OpenLDAP Proxy for Active Directory Authentication
by Jason Brandt
We run in a mixed environment, with both Active Directory and LDAP
directory servers. Some users exist in both LDAP and AD, while some are
just in AD. As such, we always have obstacles with password sync between
directories.
Is it possible to set up an OpenLDAP proxy (if that's the correct term)
which would authenticate via Active Directory if the user exists there (or
if a flag is present in the LDAP entry, etc.), and otherwise via LDAP if the
user is not an AD user, thereby eliminating the need to store the password
in both directories? Directory information would otherwise be pulled from
the LDAP server, not from Active Directory.
7 years, 10 months
Design of assertion control filter
by Dieter Klünter
Hi,
The following search shows correct results:
ldapsearch -Y EXTERNAL -H ldapi:/// \
-b "cn=billy kid,ou=tombstone,o=avci,c=de" -s base \
"(l:caseExactmatch:=Tombstone)" sn l
# LDAPv3
# base <cn=billy kid,ou=tombstone,o=avci,c=de> with scope baseObject
# filter: (l:caseExactmatch:=Tombstone)
# requesting: sn l
#
# Billy Kid, tombstone, avci, de
dn: cn=Billy Kid,ou=tombstone,o=avci,c=de
sn: Kid
l: Tombstone
# search result
# numResponses: 2
# numEntries: 1
changing the filter to (l:caseExactmatch:=tombstone)
shows the expected results
# search result
search: 2
result: 0 Success
Now a search with the assertion control always shows error 122:
ldapsearch -YEXTERNAL -e assert='l=Tombstone'-H ldapi:///
-b "cn=Billy Kid,ou=tombstone,o=avci,c=de" -s base sn l
LDAPv3
# base <cn=Billy Kid,ou=tombstone,o=avci,c=de> with scope baseObject
# filter: (objectclass=*)
# requesting: ldapi:/// sn l
#
# search result
search: 2
result: 122 Assertion Failed
The same applies to an extended assertion filter
ldapsearch -YEXTERNAL -e assert='l:caseExactmatch:=Tombstone'
-H ldapi:/// -b "cn=Billy Kid,ou=tombstone,o=avci,c=de" -s base sn l
# search result
search: 2
result: 122 Assertion Failed
What is wrong with this assertion filter?
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
7 years, 10 months
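The assertion control's value is a BER-encoded RFC 4511 Filter; the following added Python example, which is not part of Dieter's post, encodes the two filter shapes used above (equalityMatch and extensibleMatch) so the exact bytes a client sends with control OID 1.3.6.1.1.12 can be inspected. The function names and the minimal filter grammar are my own assumptions.

```python
# Added example (not from the post): BER-encode the value of an LDAP Assertion
# control (RFC 4528, OID 1.3.6.1.1.12). Handles the two filter shapes used in
# the post, equalityMatch "(attr=value)" and extensibleMatch "(attr:rule:=value)".
import re
from typing import Tuple

ASSERTION_CONTROL_OID = "1.3.6.1.1.12"

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def encode_assertion_filter(filt: str) -> bytes:
    """Encode the filter as an RFC 4511 Filter CHOICE.
    equalityMatch is [3] -> tag 0xA3 (context-specific, constructed);
    extensibleMatch is [9] -> tag 0xA9 holding matchingRule [1] (0x81),
    type [2] (0x82) and matchValue [3] (0x83) as context-specific primitives."""
    s = filt.strip()
    if s.startswith("(") and s.endswith(")"):
        s = s[1:-1]                      # ldapsearch -e assert= accepts both forms
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(?::([\w.-]+):)?=(.*)", s)
    if not m:
        raise ValueError(f"unsupported assertion filter: {filt!r}")
    attr, rule, value = m.group(1), m.group(2), m.group(3)
    if rule is None:
        # AttributeValueAssertion ::= SEQUENCE { attributeDesc, assertionValue }
        return tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
    # MatchingRuleAssertion ::= SEQUENCE { matchingRule [1], type [2], matchValue [3] }
    return tlv(0xA9, tlv(0x81, rule.encode()) + tlv(0x82, attr.encode())
               + tlv(0x83, value.encode()))

def assertion_control(filt: str, critical: bool = True) -> Tuple[str, bool, bytes]:
    """The (oid, criticality, value) triple a client library puts on the wire."""
    return ASSERTION_CONTROL_OID, critical, encode_assertion_filter(filt)

if __name__ == "__main__":
    for f in ("l=Tombstone", "(l:caseExactMatch:=Tombstone)"):
        oid, crit, val = assertion_control(f)
        print(f"{f:32} -> {oid} critical={crit} value={val.hex()}")
```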
migrating from SUN one C SDK to openldap C sdk (Linux).
by Far a
As part of a Solaris to Linux migration, I am planning to migrate my
application that uses the Sun ONE C SDK to the OpenLDAP C SDK (Linux). I
have various questions that I need to address at the beginning. I am hoping I
can get some help over here. The questions are as follows:
* Can a client use the OpenLDAP C SDK (Linux) while the server is still on a
Sun ONE LDAP server?
* Is there a list of dos and don'ts and a list of possible issues for migrating
from Sun ONE LDAP to OpenLDAP on Linux?
Regards
farhad
7 years, 10 months
Unable to bind LDAP server via SSL
by Ashwin Kumar
Hello all, I have written some sample code to connect to an LDAP server via SSL
running on port 10389 (ldap) & 10636 (ldaps). But the sample application
fails to set the options for the SSL connection.
I do not want to verify the certificate correctness at this moment. Can
someone help fix this sample code?
#include <stdio.h>
#define LDAP_DEPRECATED 1
#include <ldap.h>
#define BIND_DN "dc=example,dc=com"
#define BIND_PW "secret"
int main(void) {
    LDAP *ld;
    int rc;
    int reqcert = LDAP_OPT_X_TLS_NEVER;   /* do not verify the server certificate */
    int version = LDAP_VERSION3;
    if (ldap_initialize(&ld, "ldap://192.168.1.51:10389") != LDAP_SUCCESS) {
        perror("ldap_initialize"); /* no error here */
        return 1;
    }
    rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (rc != LDAP_OPT_SUCCESS) {
        printf("Setting LDAP_OPT_PROTOCOL_VERSION failed: %s\n", ldap_err2string(rc));
    }
    rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
    if (rc != LDAP_OPT_SUCCESS) {
        printf("Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: %s\n", ldap_err2string(rc));
    }
    /* upgrade the plain ldap:// connection to TLS (StartTLS) */
    rc = ldap_start_tls_s(ld, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        printf("ldap_start_tls failed: %s\n", ldap_err2string(rc));
    }
    rc = ldap_bind_s(ld, BIND_DN, BIND_PW, LDAP_AUTH_SIMPLE);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_bind_s: %s\n", ldap_err2string(rc));
        return 1;
    }
    ldap_unbind(ld);
    return 0;
}
The program always fails with:
*Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: Can't contact LDAP server*
*ldap_start_tls failed: Not Supported*
The server does support ldaps and ldap+tls. Can someone please help?
--
Ashwin kumar
(http://ashwinkumar.me)
7 years, 10 months
Fwd: [lmdb] .NET-wrapper for LightningDB
by Howard Chu
For any C-Sharp fans out there.
---------- Forwarded message ----------
From: Илья Лукьянов <ilya.lukyanov(a)gmail.com>
Date: 2013/5/26
Subject: .NET-wrapper for LightningDB
To: openldap-technical(a)openldap.org
Hello,
I'm glad to announce the first version of a .NET wrapper for LightningDB.
I've published it here: https://github.com/ilyalukyanov/Lightning.NET
I've developed it to use in a couple of projects. Hope it will be useful for
someone else.
Best regards, Ilya Lukyanov.
7 years, 10 months
Samba + LDAP: Issue adding machine to domain.
by Luis H. Forchesatto
Greetings.
I've run into trouble when trying to add a new Win7 machine to a domain.
The domain is controlled by a server running Samba + LDAP (Samba compiled
with LDAP support), on a Debian 5 OS on the local network.
I've added the machine name to the LDAP tree through phpldapadmin using
the option "Samba3 Machine" on the related submenu and via the terminal on
Samba. Then I renamed the new machine to match the computer name and tried
to add it to the domain. When prompted for credentials to add the new
machine I entered the admin login and password and hit <enter>.
Windows then returned the following error (something like): "The
join operation was not successful. Maybe another existing machine
account <machine_account_name> was created previously using another set of
credentials. Use another computer name or contact the admin to remove any
obsolete conflicting account. Error: Access denied."
Any ideas for troubleshooting will be welcome.
--
Att.
Luis H. Forchesatto
7 years, 10 months
Open LDAP ACL and Group
by Dysan 67
Hello,
I have a problem with ACLs and groups.
I configured a proxy slapd and added ACLs (see slapd.conf below).
When I run an ldapsearch command as user 'Test User' the attributes are
displayed. It's OK.
But when I run the same ldapsearch command as user 'Synchro1 User' the
message 'Insufficient access (50)' is displayed. It's not OK.
The user 'Synchro1 User' is a member of
CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch
Do you have any ideas?
Thank you for your help
Dysan
My environment
---------------------
ldapproxy server is CentOS release 5.9 (Final) openldap version 2.3.43
dc1-test Windows Server 2008 R2 (Domain Controller)
Ldapsearch command
-------------------
$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 -D "CN=Test
User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b
"dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
dn: ........
...
$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 -D "CN=Synchro1
User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b
"dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
Insufficient access (50)
slapd.conf
----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:-SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacerts.crt
TLSCertificateFile /etc/openldap/cacerts/ldapproxy.example.ch.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldapproxy.example.ch.key
loglevel -1
disallow bind_anon
# AD
database ldap
suffix "dc=activedir,dc=example,dc=ch"
uri "ldaps://dc1-test.example.ch/"
readonly on
rebind-as-user
lastmod off
access to attrs=displayname,sn,givenname,mail,telephoneNumber
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none
# The users must see the entry itself
access to attrs=entry
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none
# Other attributes: other users have no access
access to *
    by * none
#---------------------------------------------------------------------------------------------------------------
slapd.conf end
7 years, 10 months
Question Sun Directory Server upgrades from version 6.3.1.1.1 to version 11.1.1.5.0
by Far a
I am new to LDAP. I am not sure if this is the proper place to post this.
I could use all the help I can get.
Our LDAP server-side team is upgrading soon:
Sun Directory Server upgrades from version 6.3.1.1.1 to version 11.1.1.5.0.
My application is just a client using the Sun LDAP C SDK. I would
like to know if there is any potential issue for me to watch out for.
Regards
Farhad
7 years, 10 months
ldap_get_values(..) returns decoding error only during stress test.
by Mangesh Sawant
The stress test parameters are as follows.
TPS: 1000
Users in LDAP DB: 50K
LDAP operation performed during stress: ldapsearch.
The problem is that the user is fetched from the LDAP server (verified this with tcpdump),
but ldap_get_values returns 'DECODING ERROR'.
This happens randomly during the stress test for 8 or 9 users out of 50K.
If the LDAP search is performed for a single user, there is no issue.
Is this a known issue in the OpenLDAP client library? Is any fix available for
this issue?
--
Thanks And Regards ,
Mangesh Sawant .
7 years, 10 months