpenLDAP client's credentials to bind to AD instead of having a dedicated user for the OpenLDAP <--> AD connection. I believe this can be accomplished with the 'rebind-as-user' option of the ldap backend (slapd-ldap). Is this correct? Now here's where I think it gets tricky. We also need to be able to store information for the Linux boxes in LDAP (samba winbind mappings for example), but keep it separate from AD. I know that part of this would require a dedicated LDAP database backend (slapd-bdb) to be configured, but what confuses me is how to combine these two separate entities (the AD proxy and this bdb database) into one 'virtual' backend that clients can query against. Is this where slapd-translucent would come into play? Finally, if I want to create OUs in the Linux LDAP database that contain user DNs from AD, is that possible? Any guidance, example solutions, or suggested reading is greatly appreciated. -Dave

3 2

Openldap doesn't force password change and other related problems
by Francesco Belli 04 Mar '13

04 Mar '13

Hello All, I probably have something misconfigured on my openldap server, but it seems that this is not so easy to debug (for me). I use openldap 2.4.23 with ppolicy and accesslog overlays. I have the following behaviours: - when pwdMustChange and pwdReset are set to true, after login, user is not prompted to change the password, however if I run: [def_auditor@localhost fbelli]$ ldapwhoami -x -e ppolicy -D uid=def_auditor,ou=people,dc=pippo,dc=com -w ****** -ZZ -H ldap://mkernel ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds) dn:uid=def_auditor,ou=people,dc=pippo,dc=com - When there are less of pwdExpireWarning seconds and user authenticates (bash shell or ldapsearch), it doesn't get any warning. - When password is expired and user uses one of his pwdGraceAuthNLimit, he doesn't get any warning (but it will get lockedout after). It looks like that for some reason the openldap server doesn't send warnings back to the user. However if user tryes to change the password to one that doesn't match the policy, it gets the correct warnings. Following there is my standard password policy: dn: ou=Policies,dc=aivp,dc=vtp ou: Policies description: Directory policies. objectClass: organizationalUnit dn: cn=Standard,ou=Policies,dc=aivp,dc=vtp cn: Standard description: Standard password policy. pwdAttribute: 2.5.4.35 pwdMinAge: 172800 pwdMaxAge: 5184000 pwdCheckQuality: 1 pwdCheckModule: check_password.so pwdMinLength: 8 pwdExpireWarning: 604800 pwdGraceAuthNLimit: 1 pwdInHistory: 20 pwdLockout: TRUE pwdLockoutDuration: 900 pwdMaxFailure: 3 pwdFailureCountInterval: 1200 pwdMustChange: TRUE objectClass: device objectClass: pwdPolicy objectClass: pwdPolicyChecker Overlay configuration: dn: olcOverlay={2}ppolicy objectClass: olcPPolicyConfig objectClass: olcOverlayConfig olcOverlay: ppolicy olcPPolicyDefault: cn=Standard,ou=Policies,dc=aivp,dc=vtp olcPPolicyUseLockout: TRUE olcPPolicyHashCleartext: TRUE And an example of an user when first inserted: dn: uid=def_auditor,ou=people,dc=aivp,dc=vtp cn: def_auditor gidnumber: 601 homedirectory: /home/def_auditor loginshell: /bin/bash objectclass: account objectclass: posixAccount objectclass: top uid: def_auditor uidnumber: 634 userPassword:: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ= pwdReset: TRUE Thanks in advance for any advice Best Regards, Francesco Belli

1 0

N-WAY replication cn=config and virtual IP
by Lanfeust troy 04 Mar '13

04 Mar '13

Hi all, today i have a little problem with openldap configuration. I have 2 server configured as N-WAY replication on database and cn=config. into cn=config we have olcServerId: 1 ldap://ldap-int1.domaine.fr olcServerId: 2 ldap://ldap-int2.domaine.fr replication is working. However to provide service to client we want to use a Virtual IP adresse. ( ldap-int-vip.domaine.fr ) On two server i have installed keepalived demon to manage Virtual IP. On nominal time the VIP is owned by ldap-int1 but she can going on ldap-int2 My problem is the slapd binary which don't want to start on secondary server I want to start slapd demon on all interface but if we use ldap://* in command line to start slapd he say: read_config: no serverID / URL match found. Check slapd -h arguments. How to make this configuration ? thanks

1 0

Setting Authentication & Access for ldap backend
by Chris Chipman 03 Mar '13

03 Mar '13

I have three servers running openldap 2.4. On superior server I have all account information. ldap://a.example.com On subordinate server I have an address book. ldap://b.example.com On third server I use an ldap backend to tie the two together. ldap://c.example.com Using 3rd server (ldap://c.example.com) to search and modify, I can authenticate on 1st server (a.example.com). But because no user account information is stored on 2nd server (b.example.com) I can't authenticate, or modify any entries there. My question is, how do I set up the ability to change entries in the subordinate database, if no entries can be bound to? Server One: olcSuffix: dc=example,dc=com olcDatabase: {1}hdb olcDBDirectory: /var/lib/ldap With an entry like so: dn: ou=address,dc=example,dc=com objectClass: extensibleobject objectClass: referral ou: address ref: ldap://b.example.com Server 2: olcReferral: ldap://a.example.com olcSuffix: ou=address,dc=example,dc=com olcDatabase: {1}hdb olcDBDirectory: /var/lib/ldap With an entry: dn: cn=Bob,ou=address,dc=example,dc=com objectClass: inetorgperson cn: Bob gn: Bob sn: Smith Server 3: olcSuffix: dc=example,dc=com olcDatabase: {1}ldap olcDBUri: ldap://a.example.com olcDBRebindAsUser: TRUE olcDBChaseReferrals: TRUE

1 0

Please help: Any way to query host membership in nested ldap groups?
by Gelen James 02 Mar '13

02 Mar '13

Hi all, I have a openldap server setup with netsted netgruops,. Say the netgroups are: ngA: (host1, -, - ), (host2, -, - ) ngB: ngA, (host3, - - ) ngc: ngB, (host4, -, -) Is there a way to find host1's membership? so that it can return: ngA, ngB, ngC? Thanks a lot. --Gelen

1 0

Unable to authenticate via pam_ldap
by Meghanand Acharekar 01 Mar '13

01 Mar '13

I've LDAP production server running over last 1 years without any issues, I'm suddently getting password fail error while authenticating via pam_ldap.so its show following error message, I'm able to authenticate using ldap client utilities like ldapsearch, also via some java application, On client side I got following error message in /var/log/secure Failed password for [username] from xx.xx.xx.xx port 38473 ssh2 fatal: Access denied for user [username] by PAM account configuration On LDAP server logs. => access_allowed: read access denied by auth(=xd) send_search_entry: conn 1711 access to attribute userPassword, value #0 not allowed ACL configuration on LDAP server access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=example,dc=com" write by * none access to attrs=shadowLastChange by self write by * read access to * by self write by dn.base="cn=Manager,dc=example,dc=com" write by * read pam_ldap (/etc/pam.d/system-auth) configuration - client side #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_ldap.so try_first_pass auth sufficient pam_unix.so nullok use_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 debug minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so The strange thing is I haven't made any changes on server or client side since a long time. Regards, Meghanand N. Acharekar " A proud Linux User " Reg Linux User #397975 ------------------------------------------ The gates in my computer are AND, OR and NOT; they are not Bill..

2 1

OpenLDAP slave-master synchronization problem
by Tian Zhiying 01 Mar '13

01 Mar '13

Hello， I have two openldap servers, and have configured the master-slave synchronization, but have a problem: When an entry in master server is changed it is automatically changed in the slave server. But, when an entry in slave server is changed it is not automatically changed in the master server. In the slave server slapd.conf config file, I've set up “updateref ldap://192.168.100.11:389“ , the 192.168.100.11 is my master server. The following is my configuration. Master Configuration: allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args access to * by * write database bdb suffix "dc=domain,dc=com" rootdn "cn=root,dc=domain,dc=com" overlay ppolicy rootpw {SSHA}DyNIn6rweGRnQP0ntGaZxynMllSA3/w4 directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub replogfile /var/lib/ldap/openldap-master-replog loglevel 4095 replica host=192.168.70.15:389 binddn="cn=sa,dc=domain,dc=com" bindmethod=simple credentials=miao3p Slave Configuration: allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args access to * by * write database bdb suffix "dc=domain,dc=com" rootdn "cn=root,dc=domain,dc=com" overlay ppolicy rootpw {SSHA}sgBwprgmRciOEGTLjE5K9J22msm+U9NW directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub updatedn "cn=sa,dc=domain,dc=com" updateref ldap://192.168.100.11:389 Any ideas? Thank you very much. Tian Zhiying

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2013