openldap-technical June 2015

openldap-technical@openldap.org

50 participants
49 discussions

mulitple URI for failed TLS connection
by Daniel Jung 22 Jun '15

22 Jun '15

Hi, Using openldap-2.4.39. Just want to confirm that its normal behaviour for ldapsearch(CLI) to fail on the first attempt and not to use the next server in URI setting? I can see the SSSD handles TLS failure better by querying the next server in the URI. Cheers,

1 0

group email addresses
by Brendan Kearney 22 Jun '15

22 Jun '15

i have done some reading, and it seems that no official standard exists for group email addresses. to that end, i am looking to enlighten myself about what is done to provide mail addresses for groupOfNames groups. i would imagine there is some overlap between what many or most folks do and that would be a good starting point for me. i figure its something like "you have 7 steps to perform, and everyone does step 1,2,3 and 5 the same way. the rest, you are on your own for." i want to setup mailboxes for these groups, for example: cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com cn=ldapEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com these are groupOfNames structural groups, with top and posixGroup classes as aux. where do most folks begin, when setting up group mailboxes? i found a schema that is not official and has been extended with the same names but different numerical OIDs. I am not sure if this is the right path to follow, or if something more "standards focused" is appropriate. any help is appreciated. thanks, brendan

5 7

LDAPCon 2015 submission deadline approaching
by Andrew Findlay 19 Jun '15

19 Jun '15

LDAPCon 2015 will be held in Edinburgh on 11-13 November. The submission deadline for paper and tutorial proposals is 28th June so you have just one week to send us your ideas: http://ldapcon.org/2015/?page_id=5 Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

1 0

best attr for multiple fields in one TAB-separated field ..
by lejeczek 18 Jun '15

18 Jun '15

.. which would be mail related, can somebody recommend? many thanks. P.

1 0

does slapd store/cache TLS certs
by lejeczek 18 Jun '15

18 Jun '15

hi everybody, I could not connect to slapd, command would fail with infamous: TLS: error: connect - force handshake failure: errno 0 - moznss error -5938 TLS: can't connect: TLS error -5938:Encountered end of file. ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS error -5938:Encountered end of file I was positive about certs, restarted daemons, looked at other obvious places, etc. - nothing. Only after I removed database & config files, recreated/restarted the whole slap it worded. Would it be that slapd caches certificates somewhere and does not re-read those upon restart? many thanks

2 2

open ldap meta backend empty search
by Pierluca Marino 17 Jun '15

17 Jun '15

Hi, I have a problem with meta backend feature. I need to get data from two different LDAP under a unique dn. The two ldap are an active directory and another ldap that should be on the same Open LDAP instance of the meta backend. Actually to test the solution I'm usind Open LDAP Windows version. This is my sladp config: # LDIF Backend configuration file # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. ucdata-path ./ucdata include ./schema/core.schema include ./schema/cosine.schema include ./schema/nis.schema include ./schema/inetorgperson.schema include ./schema/openldap.schema include ./schema/dyngroup.schema pidfile ./run/slapd.pid argsfile ./run/slapd.args # Enable TLS if port is defined for ldaps TLSVerifyClient never TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCertificateFile ./secure/certs/server.pem TLSCertificateKeyFile ./secure/certs/server.pem TLSCACertificateFile ./secure/certs/server.pem ####META database meta suffix "dc=proxy,dc=company,dc=it" rootdn "cn=Manager,dc=proxy,dc=company,dc=it" rootpw "secret" uri "ldap://adhost:390/dc=proxy,dc=company,dc=it" suffixmassage "dc=proxy,dc=company,dc=it" "dc=company,dc=cosmag,dc=it" lastmod off idassert-bind bindmethod=simple binddn="cn=Manager,dc=company,dc=cosmag,dc=it" credentials="password" mode=none flags=non-prescriptive idassert-authzFrom "dn.exact:cn=Manager,dc=proxy,dc=company,dc=it" acl-authcDN "cn=Manager,dc=company,dc=cosmag,dc=it" acl-passwd "password" uri "ldap://localhost:389/dc=proxy,dc=company,dc=it" suffixmassage "dc=proxy,dc=company,dc=it" "dc=portal,dc=company,dc=it" lastmod off idassert-bind bindmethod=simple binddn="cn=Manager,dc=portal,dc=company,dc=it" credentials="secret" mode=none flags=non-prescriptive idassert-authzFrom "dn.exact:cn=Manager,dc=proxy,dc=company,dc=it" acl-authcDN "cn=Manager,dc=portal,dc=company,dc=it" acl-passwd "secret" ####################################################################### # ldif database definitions ####################################################################### database ldif directory ./ldifdata suffix "dc=portal,dc=company,dc=it" rootdn "cn=Manager,dc=portal,dc=company,dc=it" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}Bww72HPj9nrNxrLAQxuTqP1Z0zuafPPd The server start normally, but when I do a search starting from base dn "dc=proxy,dc=company,dc=it" nothing is returned: ldapsearch -H ldap://localhost:389 -x -D "cn=Manager,dc=proxy,dc=company,dc=it" -W -b "dc=proxy,dc=company,dc=it" -s base -a always -z 1 "(objectClass=*)" "hasSubordinates" "objectClass" # baseObject : dc=proxy,dc=company,dc=it # scope : baseObject (0) # derefAliases : derefAlways (3) # sizeLimit : 1 # timeLimit : 0 # typesOnly : False # filter : (objectClass=*) # attributes : hasSubordinates objectClass #!SEARCH RESULT DONE (32) OK #!CONNECTION ldap://localhost:389 #!DATE 2015-06-16T07:38:21.970 # numEntries : 0 Server log returns: conn=1000 op=6 <<< meta_back_search_start[1]=0 conn=1000 op=6 meta_back_search: ncandidates=0 cnd="**" conn=1000 op=6 meta_back_search: base="dc=proxy,dc=company,dc=it" scope=0: no candidate could be selected send_ldap_result: conn=1000 op=6 p=3 send_ldap_response: msgid=7 tag=101 err=52 Where is my mistake? There is something that I have missed in configuration? Best Regards Pierluca

1 0

proxy to AD does not work during login client machine
by Leo Xiao 17 Jun '15

17 Jun '15

Hi technical, I hit a problem during configure proxy to AD. I can run command: $ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName which return the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well. But if I run command with out -D -D cn=open,cn=users,dc=mydomain,dc=local. The search will failed. when I try to login my client machine with AD user. It always failed. --- I can login with openldapuser successfully. I think I need some configuration to force the -D in slapd.con. Is there any problems with my slapd.conf? Or any trouble shooting comments? Appreciate it very much. Below is my slapd.conf: ####################################################################### # database definitions ####################################################################### database ldap suffix "DC=mydomain,DC=local" uri ldap://dc-ad.mydomain.local/ chase-referrals no rebind-as-user yes idassert-bind bindmethod=simple binddn="CN=open,OU=users,DC=mydomain,DC=local" credentials=open mode=none flags=non-prescriptive idassert-authzFrom "*" Thanks, Leo

2 4

authentication with SSL
by Bharath K 16 Jun '15

16 Jun '15

i am trying to accesses on specific web pages and use LDAP users for authentication with SSL connection.but i am getting error like my username which is stored in ldap database user name:cdac password:cdac123 but when i authenticate i am getting below error user cdac: authentication failure for "/": Password Mismatch [2446] auth_ldap authenticate: user test1 authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials] please help me..............

1 0

problem using redundant ldap servers with keystone
by Chris Card 15 Jun '15

15 Jun '15

Hi, I have an HA OpenStack installation with a keystone domain backed by an LDAP server. I want to make the installation resilient in the case of an LDAP server failure, so I have configured keystone with a space-separated list of LDAP server urls in the [ldap] url option. This configuration appears to work well if I e.g. stop slapd on one of the LDAP servers - I can login to horizon as a user from the LDAP directory as long as one of the LDAP servers is running slapd. But if I shutdown one of the LDAP servers, login to horizon fails and the browser (chrome in this case) says "No data received". I've turned on debug logging in keystone, and as far as I can see the LDAP requests are still working; indeed cli commands like "openstack user list --domain <domain>" which get data from LDAP still work. Any ideas? [openstack juno, centos 7, keystone and horizon running as wsgi apps under Apache] Chris

1 1

AW: problem with olcAccess - can not change own userPassword field
by Stefan Bauer 14 Jun '15

14 Jun '15

Hi Ryan, thank you. Stefan -----Ursprüngliche Nachricht----- Von: Ryan Tandy <ryan(a)nardis.ca> Gesendet: Son 14 Juni 2015 00:59 An: Stefan Bauer <sb(a)plzk.de> CC: openldap-technical(a)openldap.org Betreff: Re: problem with olcAccess - can not change own userPassword field On Thu, Jun 11, 2015 at 02:12:19PM +0200, Stefan Bauer wrote: >olcAccess: {0}to * by * read by * break "by * read" matches everyone, and stops. "by * break" is never reached. >olcAccess: {1}to dn.subtree="ou=Benutzer,dc=example,dc=com" attrs=userPassword by self write by * break This rule is never reached, because everyone is matched by "by * read" (with "stop" implicit) above.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2015