Fwd: [GENERAL] Using LDAP for PostgreSQL permissions/authentication
by Stephan Fabel
Found on the Postgres mailing list... seems like some folks like to do user
provisioning with config management tools rather than LDAP.
I don't agree with the guy, but he does point out one issue that I find
interesting, which is the absence of a "history" of sorts. Are you guys
thinking of some sort of "snapshotting" / COW feature?
Would something like that even make sense?
-Stephan
---------- Forwarded message ----------
From: Stephen Frost
Date: Fri, Sep 13, 2013 at 10:29 AM
Subject: Re: [GENERAL] Using LDAP for PostgreSQL permissions/authentication
Cc: pgsql-general(a)postgresql.org
* Bill Moran wrote:
> As documented, LDAP solves a few of the problems we have -- since everyone
> will be in LDAP, we can use LDAP's password complexity rules and password
> expiration to handle those security requirements, and (of course) when
> someone changes their password, they don't have to remember to change it
> on every server ... these are big wins.
Better is to use Kerberos, imv. It's what AD does.
> But it doesn't help with the headache of creating the accounts on all the
> servers, or dropping them as part of employee termination procedures, or
> doing security audits, or changing permissions on multiple servers when
> an employee gets a promotion, etc.
Nope; I'd use puppet or chef or something along those lines to deal with
this aspect, much as I'd do with Unix accounts. Using nsswitch and
tying every user name look up to LDAP has certain.. drawbacks.
> Thus, when I go to log in as wmoran, LDAP checks my password, then informs
> PostgreSQL to allow me in with specified roles, and I can do operations
> granted to those roles.
That's a little over-simplistic, isn't it? What about objects which are
created by the 'wmoran' account?
> Obviously, that's not how it works now ... my question is why not? Is it just
> a matter of nobody's gotten to it yet, or are there issues that make such
> an implementation difficult/troublesome/impossible? If it's possible, does
> anyone have any concept of how hard it would be to implement?
My gut feeling on this is 'pretty darn hard' and 'not sure there are
many who really want it'. That last particularly because tools like
puppet and chef exist and solve this problem in a better way, imv
anyway, than LDAP. Back in the day, I was a big proponent of LDAPv3 and
all of the nice things it did, but the complexities involved in "what
happens when the network goes away" grew tiring and managing accounts
through a config management system which also tracks history of changes,
both to the master repo and to the individual systems, wins hands down.
Thanks,
Stephen
----------------------------------------
10 years
RE: unsubscribe
by Quanah Gibson-Mount
--On Tuesday, September 17, 2013 4:04 PM +0000 Sebastian Bianchi
<Sebastian.Bianchi(a)zaisgroup.com> wrote:
> How can I unsubscribe from this list? It is going to
> Ryan.Palamara(a)zaisgroup.com and he is no longer with the company.
The first thing you should never do is hijack a thread.
You can read over <http://www.openldap.org/lists/> for information about
the lists. That, for example, can take you to
<http://www.openldap.org/lists/mm/listinfo/openldap-technical>, where you
can get the information on how to contact the moderator if you can't
force-unsubscribe your old employee.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap mods check attributetype undefined
by Chandrashekar Kola
Hello All,
We have two OpenLDAP nodes running in a mirrormode setup. We recently added
a new attributetype; after that we are seeing this message on the slave node,
and I can see the attributetype from Apache Directory Studio on the master node
but not on the slave node.
syncrepl_message_to_entry: rid=001 mods check (userid: attribute type undefined)
Both nodes have the same schema file and both are running OpenLDAP 2.4.
Has anybody run into this issue?
Thanks,
Chandu
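One way to find which side of the mirror pair is missing a definition, as an added example that is not code from the original post: dump the attributeTypes each node publishes in cn=subschema and diff them by OID. A definition the master has and the slave lacks, or an alias (such as userid) only one side knows, is exactly what makes the slave reject the replicated modification with "attribute type undefined". The two dumps embedded below stand in for `ldapsearch -x -H ldap://<node> -b cn=subschema -s base attributeTypes` output and are constructed; the OID 1.3.6.1.4.1.99999.1.1 is a placeholder.

```python
"""Diff the attributeType definitions two slapd nodes publish in cn=subschema.

Added example, not code from the original post.  The dumps below are
constructed stand-ins for
    ldapsearch -x -H ldap://<node> -b cn=subschema -s base attributeTypes
and 1.3.6.1.4.1.99999.1.1 is a placeholder OID.
"""
import re
from typing import Dict, Iterator, Set, Tuple


def unfold(ldif: str) -> Iterator[str]:
    """Yield logical LDIF lines, joining RFC 2849 continuation lines (a line
    that starts with one space continues the previous one)."""
    current = None
    for raw in ldif.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
            continue
        if current is not None:
            yield current
        current = raw
    if current is not None:
        yield current


# "( <oid> NAME 'x' ..." or "( <oid> NAME ( 'x' 'y' ) ..."
ATTR_RE = re.compile(
    r"^attributeTypes:\s*\(\s*(?P<oid>[\w.:-]+)\s+NAME\s+"
    r"(?:'(?P<one>[^']+)'|\(\s*(?P<many>[^)]+)\))"
)


def attribute_types(ldif: str) -> Dict[str, Set[str]]:
    """OID -> set of NAMEs for every attributeType in a subschema dump."""
    types: Dict[str, Set[str]] = {}
    for line in unfold(ldif):
        m = ATTR_RE.match(line)
        if m is None:
            continue
        if m.group("one"):
            names = {m.group("one")}
        else:
            names = set(m.group("many").replace("'", "").split())
        types[m.group("oid")] = names
    return types


def missing_from(consumer: str, provider: str) -> Dict[str, Set[str]]:
    """attributeTypes the provider defines and the consumer does not, by OID."""
    have = attribute_types(consumer)
    return {oid: names for oid, names in attribute_types(provider).items()
            if oid not in have}


def renamed(consumer: str, provider: str) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """OIDs both sides define but under different NAMEs: an alias such as
    'userid' that only the provider knows is undefined on the consumer."""
    have, want = attribute_types(consumer), attribute_types(provider)
    return {oid: (have[oid], want[oid]) for oid in want
            if oid in have and have[oid] != want[oid]}


# constructed sample dumps (master defines employeeTag and the userid alias)
MASTER_SUBSCHEMA = """\
dn: cn=Subschema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common name
 (s) for which the entity is known by' SUP name )
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'RFC
 4519: user identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'employeeTag' DESC 'constructed s
 ite-local attribute' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.15 )
"""

SLAVE_SUBSCHEMA = """\
dn: cn=Subschema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common name
 (s) for which the entity is known by' SUP name )
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME 'uid' DESC 'user identifier'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
"""

if __name__ == "__main__":
    for oid, names in missing_from(SLAVE_SUBSCHEMA, MASTER_SUBSCHEMA).items():
        print(f"missing on slave: {oid} {sorted(names)}")
    for oid, (have, want) in renamed(SLAVE_SUBSCHEMA, MASTER_SUBSCHEMA).items():
        print(f"names differ for {oid}: slave {sorted(have)} master {sorted(want)}")
```

Run it against real dumps from both nodes; anything it reports has to be fixed in the slave's schema (and slapd restarted, or the schema entry reloaded under cn=config) before the stalled modification can be applied.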
Re: ldap replication getting lost
by Ashok Kumar Shah
Thanks. Yup, I will upgrade to the latest stable.
~Ashok
On Mon, Sep 16, 2013 at 9:48 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Saturday, September 14, 2013 2:00 PM +0530 Ashok Kumar Shah
> <ashok.shah(a)flipkart.com> wrote:
>
>> Openldap Version: 2.4.23
>
> Your issue was known fixed in a later release. I would suggest, as I
> repeatedly do, that you use a current build.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Lead Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
ldap replication getting lost
by val john
Hi guys, I'm running a simple LDAP replication setup.
The LDAP slave node sits behind the firewall and port 389 is open to all,
and my LDAP replication works fine most of the time (the slave node
gets updated in real time).
But sometimes the slave just stops getting updates from the master server.
When I restart the slave LDAP server, replication starts again, as
follows:
Aug 21 11:59:24 ldapmirror slapd[18107]: do_syncrep2: rid=004 cookie=rid=004,sid=002,csn=20130821160107.813479Z#000000#002#000000
Aug 21 11:59:24 ldapmirror slapd[18107]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Aug 21 11:59:24 ldapmirror slapd[18107]: <= bdb_equality_candidates: (entryUUID) not indexed
Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 be_search (0)
Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 uid=user1,ou=staff,dc=example,dc=com
Aug 21 11:59:25 ldapmirror slapd[18107]: slap_queue_csn: queing 0xcc1060 20130821160107.813479Z#000000#002#000000
Aug 21 11:59:25 ldapmirror slapd[18107]: slap_graduate_commit_csn: removing 0xcc0a40 20130821160107.813479Z#000000#002#000000
Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 be_modify uid=user1,ou=staff,dc=example,dc=com (0)
Aug 21 11:59:25 ldapmirror slapd[18107]: slap_queue_csn: queing 0xcc1060 20130821160107.813479Z#000000#002#000000
Aug 21 11:59:25 ldapmirror slapd[18107]: slap_graduate_commit_csn: removing 0x1a55a70 20130821160107.813479Z#000000#002#000000
LDAP slave configuration:
syncrepl rid=004
        provider=ldap://ldap.example.com
        bindmethod=simple
        binddn="cn=admin,ou=staff,dc=example,dc=com"
        credentials="passwd"
        searchbase="dc=example,dc=com"
        schemachecking=off
        type=refreshAndPersist
        retry="60 +"
mirrormode on
Is there any reason for such behavior? Please advise.
Thank You
John
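A way to notice a stalled consumer before users do, as an added example that is not code from the original post: every slapd publishes a contextCSN on the suffix entry (one value per server id), and the consumer's lag is simply the distance between its value and the provider's for the same sid. The script below parses both, reports the lag per sid, and also picks the `(entryUUID) not indexed` warning out of the posted log: a consumer looks up every replicated entry by entryUUID, so without `index entryUUID eq` (and `index entryCSN eq`) each incoming change costs a full scan. The ldapsearch output it parses is constructed; sid 002 and the timestamp are taken from the log above, sid 001 is invented to show the multi-provider case.

```python
"""Measure syncrepl consumer lag from provider and consumer contextCSN values
and flag attributes the consumer logged as 'not indexed'.

Added example, not code from the original post.  The LDIF snippets stand in
for the output of
    ldapsearch -x -H ldap://<host> -b dc=example,dc=com -s base contextCSN
on each side; they, and the log excerpt, are constructed (sid 002 and the
timestamp come from the posted log, sid 001 is invented).
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# CSN layout: <UTC time>.<usec>Z#<change count>#<server id>#<modifier count>
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


def parse_csn(csn: str) -> Tuple[datetime, int, int, int]:
    """Split a CSN into (timestamp, count, sid, modcount); counts are hex."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(
        microsecond=int(m.group(2)), tzinfo=timezone.utc
    )
    return ts, int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16)


def context_csns(ldif: str) -> Dict[int, str]:
    """sid -> contextCSN.  With several providers the suffix entry carries
    one contextCSN per server id, so the values are keyed on the sid."""
    found: Dict[int, str] = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            csn = line.split(":", 1)[1].strip()
            found[parse_csn(csn)[2]] = csn
    return found


def replication_lag(provider_ldif: str, consumer_ldif: str) -> Dict[int, Optional[float]]:
    """Seconds the consumer is behind the provider, per sid: 0.0 when the
    consumer's CSN is at or past the provider's, None when the consumer has
    no contextCSN for that sid at all (it never received anything from it)."""
    provider = context_csns(provider_ldif)
    consumer = context_csns(consumer_ldif)
    lag: Dict[int, Optional[float]] = {}
    for sid, p_csn in provider.items():
        if sid not in consumer:
            lag[sid] = None
            continue
        p_ts, p_count, _, _ = parse_csn(p_csn)
        c_ts, c_count, _, _ = parse_csn(consumer[sid])
        behind = (c_ts, c_count) < (p_ts, p_count)
        lag[sid] = (p_ts - c_ts).total_seconds() if behind else 0.0
    return lag


def unindexed_attributes(log: str) -> List[str]:
    """Attribute names slapd reported as 'not indexed' while collecting
    search candidates; on a consumer entryUUID (and entryCSN) need 'eq'."""
    return sorted(set(re.findall(r"_candidates: \((\w+)\) not indexed", log)))


# constructed samples
PROVIDER_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20130821160107.813479Z#000000#002#000000
contextCSN: 20130821160230.000000Z#000000#001#000000
"""

CONSUMER_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20130821155900.000000Z#000000#002#000000
"""

CONSUMER_LOG = """\
Aug 21 11:59:24 ldapmirror slapd[18107]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Aug 21 11:59:24 ldapmirror slapd[18107]: <= bdb_equality_candidates: (entryUUID) not indexed
"""

if __name__ == "__main__":
    for sid, seconds in replication_lag(PROVIDER_LDIF, CONSUMER_LDIF).items():
        state = "never seen" if seconds is None else f"{seconds:.3f}s behind"
        print(f"sid {sid:03x}: {state}")
    for attr in unindexed_attributes(CONSUMER_LOG):
        print(f"missing index: {attr} eq")
```

Run from cron against both hosts, a non-zero lag that keeps growing while the provider's CSN moves is the "stopped getting updates" condition; restarting slapd, as observed above, re-opens the persist session and the lag collapses again.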
Attributes rewriting
by Vitaliy Aleksandrov
Hello, List
I've been trying to find a working example to understand how slapo-rwm,
slapd-meta and slapd-relay work for the last 3 days, with no success.
I just need to substitute one attribute for another for a single LDAP user.
Let's say I have a posixAccount object with cn = user1, as shown below.
dn: uid=user1,ou=People,dc=localnet
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
.....
I also have two LDAP users (organizationalRole): admin and simpleuser.
I want to configure OpenLDAP in a way that allows "simpleuser" to make
queries using "(description=user1)" instead of "(cn=user1)" to find the
previously mentioned user object.
The only thing I was able to configure is the suffixmassage, but I can't find
a way to add rwm-map to my configuration.
Could somebody point me to a working example?
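One way to get the substitution asked for above, as an added slapd.conf example that is not from the original post or from the OpenLDAP documentation: a slapd-relay database exposes the real tree under a second, virtual suffix, and slapo-rwm on that database maps the virtual attribute name description onto the real cn. rwm applies the mapping to search filters, requested attribute lists and returned entries alike, so a search for (description=user1) under the virtual suffix reaches the real entry as (cn=user1). The virtual suffix name dc=virtual is an assumption; the module lines are only needed if back_relay and rwm are built as modules.

```conf
# Added example: a virtual view of dc=localnet in which "description" stands for "cn".
# Goes after the real database definition for dc=localnet in slapd.conf.
# moduleload   back_relay
# moduleload   rwm

database        relay
suffix          "dc=virtual"
relay           "dc=localnet"
overlay         rwm
rwm-suffixmassage   "dc=localnet"
# local (virtual) name first, foreign (real) name second
rwm-map attribute description cn
# pass every other attribute through unchanged; without this line only
# explicitly mapped attributes survive the mapping
rwm-map attribute * *
```

A client then runs `ldapsearch -x -b dc=virtual '(description=user1)'` and gets `uid=user1,ou=People,dc=virtual` back with the entry's cn values shown as description. Two caveats: the entry's real description values also pass through under that same name, so the two sources are indistinguishable in the result, and limiting the virtual suffix to simpleuser is then an ordinary ACL matter on that suffix rather than anything rwm does for you.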
slapd.conf deprecate as of 2.5?
by Daniel Jung
Hi,
A quick search through the list shows that slapd.conf will not be
supported as of 2.5? Is this still the case? When can we expect the 2.5
minor release?
Thanks for your answer in advance.
All Data Deleted on Slapd Restart
by Justin Brown
Hello,
I'm new to using OpenLDAP, and I'm having some trouble finding my way
on 2.4 with cn=config. After a lot of trial and error, I finally got
the initial ldif files setup to initialize the directory. I'll post
the configurations below.
One of the peculiarities of my Fedora system is that it does not read
my slapd.conf, which contains the initial admin password (for
cn=admin,cn=config). Therefore, I manually launch slapd -f
/etc/openldap/slapd.conf... and run my ldifs. That works great, and I
setup regular user accounts. So far so good. Now that I'm done with
initialization, I want to stop slapd and start it up with my service
manager (systemd). I issue a `killall slapd` (no SIGKILL) or ^C if
running with "-d 0" to stop the console session. There are no error
messages.
Upon restart (either systemd or on the same console), the whole
directory is wiped out and reverted back to default. Again, no errors
in the system logs, and the only messages are slapd starting and any
Apache Directory Studio or ldapsearch queries that I perform.
I have triple-checked all of the file permissions (and SELinux
contexts) in /etc/openldap and /var/lib/ldap and cannot find any
errors.
Could someone help me figure out why my data is purged on restart?
Here are the ldif files and commands that I run.
Slapd from console:
slapd -f /etc/openldap/slapd.conf -u ldap -d 0
1) Load the schemas
for i in /etc/openldap/schema/*.ldif; do ldapadd -x -D "cn=admin,cn=config" -w secret -f "$i"; done
2) Load the "backend" config
ldapadd -f /tmp/backend.ldif -D "cn=admin,cn=config" -x -w secret

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=my-application,dc=app
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=my-application,dc=app
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=my-application,dc=app" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by users read
olcAccess: to dn.base="" by users read
olcAccess: to * by users write by users read
I know that those olcAccess rules aren't great, and I plan to fix them
once I get past this problem.
3) "Frontend" Config
ldapadd -f /tmp/frontend.ldif -D "cn=admin,dc=my-application,dc=app" -x -w secret

dn: dc=my-application,dc=app
objectClass: top
objectClass: dcObject
objectClass: domain
dc: my-application

dn: cn=admin,dc=my-application,dc=app
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

dn: dc=directory,dc=my-application,dc=app
objectClass: top
objectClass: domain
dc: directory
Thanks,
Justin
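An added pre-flight check for a bootstrap like this one (example code, not from the original message or from OpenLDAP): it looks at the slapd command line for `-f` without `-F` (cn=config is then built in memory only, nothing ldapadd'ed into it is written to slapd.d, and a later start from slapd.d sees none of it), parses the LDIF for entries whose RDN value is missing from the entry itself (slapd refuses those as a naming violation), and compares the `-D` bind DN with the olcRootDN of the configured database (a DN that is neither the rootDN nor an existing entry cannot bind on a first load). The LDIF and DNs inside it are constructed so as to reproduce the last two mistakes.

```python
"""Pre-flight checks for a cn=config bootstrap done with ldapadd.

Added example, not code from the original message.  The LDIF and DNs
below are constructed; they reproduce an RDN/attribute mismatch and a
bind DN that is not the database's olcRootDN.
"""
import re
import shlex
from typing import Dict, List

Entry = Dict[str, List[str]]            # lower-cased attribute -> values
ORDER_TAG = re.compile(r"^\{-?\d+\}")   # cn=config ordering tag, e.g. {1}hdb


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank line ends an entry, a leading space
    continues the previous line, '#' starts a comment.  No base64 (::)
    values and no DN escaping; enough for hand-written config LDIF."""
    entries: List[Entry] = []
    current: Entry = {}
    last = None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
        elif not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        elif not raw.startswith("#"):
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_naming(entries: List[Entry]) -> List[str]:
    """Entries whose RDN attribute=value does not appear in the entry."""
    problems = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        attr, _, value = dn.split(",", 1)[0].partition("=")
        attr, value = attr.strip(), value.strip()
        present = {ORDER_TAG.sub("", v).lower() for v in entry.get(attr.lower(), [])}
        if value.lower() not in present:
            problems.append(f"{dn}: RDN value {value!r} is not a value of {attr}")
    return problems


def check_bind_dn(config_entries: List[Entry], bind_dn: str) -> List[str]:
    """The -D DN should be an olcRootDN; otherwise slapd looks for a real
    entry with that DN, which does not exist before the first load."""
    root_dns = {normalize_dn(v) for e in config_entries for v in e.get("olcrootdn", [])}
    if normalize_dn(bind_dn) in root_dns:
        return []
    return [f"{bind_dn} is not the olcRootDN of any configured database"]


def check_cmdline(cmdline: str) -> List[str]:
    """slapd -f without -F keeps cn=config in memory only."""
    args = shlex.split(cmdline)
    if "-f" in args and "-F" not in args:
        return ["-f without -F: cn=config changes are not written to slapd.d"]
    return []


BACKEND_LDIF = """\
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=my-application,dc=app
olcRootDN: cn=admin,dc=my-application,dc=app
olcRootPW: secret
olcAccess: to attrs=userPassword by dn="cn=admin,dc=my-application,dc=app" write
  by anonymous auth by self write by * none
"""

FRONTEND_LDIF = """\
dn: dc=my-application,dc=app
objectClass: top
objectClass: dcObject
objectClass: domain
dc: addressbook

dn: cn=admin,dc=my-application,dc=app
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: secret
"""

if __name__ == "__main__":
    backend = parse_ldif(BACKEND_LDIF)
    report = (check_cmdline("slapd -f /etc/openldap/slapd.conf -u ldap -d 0")
              + check_naming(backend) + check_naming(parse_ldif(FRONTEND_LDIF))
              + check_bind_dn(backend, "cn=admin,dc=addressbook,dc=app"))
    print("\n".join(report) or "no problems found")
```

The ordering-tag handling matters for cn=config LDIF: `olcDatabase=hdb` in the DN is satisfied by the value `{1}hdb`, so the check strips `{n}` before comparing, but for ordinary entries the RDN value must be present verbatim.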
Re: OLC (online config error)
by pramod kulkarni
Thanks for the reply
I added the core.schema
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/nis.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/dyngroup.schema
database config
rootdn cn=admin,cn=config
rootPw secret
but I am still getting the same "invalid argument" error, as shown below:
52313ad6 ldif_write_entry: could not put entry file for "cn=config" in place: Invalid argument
52313ad6 config_build_entry: build "cn=config" failed: "(null)"
52313ad6 backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)
Is there anything I am missing here in the slaptest invocation?
slapd -T test -f slapd.conf -F slapd.d
Waiting for your inputs.
On Wed, Sep 11, 2013 at 9:35 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Wednesday, September 11, 2013 2:48 PM +0530 pramod kulkarni
> <pammu.kulkarni(a)gmail.com> wrote:
>
>> I am trying to establish online config for openLDAP on Windows, but I am
>> getting the error below. How do I make online config work?
>>
>> 5230324d ldif_write_entry: could not put entry file for "cn=config" in
>> place: Invalid argument
>> 5230324d config_build_entry: build "cn=config" failed: "(null)"
>> 5230324d backend_startup_one (type=config, suffix="cn=config"):
>> bi_db_open failed! (-1)
>>
>> my slapd.conf file
>>
>> database config
>> rootdn "cn=admin,cn=config"
>> rootPw config
>
> IIRC, you must at least include the core schema file
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Lead Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
LMDB compiling procedure
by Mónico Briseño
Hi there. I just downloaded the LMDB tar file. I looked through its folder
contents but couldn't find any information on how to use these files with LDAP.
Any idea how to do it?
TIA
--
M.S. José M. Briseño Cortés
Universidad de Guadalajara
Instructional Technologist Univ. Houston
Moodle Teacher Certificate
NTCM, IACEP, iNACOL, ACM member