pam_ldap does not work
by PRAJITH
Hi,
When users with an expired account try to log in through PAM (SSH, su, etc.),
there is no warning displayed that the account is expired. The user is also
allowed to log in normally.
In the slapd log, the following message is displayed:
Mar 18 12:46:25 sip slapd[11790]: ppolicy_bind: Entry uid=prajith,ou=people,dc=XXX,dc=XX has an expired password: 0 grace logins
In the auth log:
###
Mar 18 23:43:37 chiron-desktop-linux2 login[7411]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=prajith
Mar 18 23:43:41 chiron-desktop-linux2 login[7411]: pam_unix(login:session): session opened for user prajith by root(uid=0)
###
Here is my ldap.conf:
########
base dc=XXX,dc=XX
uri ldap://XX.XX.XX
ldap_version 3
pam_lookup_policy yes
pam_password md5
pam_password exop
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,clamav,colord,daemon,dansguardian,dnsmasq,festival,games,gnats,guest-yRzqOV,hplip,imspector,irc,kernoops,libuuid,libvirt-dnsmasq,libvirt-qemu,lightdm,list,lp,mail,man,messagebus,mysql,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,swift,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
#######
Best Regards,
Prajith
http://prajith.in
--
9 years, 2 months
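As an added example (not code from the post), a small correlation script that flags PAM sessions opened for users that slapd's ppolicy overlay has reported as having an expired password, which is exactly the symptom described above. The log lines are constructed to mirror the ones quoted; hosts, pids and the DN suffix are made up.

```python
import re
from collections import defaultdict

# Constructed log excerpts mirroring the messages quoted in the post;
# hosts, pids and the DN suffix are made up.
SLAPD_LOG = """\
Mar 18 12:46:25 sip slapd[11790]: ppolicy_bind: Entry uid=prajith,ou=people,dc=example,dc=org has an expired password: 0 grace logins
Mar 18 12:47:02 sip slapd[11790]: conn=1003 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
"""
AUTH_LOG = """\
Mar 18 23:43:37 host1 login[7411]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=prajith
Mar 18 23:43:41 host1 login[7411]: pam_unix(login:session): session opened for user prajith by root(uid=0)
Mar 18 23:50:10 host1 sshd[7500]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# slapd's ppolicy overlay logs this when a bind hits an expired password.
EXPIRED_RE = re.compile(r"ppolicy_bind: Entry uid=([^,]+),.* has an expired password")
# pam_unix logs this once a PAM session is actually established.
SESSION_RE = re.compile(r"pam_unix\([^)]*:session\): session opened for user (\S+)")

def expired_uids(slapd_log):
    """Set of uids that slapd reported as having an expired password."""
    found = set()
    for line in slapd_log.splitlines():
        m = EXPIRED_RE.search(line)
        if m:
            found.add(m.group(1))
    return found

def opened_sessions(auth_log):
    """Map user -> auth log lines in which PAM opened a session for that user."""
    sessions = defaultdict(list)
    for line in auth_log.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions[m.group(1)].append(line)
    return sessions

def expired_logins(slapd_log, auth_log):
    """Users who obtained a PAM session although slapd flagged their password
    as expired: exactly the symptom the post describes."""
    expired = expired_uids(slapd_log)
    return {u: lines for u, lines in opened_sessions(auth_log).items() if u in expired}

if __name__ == "__main__":
    for user, lines in expired_logins(SLAPD_LOG, AUTH_LOG).items():
        print(f"ALERT: session opened for {user} despite expired password")
        for line in lines:
            print("  " + line)
```

Run against the real slapd and auth logs, a non-empty result means the expiry decided by ppolicy is not being enforced on the PAM side.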
lmdb maturity
by Jeff D'Angelo
Hi folks,
Would anyone want to comment on the maturity of lmdb?
I've been mostly swayed by the compelling technical arguments for it for
most purposes of an instance of OpenLDAP, by whitepapers and benchmarks.
I've yet to read many real complaints/known major issues against it.
But still today, the manual pages for hdb and lmdb state hdb remains the
preferred normal use database backend. There's also the future file
[in]compatibility bit in the slapd-mdb man page.
Any thoughts on when lmdb may be declared "good enough for production
loads" and/or the default recommended backend?
Thanks!
--
Jeff
slapd shuts down for no reason
by GALAMBOS Daniel
Hi,
We recently left the Debian OpenLDAP package, compiled 2.4.39 and
installed it on our servers.
The old slapd failed multiple times a day, and now the new one too.
The log says:
Mar 15 07:06:25 ldap1 slapd[2798]: daemon: shutdown requested and initiated.
Mar 15 07:06:25 ldap1 slapd[2798]: conn=72598 op=1 DISCONNECT tag=120
err=52 text=
...
Mar 15 07:06:25 ldap1 slapd[2798]: conn=72570 op=3 DISCONNECT tag=120
err=52 text=
Mar 15 07:06:25 ldap1 slapd[2798]: conn=72583 fd=45 closed (slapd shutdown)
....
Mar 15 07:06:25 ldap1 slapd[2798]: conn=72602 fd=59 closed (slapd shutdown)
Mar 15 07:06:25 ldap1 slapd[2798]: conn=72603 fd=60 closed (slapd shutdown)
Mar 15 07:06:25 ldap1 slapd[2798]: slapd shutdown: waiting for 0
operations/tasks to finish
Mar 15 07:06:25 ldap1 slapd[2798]: slapd stopped.
I've run out of ideas.
configure was run with the following switches: --enable-crypt
--enable-spasswd --enable-modules --enable-ppolicy --enable-syncprov
--enable-unique --with-cyrus-sasl, using libdb5.1-dev (deb 5.1.29-5).
Can you give me some pointers where to search for errors?
thanks,
Dancsa
Fw: Salted hashes
by espeake@oreillyauto.com
I have been doing some reading on salted hashes and I know that I never
set up a salt for the servers. We are doing some documentation for our security
people and the question came up about the salt: does it differ for each
user, or is the same salt used?
Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
(417) 862-2674 Ext. 1975
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
Re: Antw: Re: Question on replication files.
by Joshua Schaeffer
Not to beat a dead horse and not to bash on Debian (personally Debian is
the only distro I use), but to further help other people make a decision as
to which version they should/may want to install: the slapd package
included with Debian or the latest version from source:
The Debian community is fully aware of the numerous issues with their
OpenLDAP package and acknowledges that it needs work; they have also been
asking for help with OpenLDAP for some time (1878 days according to their
"work-needing packages" list):
openldap (#512360), requested 1878 days ago
Description: OpenLDAP server, libraries, and utilities
Reverse Depends: 389-admin 389-ds-base 389-ds-base-dev
389-ds-base-libs 389-dsgw adcli alpine am-utils aolserver4-nsldap
apache2-bin (200 more omitted)
Installations reported by Popcon: 163954
As the entry specifies, bug #512360 in the BTS gives additional
information about what work is needed:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512360
Thanks,
Josh
On Mon, Mar 17, 2014 at 11:32 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Monday, March 17, 2014 9:00 AM +0100 Ulrich Windl <
> Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>
> Dieter Klünter<dieter(a)dkluenter.de> schrieb am 14.03.2014 um 21:50 in
>>>>>
>>>> Nachricht
>> <20140314215009.33f39aee(a)pink.avci.de>:
>>
>>> Am Fri, 14 Mar 2014 09:27:10 +0100
>>> schrieb "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de>:
>>>
>>> >>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 13.03.2014 um
>>>> >>> 19:03 in
>>>> Nachricht <34E9E18C6D0A7C6D92162635(a)[192.168.1.46]>:
>>>> > --On Thursday, March 13, 2014 1:56 PM -0500 espeake(a)oreillyauto.com
>>>> > wrote:
>>>> >
>>>> >> Version 2.4.31-1+nmu2
>>>> >>
>>>> >> Plain syncrepl.
>>>> >>
>>>> >> As I said I hope to be upgrading to the latest version in the next
>>>> >> couple of months. Right now I need to get through this problem
>>>> >> the best I can.
>>>> >
>>>> > Known issue with 2.4.31. Solution is to upgrade and stop using the
>>>> > crap shipped by Debian. The LTB project now has a deb repository
>>>> > for their builds, I'd advise investigating switching to using it.
>>>>
>>>>
>> A: >> One could also file a bug report for Debian, I guess.
>>
>>>
>>>
>> B: > Rubbish, have you ever seen a Debian or Ubuntu maintainer posting to
>>
>>> this mailing list?
>>>
>>
>> C: > Actually there is no qualified Debian or Ubuntu maintainer.
>>
>> What has A to do with B, and how can you conclude C from A or B?
>>
>
> B obviously has to do with A. A qualified maintainer would maintain some
> presence with the upstream project.
>
> C you can conclude from years of interacting with the Debian project, like
> I have.
>
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Architect - Server
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
RE: slapd shuts down for no reason
by Christian Kratzer
Hi,
On Tue, 18 Mar 2014, Borresen, John - 0442 - MITLL wrote:
> Only for logrotate.
Of which logs exactly?
> The -HUP in the logrotate.conf was not working. Even
> on the command line kill the slapd process with a -HUP was not working.
> Putting the /etc/init.d/slapd stop; sleep 5, /etc/init.d/slapd start does
> make sense when nothing else was working. We tried numerous different
> iterations, this was the only thing that worked for us. It worked...so,
> thus it makes sense.
Restarting slapd does not make sense for syslog, as syslog has the file
handle open, not slapd.
From my understanding it also does not make sense for auditlog.
Greetings
Christian
>
> -----Original Message-----
> From: Christian Kratzer [mailto:ck-lists@cksoft.de]
> Sent: Tuesday, March 18, 2014 8:51 AM
> To: Borresen, John - 0442 - MITLL
> Cc: Hallvard Breien Furuseth; openldap-technical(a)openldap.org
> Subject: RE: slapd shuts down for no reason
>
> Hi,
>
> On Tue, 18 Mar 2014, Borresen, John - 0442 - MITLL wrote:
>
>> Fall back to legacy unix...sorry logrotate is more appropriate. Yes,
>> yours is very similar to how ours looked and it would stop the daemon
>> fine, and rotate the log but would not restart. I modified it to look
> like this:
>>
>> ....
>> /etc/init.d/slapd stop; sleep 5; /etc/init.d/slapd start
>
> Why are you stopping and starting slapd? This does not make any sense.
>
> Greetings
> Christian
>
>> ....
>>
>> Commenting out the "/bin/kill -s HUP syslogd".
>>
>> Now, it does what it is supposed to do.
>>
>> John
>>
>> -----Original Message-----
>> From: Hallvard Breien Furuseth [mailto:h.b.furuseth@usit.uio.no]
>> Sent: Tuesday, March 18, 2014 4:26 AM
>> To: Borresen, John - 0442 - MITLL
>> Cc: openldap-technical(a)openldap.org
>> Subject: RE: slapd shuts down for no reason
>>
>> On Mon, 2014-03-17 at 08:30 -0400, Borresen, John - 0442 - MITLL wrote:
>>> We had a similar issue a few months back. I discovered that it was
>>> dying at about the same time. Come to find out it was syslog
>>> rotation that was doing it. Syslog sends a HUP signal to rotate the
>>> logs and restart a daemon. I had to put a sleep statement in the syslog
> for slapd.
>>
>> Your syslog rotates logs? On our host (RedHat) it's logrotate which
>> does that. And it's logrotate which must kill -HUP syslogd, to make
>> syslogd close and reopen the log. From logrotate.conf:
>>
>> notifempty
>> missingok
>> create 0640 ldap cerebrum
>> start 0
>>
>> /ldap/log/syslog/openldap.log {
>> size=250M
>> rotate 2500
>> compress
>> delaycompress
>> lastaction
>> /bin/kill -s HUP syslogd
>> endscript
>> }
>>
>>
>
>
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
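An added check (not from the thread) for the point made above: before writing a rotation hook, confirm which process actually holds the log file open. Assumes a Linux /proc and a log file path of your own; slapd.log below is a placeholder.

```sh
#!/bin/sh
# List the processes that currently hold a given log file open (Linux /proc;
# only processes readable by the caller are seen). The daemon printed here
# is the one that must be told to reopen the file after rotation.
log_writers() {
    target=$(readlink -f "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# Usage: log_writers /var/log/slapd.log   (path is a placeholder)
# When syslog writes the file, the output names syslogd/rsyslogd and not
# slapd, so the rotate hook should HUP (or reload) syslog and leave slapd alone.
```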
Re: Antw: Re: Question on replication files.
by Quanah Gibson-Mount
--On Monday, March 17, 2014 9:00 AM +0100 Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>>>> Dieter Klünter<dieter(a)dkluenter.de> schrieb am 14.03.2014 um 21:50 in
> Nachricht
> <20140314215009.33f39aee(a)pink.avci.de>:
>> Am Fri, 14 Mar 2014 09:27:10 +0100
>> schrieb "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de>:
>>
>>> >>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 13.03.2014 um
>>> >>> 19:03 in
>>> Nachricht <34E9E18C6D0A7C6D92162635(a)[192.168.1.46]>:
>>> > --On Thursday, March 13, 2014 1:56 PM -0500 espeake(a)oreillyauto.com
>>> > wrote:
>>> >
>>> >> Version 2.4.31-1+nmu2
>>> >>
>>> >> Plain syncrepl.
>>> >>
>>> >> As I said I hope to be upgrading to the latest version in the next
>>> >> couple of months. Right now I need to get through this problem
>>> >> the best I can.
>>> >
>>> > Known issue with 2.4.31. Solution is to upgrade and stop using the
>>> > crap shipped by Debian. The LTB project now has a deb repository
>>> > for their builds, I'd advise investigating switching to using it.
>>>
>
> A: >> One could also file a bug report for Debian, I guess.
>>
>
> B: > Rubbish, have you ever seen a Debian or Ubuntu maintainer posting to
>> this mailing list?
>
> C: > Actually there is no qualified Debian or Ubuntu maintainer.
>
> What has A to do with B, and how can you conclude C from A or B?
B obviously has to do with A. A qualified maintainer would maintain some
presence with the upstream project.
C you can conclude from years of interacting with the Debian project, like
I have.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
public ssh key access
by Ivan Upsons
dear all,
I have OpenLDAP 2.4 running and phpLDAPadmin configured. One challenge I am
facing is how to include SSH keys to aid my authentication.
I am running Ubuntu 12.04.
Any ideas on how to go about this?
Kind Regards
Ivan
Question on replication files.
by espeake@oreillyauto.com
We are having an issue with some users not replicating to all of the servers.
I have MMR set up with three nodes, and there are a few times that a user
has an attribute changed, i.e. supervisor, and the change is replicated to
one server and not to another. So the information is correct on 2 of 3
servers. My question, after running a very long diff against two
LDIFs created by slapcat of the replication database, is this: shouldn't the
replication databases be the same? The issues do happen with every change
and every user, just a few times.
I am not on the latest version and I cannot upgrade to the latest version
with a better kernel until our staff upgrades our VM server, due to
migration issues with the kernel I would like to have. We are on Ubuntu 12.04,
and if we can get the VM server updated soon we will start testing 14.04
when it is released.
Any suggestions on a good way to test, besides the obvious of turning on
logging for sync, which I have done in our test environment for now?
Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
(417) 862-2674 Ext. 1975
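As an added example (not from the thread), a small normaliser that compares two slapcat exports entry by entry and attribute by attribute: it unfolds LDIF continuation lines and, by default, ignores contextCSN, which drifts transiently while replicas catch up, so that the differences left over are the ones worth chasing. The LDIF samples are constructed.

```python
import re
from collections import defaultdict

# Constructed slapcat-style exports of two replicas (not real data): the
# description value is folded differently on each side, manager differs.
LDIF_A = """\
dn: dc=example,dc=org
contextCSN: 20140317100000.000000Z#000000#001#000000

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
manager: uid=alice,ou=people,dc=example,dc=org
description: a long description that slapcat
  folds across lines
"""
LDIF_B = LDIF_A.replace("100000.000000Z", "100500.000000Z").replace(
    "uid=alice", "uid=carol").replace("slapcat\n  folds", "slapcat folds")

def parse_ldif(text, ignored=frozenset({"contextcsn"})):
    """slapcat output -> {dn: {attr: sorted values}}; continuation lines are
    unfolded, attribute names lower-cased, `ignored` attributes dropped."""
    entries = {}
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line[0] == "#": continue
            name, _, value = line.partition(":")
            name, value = name.lower(), value.strip()  # base64 values keep ':'
            if name == "dn":
                dn = value
            elif name not in ignored:
                attrs[name].append(value)
        if dn is not None:
            entries[dn] = {k: sorted(v) for k, v in attrs.items()}
    return entries

def diff_replicas(ldif_a, ldif_b, ignored=frozenset({"contextcsn"})):
    """(dn, attr, values_a, values_b) for every disagreement; attr is None
    when the whole entry is missing on one side."""
    a, b = parse_ldif(ldif_a, ignored), parse_ldif(ldif_b, ignored)
    out = []
    for dn in sorted(set(a) | set(b)):
        ea, eb = a.get(dn), b.get(dn)
        if ea is None or eb is None:
            out.append((dn, None, ea, eb))
            continue
        for attr in sorted(set(ea) | set(eb)):
            if ea.get(attr) != eb.get(attr):
                out.append((dn, attr, ea.get(attr), eb.get(attr)))
    return out
```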
two entries, the same attribute
by Friedrich Locke
Hi folks,
I am planning to use OpenLDAP to build my email infrastructure. What
happens if two users (two entries) hold the same email address?
Thanks in advance.
Best regards,
gustavo.