eDirectory LDAP To OpenLDAP Layout
by Shaun Glass
Good Day,
I am having to migrate from eDirectory to OpenLDAP as we are getting rid of
eDirectory Services. When setting up OpenLDAP I have, as an example, the
following:
cn=user,ou=Users,ou=Location,o=LDAP,dc=Company,dc=com
... but in eDirectory it was just :
cn=user,ou=Users,ou=Location,o=LDAP
OpenLDAP would not let me create it as above, since I got the following error
when not initially creating a dc=:
LDAP: error code 53 - no global superior
The reason I need this is that the user that binds to LDAP on all
servers uses the notation:
cn=user,ou=Users,ou=Location,o=LDAP
... and we do not want to reconfigure all servers, several hundred of them.
Is there some way that we can partition so that the above format can still be
used?
Regards
6 years, 5 months
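An added example (not from the original post or from OpenLDAP itself) that shows why slapd answers 53 here and what the fix looks like. OpenLDAP does not require a dc= component in a suffix; resultCode 53 with "no global superior" is what slapd returns when no configured database suffix is a superior of the DN being added. Declaring a database with olcSuffix: o=LDAP and then adding the o=LDAP entry itself lets the eDirectory-style DNs be used unchanged. The code models the naming-context lookup slapd performs and emits the cn=config LDIF for such a database; the database index, directory path and rootdn are illustrative assumptions.

```python
# Added example (not from the original post or the OpenLDAP project): models
# how slapd picks the database that holds a DN, which is what decides between
# "no global superior" (resultCode 53) and a successful add, and emits the
# cn=config LDIF for a database whose suffix is o=LDAP rather than dc=...
# The suffix, directory and rootdn values used below are illustrative.


def split_dn(dn):
    """Split a string DN into [(type, value), ...] honouring backslash
    escapes (RFC 4514), so 'cn=a\\,b,o=LDAP' is two RDNs, not three."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep both bytes
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        atype, _, value = rdn.strip().partition("=")
        out.append((atype.strip().lower(), value.strip()))
    return out


def _norm(rdns):
    """Case-fold values for matching (adequate for the caseIgnore attribute
    types used in suffixes; slapd applies each attribute's matching rule)."""
    return [(t, v.lower()) for t, v in rdns]


def naming_context(dn, suffixes):
    """Return the configured suffix that is a superior of dn (longest match
    wins, as with nested databases), or None when no database holds it."""
    target = _norm(split_dn(dn))
    best = None
    for suffix in suffixes:
        sfx = _norm(split_dn(suffix))
        if len(sfx) <= len(target) and target[len(target) - len(sfx):] == sfx:
            if best is None or len(sfx) > len(split_dn(best)):
                best = suffix
    return best


def add_result(dn, suffixes):
    """What slapd answers to an add of dn given the configured olcSuffix
    values. (Inside a context the parent entry must also exist, otherwise
    noSuchObject/32; that second check is not modelled here.)"""
    ctx = naming_context(dn, suffixes)
    if ctx is None:
        return "error code 53 - no global superior"
    return "ok: held by the database with suffix %s" % ctx


ROOT_CLASSES = {            # objectClass to use for the suffix entry itself
    "o": ["organization"],
    "dc": ["dcObject", "organization"],
    "ou": ["organizationalUnit"],
}


def database_ldif(suffix, index, directory, rootdn):
    """cn=config LDIF adding an mdb database with an arbitrary suffix; slapd
    only requires that the RDN attribute types exist in the loaded schema."""
    return "\n".join([
        "dn: olcDatabase={%d}mdb,cn=config" % index,
        "objectClass: olcDatabaseConfig",
        "objectClass: olcMdbConfig",
        "olcDatabase: {%d}mdb" % index,
        "olcSuffix: %s" % suffix,
        "olcRootDN: %s" % rootdn,
        "olcDbDirectory: %s" % directory,
        "",
    ])


def root_entry_ldif(suffix):
    """LDIF for the suffix entry; its RDN attribute must be present and the
    objectClass must allow it (objectClassViolation/65 otherwise)."""
    atype, value = split_dn(suffix)[0]
    classes = ROOT_CLASSES.get(atype)
    if classes is None:
        raise ValueError("no default objectClass for RDN type %r" % atype)
    lines = ["dn: %s" % suffix]
    lines += ["objectClass: %s" % oc for oc in classes]
    lines.append("%s: %s" % (atype, value))
    if atype == "dc":            # organization requires o, so supply it
        lines.append("o: %s" % value)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    suffixes = ["dc=Company,dc=com"]
    user = "cn=user,ou=Users,ou=Location,o=LDAP"
    print(add_result(user, suffixes))                 # error 53
    print(add_result(user, suffixes + ["o=LDAP"]))    # ok
    print(database_ldif("o=LDAP", 2, "/var/lib/ldap/o-ldap", "cn=admin,o=LDAP"))
    print(root_entry_ldif("o=LDAP"))
```

Apply the database LDIF with ldapadd -Y EXTERNAL -H ldapi:/// (the olcDbDirectory must already exist and be writable by the slapd user), then add the o=LDAP entry binding as the new rootdn. The intermediate containers (ou=Location, then ou=Users) still have to be created before cn=user itself, since within a database an add needs an existing parent.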
delta-syncrepl consumer randomly deletes objects
by Raffael Sahli
Hi
What can lead a consumer to "randomly" delete ~50% of all objects in its database?
I have had this problem now for ~1-2 months and on 3 different master/slave groups.
The consumer starts to delete objects (but those are all present on the master):
Oct 19 17:16:22 ldap-slave002.xxx slapd[8554]: do_syncrep2: rid=999 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 19 17:16:22 ldap-slave002.xxx slapd[8554]: do_syncrep2: rid=999 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 9c802b18-7c2c-1033-9f25-2d4a65066d19, dn uid=jasmin.mans,ou=none,o=dd,dc=xxx,dc=xxx
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 650ada00-e996-1035-80ac-a173474274df, dn uid=jasmine.suddr,ou=none,o=dd,dc=xxx,dc=xxx
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID ec5c9aa4-7c2c-1033-9fa4-2d4a65066d19, dn uid=jonas.beffrnn,ou=none,o=dd,dc=xxx,dc=xxx
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 7461d22e-e996-1035-80f6-a173474274df, dn uid=juerg.klegegeli,ou=none,o=dd,dc=xxx,dc=xxx
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 758c744c-e996-1035-8100-a173474274df, dn uid=julia.sxgegegea,ou=none,o=dd,dc=xxx,dc=xxx
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 47e4f6b4-7c2d-1033-8015-2d4a65066d19, dn uid=karin.vivwvwe,ou=none,o=dd,dc=xxx,dc=xxx
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 8d26a4f2-7c2d-1033-807b-2d4a65066d19, dn uid=larissa.fewfewf,ou=none,o=dd,dc=xxx,dc=xxx
Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 98310aa4-7c2d-1033-808b-2d4a65066d19, dn uid=laura.cfwfew,ou=none,o=dd,dc=xxx,dc=xxx
syncrepl config:
olcSyncrepl: {0}rid=999 provider=ldap://ldap-master002.xxx.xxx:389 bindmethod=simple timeout=0 network-timeout=10 binddn="uid=replicator,ou=system,o=de,dc=xxx,dc=xxx"
credentials="pass" keepalive=0:0:0 starttls=yes tls_cacert="/etc/ssl/certs/SwissSign_Silver_CA_-_G2.pem" tls_reqcert=allow filter="(objectClass=*)" searchbase="dc=xxx,dc=xxx" scope=sub attrs="*,+"
syncdata="accesslog" logbase="cn=accesslog_xxx" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=off type=refreshOnly interval="00:00:01:00" retry="10 5 60 +"
Misconfiguration? (We've been running this configuration for years...)
Workaround is to remove the whole mdb database and restart slapd to let it resync.
I've found some posts with a similar problem, but those are all related to pre-2.4.21; we're running slapd 2.4.44.
Cheers
6 years, 5 months
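The following is an added example, not code from the original post or from OpenLDAP: it parses the nonpresent_callback lines a consumer writes during a refresh (the kind of lines quoted above) and flags a refresh whose pending deletes exceed a chosen share of the consumer's entries, so the database can be preserved for analysis before the "wipe and resync" workaround overwrites the evidence. Host name, rid, UUIDs and DNs in the embedded sample are constructed. One detail worth noting in the quoted olcSyncrepl, separate from the deletion problem: tls_reqcert=allow lets the consumer proceed even when the provider presents no certificate or one that fails verification, so with bindmethod=simple the replicator password is only as protected as that setting; tls_reqcert=demand is the strict value once the CA file is correct.

```python
# Added example (not from the original post or the OpenLDAP project): parses
# the nonpresent_callback lines a syncrepl consumer logs during a refresh and
# flags a refresh that would delete more than a set share of the consumer's
# entries. Host name, rid, UUIDs and DNs in SAMPLE_LOG are constructed; the
# line layout follows the slapd log lines shown in the post.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct 19 17:16:22 ldap-consumer01.example.net slapd[4242]: do_syncrep2: rid=042 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 19 17:16:22 ldap-consumer01.example.net slapd[4242]: do_syncrep2: rid=042 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 19 17:16:24 ldap-consumer01.example.net slapd[4242]: nonpresent_callback: rid=042 nonpresent UUID 0a1b2c3d-0000-1033-8000-000000000001, dn uid=alice,ou=people,dc=example,dc=net
Oct 19 17:16:24 ldap-consumer01.example.net slapd[4242]: nonpresent_callback: rid=042 nonpresent UUID 0a1b2c3d-0000-1033-8000-000000000002, dn uid=bob,ou=people,dc=example,dc=net
Oct 19 17:16:24 ldap-consumer01.example.net slapd[4242]: nonpresent_callback: rid=042 nonpresent UUID 0a1b2c3d-0000-1033-8000-000000000003, dn uid=carol,ou=people,dc=example,dc=net
Oct 19 17:16:24 ldap-consumer01.example.net slapd[4242]: nonpresent_callback: rid=042 nonpresent UUID 0a1b2c3d-0000-1033-8000-000000000004, dn uid=dave,ou=people,dc=example,dc=net
Oct 19 17:16:25 ldap-consumer01.example.net slapd[4242]: nonpresent_callback: rid=007 nonpresent UUID 0a1b2c3d-0000-1033-8000-000000000099, dn cn=stale,ou=groups,dc=example,dc=net
Oct 19 17:16:30 ldap-consumer01.example.net slapd[4242]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: "
    r"(?P<func>do_syncrep2|nonpresent_callback): rid=(?P<rid>\d+) (?P<rest>.*)$"
)
NONPRESENT = re.compile(r"^nonpresent UUID (?P<uuid>[0-9a-f-]{36}), dn (?P<dn>.+)$")


def parse(lines):
    """Yield (rid, kind, payload). kind is 'idset' for a SYNC_ID_SET
    intermediate message and 'delete' (payload (uuid, dn)) for an entry the
    consumer is about to remove because its UUID was not in the provider's
    present list. Other slapd lines are ignored."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rid = int(m["rid"])
        if m["func"] == "do_syncrep2" and "SYNC_ID_SET" in m["rest"]:
            yield rid, "idset", None
        elif m["func"] == "nonpresent_callback":
            n = NONPRESENT.match(m["rest"])
            if n:
                yield rid, "delete", (n["uuid"], n["dn"])


def deletes_per_rid(lines):
    """Map rid -> list of (uuid, dn) the consumer logged as nonpresent."""
    out = defaultdict(list)
    for rid, kind, payload in parse(lines):
        if kind == "delete":
            out[rid].append(payload)
    return dict(out)


def check(lines, entry_count, max_fraction=0.05):
    """Per rid: number of pending deletes, their share of entry_count (the
    consumer's entry count before the refresh) and whether that share is
    above max_fraction. A refresh should only remove what was deleted on the
    provider since the last one; a large share is the moment to stop slapd
    and keep the mdb files rather than let the refresh run to completion."""
    report = {}
    for rid, deleted in deletes_per_rid(lines).items():
        fraction = len(deleted) / float(entry_count) if entry_count else 1.0
        report[rid] = {
            "deleted": len(deleted),
            "fraction": fraction,
            "alarm": fraction > max_fraction,
            "sample_dns": [dn for _, dn in deleted[:3]],
        }
    return report


if __name__ == "__main__":
    for rid, r in sorted(check(SAMPLE_LOG.splitlines(), entry_count=20).items()):
        flag = "ALARM" if r["alarm"] else "ok"
        print("rid=%03d deletes=%d (%.0f%%) %s %s"
              % (rid, r["deleted"], 100 * r["fraction"], flag, r["sample_dns"]))
```

Feed it the consumer's syslog (journalctl -u slapd or /var/log/syslog) and the entry count from a recent slapcat or an ldapsearch with the subtree count; the threshold is policy, and for a directory with modest churn a few percent per refresh is already suspicious.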
Configuring a relatively simple translucent proxy to override/add group memberships.
by Jeff Wiegley
Hopefully somebody can help as I am new to OpenLDAP and I've spent the whole day being overwhelmed and totally confused by the configuration of this beast. (How did it get "Lightweight" as part of its name?)

The problem I have is that I have a group of computers in my research lab at a university that I want to allow login to for campus users. I want to authenticate the logins against the campus LDAP server, but I want to augment/add group membership to the results.

So for instance the campus LDAP server might authenticate a user named "bob", and a unix groups command for bob when logged in would show {"users", "student", "webuser"}, but I want my machines to log him in with his same campus credentials but see his group membership as {"users", "student", "webuser", "research", "cloud"}.

From what I've read I can do this with the translucent overlay. The problem is that I have no idea how to get this working, let alone interface with the campus LDAP mess.

So far I can get users authenticated and logged in with authentication solely against the campus LDAP server, but nothing about the local translucent proxy is even understandable, let alone testable.

I have Ubuntu 16.04 and I installed ldap/slapd by essentially doing:

apt-get install ldap-auth-client slapd ldap-utils

I see both /etc/ldap/slapd.d and /usr/share/slapd/slapd.conf installed. And, as I said, I've got the machine configured via ldap.conf to authenticate against the campus LDAP server odir.csun.edu. But none of that even requires slapd installed. (I realize I'll eventually need to configure/understand slapd in order to allow it to authenticate against my local server, but I'm totally lost in trying to figure that part out.)

Couple of questions to start:

1) Should I be making configuration changes in /usr/share/slapd/slapd.conf or should I be using the dynamic config thingy and ldapadd/ldapmodify?? Several things I read say use ldapmodify, but then EVERY example about translucent proxies that I can find demonstrates with slapd.conf. In fact almost every tutorial I've read is entrenched in slapd.conf.

2) How do I set up the translucent overlay to proxy to the campus ldap server without making any changes to the results? If we could start there, then maybe I could start getting a handle on at least a little understanding of how this starts to work.
Thanks for any help,
Jeff
6 years, 5 months
Re: Disable Linux commands for LDAP users
by Mauricio Tavares
I think there was something called ldap-sudo, but there might be other ways
to do it.
On Oct 21, 2016 4:39 PM, "Bernard Fay" <bernard.fay(a)gmail.com> wrote:
Hi,
I would like to be able to disable some Linux commands for LDAP users. One of
those commands is passwd. Because of some specific needs, when the LDAP
users have to change their password, a special script has been created for
this purpose. They MUST not use passwd, but this command is still required
by local users.
Does one of you have an idea how to disable Linux commands for LDAP users
only?
Thanks,
Bernard
6 years, 5 months
slapo-rwm documentation
by Ralf Mattes
Dear collected list wisdom,
I have successfully set up a relay database with rwm suffix massaging. Now, for a client
app, I need to transform groupOfNames into posixGroup and member attributes into memberUid.
I was able to do the objectClass/attribute transformation with olcRwmMap, but now I need to
transform the attribute _values_ (i.e. I need to strip the DN-valued member values to get
uids). From the existing documentation I can't find out how to restrict an rwm-RewriteRule to
(certain) attributes. Any help?
TIA Ralf Mattes
6 years, 5 months
Public LDAP server, what do I need to know?
by John Lewis
I want to host a LDAP server that contains a directory that contains the
offices of local Representatives and Public Servants, the issues they
are responsible for, and their names. I would like anyone who wants to
to browse it or put up front ends.
Is there anything in particular that I should keep in mind?
6 years, 5 months
openldap 2.4.40 on RHEL7
by Real, Elizabeth (392K)
Hello,
Quick question about replication: I'm setting up an LDAP client to talk to my two LDAP servers, which are replicating fine.
To be able to talk to both LDAP servers, do I need to scp the server certificate (cert.pem) from both servers into the LDAP client's /etc/openldap/cacerts directory? I'm looking at this documentation to configure the LDAP client using sssd: https://www.certdepot.net/ldap-client-configuration-authconfig/
Thank you,
Liz
6 years, 5 months
Re: group membership search performance
by Quanah Gibson-Mount
--On Friday, October 14, 2016 1:13 PM +0200 Rébeli-Szabó Tamás
<tamas.rebeli.szabo(a)webvalto.hu> wrote:
> Hi Quanah,
>
> yes, it takes 5–7 seconds for each search.
I believe that's a general known issue with very large groups. I
personally moved to using dynamic groups via slapo-dynlist for a variety of
reasons, performance being one. You may want to test in a dev environment
if your issues go away if you move to dynamic groups instead.
--Quanah
--
Quanah Gibson-Mount
Product Engineer
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 5 months
Re: group membership search performance
by Quanah Gibson-Mount
--On Wednesday, October 12, 2016 10:11 PM +0200 Rébeli-Szabó Tamás
<tamas.rebeli.szabo(a)webvalto.hu> wrote:
> Hi,
>
> we are on OpenLDAP 2.4.41 + MDB, Oracle Linux 6 (2.6 x86_64).
>
> In our DIT we have around 300 groups, with tens of thousands of members
> in each group. When we want to know which groups a certain user belongs
> to, it takes OpenLDAP several seconds to perform such a search.
>
> Here is a log excerpt showing that it took 6 seconds for the server to
> answer:
>
> Oct 10 15:39:38 ldap-srv1 slapd[14776]: conn=1062 op=1 SRCH base="ou=groups,dc=tt,dc=hu" scope=1 deref=0 filter="(&(uniqueMember=uid=o10011,ou=users,dc=tt,dc=hu)(objectClass=groupOfUniqueNames))"
> Oct 10 15:39:44 ldap-srv1 slapd[14776]: conn=1062 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
>
> We have eq indices on objectClass and uniqueMember, and the latter is
> also listed after sortvals.
>
> The machine running OpenLDAP has 2 virtual cores of Intel Xeon E5 2637 v2
> (3.5GHz). During such searches, one of the CPU cores is almost fully
> loaded, but the system is not overloaded (the average load is around
> 0.8). Our whole dataset is under 1 GB, and there are several gigabytes
> of free RAM with no swapping.
>
> Our expectation would be for OpenLDAP to give an answer to a group
> membership question under 1 second. Is that a realistic expectation, and
> if so, how should we tune OpenLDAP or what do you suggest we change?
> Version 2.4.41 is more than a year old, so the question is if there is
> any significant performance enhancement (an order of magnitude) possible
> with this setup described above, or that's about all we can get from
> OpenLDAP+MDB (or perhaps any in-memory LDAP)?
Does it always take 6 seconds to return the 127 group entries that match,
or is that only on the first search?
--Quanah
--
Quanah Gibson-Mount
Product Engineer
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 5 months
OpenLDAP server attack surface analysis shows UDP port 63515 in unknown state
by Sreekanth Sukumaran
Sorry, I forgot to add a subject to the last mail. Resending with a subject;
sorry about spamming the group.
Hi All,
OpenLDAP version : 2.4.39 on windows
Tool used : Microsoft Attack surface analyzer
We have been doing attack surface analysis on the OpenLDAP server, and we have
found that there is a UDP port 63515 associated with the OpenLDAP server
(state shows "Unknown", not listening or established).
We have not connected any clients to the OpenLDAP server, so we cannot think of
it as an ephemeral port at the server end either.
Does anyone have an idea what this port could be for? Inputs are much
appreciated.
--
Regards,
Sreekanth
6 years, 5 months