openldap-technical September 2013

openldap-technical@openldap.org

72 participants
78 discussions

Fwd: [GENERAL] Using LDAP for PostgreSQL permissions/authentication
by Stephan Fabel 17 Sep '13

17 Sep '13

Found on the Postgres mailing list... seems like some folks like to do user provisioning with config management tools rather than LDAP. I don't agree with the guy, but he does point out one issue that I find interesting, which is the absense of a "history" of sorts. Are you guys thinking of some sort of "snapshotting" / COW feature? Would something like that even make sense? -Stephan ---------- Forwarded message ---------- From: Stephen Frost Date: Fri, Sep 13, 2013 at 10:29 AM Subject: Re: [GENERAL] Using LDAP for PostgreSQL permissions/authentication Cc: pgsql-general(a)postgresql.org * Bill Moran wrote: > As documented, LDAP solves a few of the problems we have -- since everyone > will be in LDAP, we can use LDAP's password complexity rules and password > expiration to handle those security requirements, and (of course) when > someone changes their password, they don't have to remember to change it > on every server ... these are big wins. Better is to use Kerberos, imv. It's what AD does. > But it doesn't help with the headache of creating the accounts on all the > servers, or dropping them as part of employee termination procedures, or > doing security audits, or changing permissions on multiple servers when > an employee gets a promotion, etc. Nope; I'd use puppet or chef or something along those lines to deal with this aspect, much as I'd do with Unix accounts. Using nsswitch and tying every user name look up to LDAP has certain.. drawbacks. > Thus, when I go to log in as wmoran, LDAP checks my password, then informs > PostgreSQL to allow me in with specified roles, and I can do operations > granted to those roles. That's a little over-simplistic, isn't it? What about objects which are created by the 'wmoran' account? > Obviously, that's not how it works now ... my question is why not? Is it just > a matter of nobody's gotten to it yet, or are there issues that make such > an implementation difficult/troublesome/impossible? If it's possible, does > anyone have any concept of how hard it would be to implement? My gut feeling on this is 'pretty darn hard' and 'not sure there are many who really want it'. That last particularly because tools like puppet and chef exist and solve this problem in a better way, imv anyway, than LDAP. Back in the day, I was a big proponent of LDAPv3 and all of the nice things it did, but the complexities involved in "what happens when the network goes away" grew tiring and managing accounts through a config management system which also tracks history of changes, both to the master repo and to the individual systems, wins hands down. Thanks, Stephen ----------------------------------------

3 2

RE: unsubscribe
by Quanah Gibson-Mount 17 Sep '13

17 Sep '13

--On Tuesday, September 17, 2013 4:04 PM +0000 Sebastian Bianchi <Sebastian.Bianchi(a)zaisgroup.com> wrote: > How can I unsubscribe from this list? It is going to > Ryan.Palamara(a)zaisgroup.com and he is no longer with the company. This first thing you should never do is hijack a thread. You can read over <http://www.openldap.org/lists/> for information about the lists. Which, for example, can take you to <http://www.openldap.org/lists/mm/listinfo/openldap-technical> and then you can get the information on how to contact the moderator if you can't force unsubscribe your old employee. --Quanah -- Quanah Gibson-Mount Lead Engineer Zimbra Software, LLC -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

openldap mods check attributetype undefined
by Chandrashekar Kola 16 Sep '13

16 Sep '13

Hello All, We have a openldap 2 nodes running on mirrormode set up. We recently added a new attributetype, after that we are seeing this message on slave node. And i can see the Attributype from ApacheDirectory studio on Masternode but not on slave node. syncrepl_message_to_entry: rid=001 mods check (userid: attribute type undefined) Both the nodes have the same schema file and both are running on openldap 2.4 version. Does anybody get into this issue. *Thanks, * *Chandu *

2 1

Re: ldap replication getting lost
by Ashok Kumar Shah 16 Sep '13

16 Sep '13

Thanks. yup i will upgrade to the latest stable. ~Ashok On Mon, Sep 16, 2013 at 9:48 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Saturday, September 14, 2013 2:00 PM +0530 Ashok Kumar Shah < > ashok.shah(a)flipkart.com> wrote: > > Openldap Version: 2.4.23 >> > > Your issue was known fixed in a later release. I would suggest, as I > repeatedly do, that you use a current build. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Lead Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

ldap replication getting lost
by val john 16 Sep '13

16 Sep '13

Hi guys im running simple ldap replication setup , ldap slave node sites behind the firewall and port 389 is open to all and my ldap replication works fine for most of the time , (slave node getting updated real time ) But some times slave just stop getting the update from the master server , But when is restart slave ldap server replication start again , .... as fallows Aug 21 11:59:24 ldapmirror slapd[18107]: do_syncrep2: rid=004 cookie=rid=004,sid=002,csn=20130821160107.813479Z#000000#002#000000 Aug 21 11:59:24 ldapmirror slapd[18107]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) Aug 21 11:59:24 ldapmirror slapd[18107]: <= bdb_equality_candidates: (entryUUID) not indexed Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 be_search (0) Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 uid=user1,ou=staff,dc=example,dc=com Aug 21 11:59:25 ldapmirror slapd[18107]: slap_queue_csn: queing 0xcc1060 20130821160107.813479Z#000000#002#000000 Aug 21 11:59:25 ldapmirror slapd[18107]: slap_graduate_commit_csn: removing 0xcc0a40 20130821160107.813479Z#000000#002#000000 Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 be_modify uid=user1,ou=staff,dc=example,dc=com (0) Aug 21 11:59:25 ldapmirror slapd[18107]: slap_queue_csn: queing 0xcc1060 20130821160107.813479Z#000000#002#000000 Aug 21 11:59:25 ldapmirror slapd[18107]: slap_graduate_commit_csn: removing 0x1a55a70 20130821160107.813479Z#000000#002#000000 Ldap slave configuration .. syncrepl rid=004 provider=ldap://ldap.example.com bindmethod=simple binddn="cn=admin,ou=staff,dc=example,dc=com" credentials="passwd" searchbase="dc=example,dc=com" schemachecking=off type=refreshAndPersist retry="60 +" mirrormode on Is there any reason for such behavior , Please advice Thank You John

5 5

Attributes rewriting
by Vitaliy Aleksandrov 16 Sep '13

16 Sep '13

Hello, List I've been trying to find a working example to understand how slapo-rwm, slapd-meta and slapd-relay work for the last 3 days with no success. I just need to substitute one attribute by another for a single LDAP user. Lets say I have a posixAccount Object with cn = user1 as shown below. dn: uid=user1,ou=People,dc=localnet uid: user1 cn: user1 objectClass: account objectClass: posixAccount objectClass: shadowAccount ..... Also I have two LDAP users (organizationalRole): admin. simpleuser. I want to configure openldap in a way which allows "simpleuser" to make queries using "(description=user1)" instead of ("cn=user1") to find previously mentioned user object. The only thing I was able to configure is the suffixmassage, but can't find a way how to add rwm-map to my configuration. Could somebody point me to the working example.

1 1

slapd.conf deprecate as of 2.5?
by Daniel Jung 15 Sep '13

15 Sep '13

Hi, Quick search through the list shows that slapd.conf will not be supported as of 2.5? Is this still the case? When can we expect 2.5 minor release? Thanks for your answer in advance.

1 0

All Data Deleted on Slapd Restart
by Justin Brown 13 Sep '13

13 Sep '13

Hello, I'm new to using OpenLDAP, and I'm having some trouble finding my way on 2.4 with cn=config. After a lot of trial and error, I finally got the initial ldif files setup to initialize the directory. I'll post the configurations below. One of the peculiarities of my Fedora system is that it does not read my slapd.conf, which contains the initial admin password (for cn=admin,cn=config). Therefore, I manually launch slapd -f /etc/openldap/slapd.conf... and run my ldifs. That works great, and I setup regular user accounts. So far so good. Now that I'm done with initialization, I want to stop slapd and start it up with my service manager (systemd). I issue a `killall slapd` (no SIGKILL) or ^C if running with "-d 0" to stop the console session. There are no error messages. Upon restart (either systemd or on the same console), the whole directory is wiped out and reverted back to default. Again, no errors in the system logs, and the only messages are slapd starting and any Apache Directory Studio or ldapsearch queries that I perform. I have tripled checked all of the file permissions (and SELinux contexts) in /etc/openldap and /var/lib/ldap and cannot find any errors. Could someone help me figure out why my data is purged on restart? Here are the ldif files and commands that I run. Slapd from console slapd -f /etc/openldap/slapd.conf -u ldap -d 0 1) Load the schemas for i in $(ls /etc/openldap/schema/*.ldif); do ldapadd -x -f $i -D "cn=admin,cn=config" -w secret; done 2) Load the "backend" config ldapadd -f /tmp/backend.ldif -D "cn=admin,cn=config" -x -w secret dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/ldap olcModuleload: back_hdb dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcSuffix: dc=my-application,dc=app olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=my-application,dc=app olcRootPW: secret olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcDbCheckpoint: 512 30 olcAccess: to attrs=userPassword by dn="cn=admin,dc=my-application,dc=app" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by users read olcAccess: to dn.base="" by users read olcAccess: to * by users write by users read I know that those olcAccess rules aren't great, and I plan to fix them once I get past this problem. 3) "Frontend" Config ldapadd -f /tmp/frontend.ldif -D "cn=admin,dc=addressbook,dc=app" -x -w secret dn: dc=my-application,dc=app objectClass: top objectClass: dcObject objectclass: domain dc: addressbook dn: cn=admin,dc=my-application,dc=app objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: secret dn: dc=directory,dc=my-application,dc=app objectClass: top objectClass: domain dc: directory Thanks, Justin

1 0

Re: OLC (online config error)
by pramod kulkarni 11 Sep '13

11 Sep '13

Thanks for the reply I added the core.schema include ./schema/core.schema include ./schema/cosine.schema include ./schema/nis.schema include ./schema/inetorgperson.schema include ./schema/openldap.schema include ./schema/dyngroup.schema database config rootdn cn=admin,cn=config rootPw secret but I am still getting the same error of invalid argument as shown below 52313ad6 ldif_write_entry: could not put entry file for "cn=config" in place: Invalid argument 52313ad6 config_build_entry: build "cn=config" failed: "(null)" 52313ad6 backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1) slap_startup failed (test would succeed using the -u switch) is their anything I am missing here in slaptest function slapd -T test -f slapd.conf -F slapd.d waiting for your inputs On Wed, Sep 11, 2013 at 9:35 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Wednesday, September 11, 2013 2:48 PM +0530 pramod kulkarni < > pammu.kulkarni(a)gmail.com> wrote: > > >> I am trying to establish online config for openLDAP on windows but I am >> getting this below error how to make online config >> >> >> >> 5230324d ldif_write_entry: could not put entry file for "cn=config" in >> place: Invalid argument >> 5230324d config_build_entry: build "cn=config" failed: "(null)" >> 5230324d backend_startup_one (type=config, suffix="cn=config"): >> bi_db_open failed! (-1) >> >> >> my slapd.conf file >> >> >> >> database config >> rootdn "cn=admin,cn=config" >> rootPw config >> > > IIRC, you must at least include the core schema file > > --Quanah > > -- > > Quanah Gibson-Mount > Lead Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 2

LMDB compiling procedure
by Mónico Briseño 11 Sep '13

11 Sep '13

Hi, there. I just downloaded LMDB tarfile. I verified its folder content but I couldn't find any information of how can I use this files with Ldap. Any idea how to do it. TIA -- M.S. José M. Briseño Cortés Universidad de Guadalajara Instructional Technologist Univ. Houston Moodle Teacher Certificate NTCM, IACEP, iNACOL, ACM member

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2013