openldap-technical February 2016

openldap-technical@openldap.org

56 participants
68 discussions

openSUSE packages (was: OpenLDAP 2.4.44 available)
by Michael Ströder 06 Feb '16

06 Feb '16

OpenLDAP Project wrote: > OpenLDAP 2.4.44 is now available for download For the impatient the updated openSUSE packages for OpenLDAP 2.4.44 are available in my build service home project: https://build.opensuse.org/package/show/home:stroeder:branches:network:ldap… The download repos for various versions: http://download.opensuse.org/repositories/home:/stroeder:/branches:/network… Ciao, Michael.

1 0

slapo-auditlog parsing tools?
by Chris Cook 05 Feb '16

05 Feb '16

I’m looking for a parsing tool for the logs generated by the auditlog overlay. Something more contextually aware and multiline then the string of greps I’ve accustomed myself to, but nothing as deep as a full ELK stack. Thanks Chris

2 1

LDAP and SELINUX
by Borresen, John - 0444 - MITLL 03 Feb '16

03 Feb '16

Does anyone out there in OpenLDAP land have experience with working with OpenLDAP and SELINUX? Running OpenLDAP 2.4.43 on a CentOS 7 VM. SELINUX is squashing client authentication connectivity - with SELINUX in enforcing, and a user fails login (No Such User) - nothing at all in the LDAP logs the only error is in the system auth.log. It acts as if the system authentication process does not pass off to LDAP when the user is not found locally; with SELINUX in Permissive, the user authenticates with the LDAP Server with no problems. If there is anyone who has been down this road it would be very much appreciated. Sincerely, John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Email: <mailto:john.borresen@ll.mit.edu> john.borresen(a)ll.mit.edu

2 2

problem with slapadd in migrating LDAP servers
by k j 02 Feb '16

02 Feb '16

Hello to all. My situation is the following. Migrating from an older Suse server : # rpm -qa | grep -i openldap openldap2-2.4.12-7.19.1 openldap2-client-2.4.12-7.19.1 to a New RHEL 6.6 server: # rpm -qa |grep ldap mod_authz_ldap-0.26-16.el6.x86_64 sssd-ldap-1.11.6-30.el6_6.4.x86_64 apr-util-ldap-1.3.9-3.el6_0.1.x86_64 openldap-clients-2.4.39-8.el6.x86_64 openldap-2.4.39-8.el6.x86_64 openldap-servers-2.4.39-8.el6.x86_64 compat-openldap-2.3.43-2.el6.x86_64 My exported information looks to be in order, has 47,000 lines but when I try to import it I run into trouble. ldapadd -x -D "cn=administrator,dc=mydomain,dc=com" -W -f nis.ldif.ldapDump When prompted for a password I am using the password from the old server (Suse) and that fails, thinking that no password has been setup on the new server I tried an empty password and that also failed. Next I tried setting a new password 'ldappasswd Testing123' but that gave a SASL failure GSSAPI error :( additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Am I going down the wrong road or what? Thanks for any help,KJ

2 5

Fwd: openldap.org mailing list memberships reminder
by Phill Edwards 01 Feb '16

01 Feb '16

I received this today and was shocked to see my password in the email. In this day and age a technology group like this should know far better than to do that. It's bad enough you keep unencrypted passwords, but then to send them our in an email is reckless and irresponsible. Regards, Phill Edwards ---------- Forwarded message ---------- From: <mailman-owner(a)openldap.org> Date: 1 Feb 2016 4:24 PM Subject: openldap.org mailing list memberships reminder To: <philledwards(a)gmail.com> Cc: > This is a reminder, sent out once a month, about your openldap.org > mailing list memberships. It includes your subscription info and how > to use it to change it or unsubscribe from a list. > > You can visit the URLs to change your membership status or > configuration, including unsubscribing, setting digest-style delivery > or disabling delivery altogether (e.g., for a vacation), and so on. > > In addition to the URL interfaces, you can also use email to make such > changes. For more info, send a message to the '-request' address of > the list (for example, mailman-request(a)openldap.org) containing just > the word 'help' in the message body, and an email message will be sent > to you with instructions. > > If you have questions, problems, comments, etc, send them to > mailman-owner(a)openldap.org. Thanks! > > Passwords for philledwards(a)gmail.com: > > List Password // URL > ---- -------- > openldap-technical(a)openldap.org <removed> > http://www.openldap.org/lists/mm/options/openldap-technical/philledwards%40…

4 3

openldap on scientific linux
by Mary Kao 01 Feb '16

01 Feb '16

Hello, I am setting up Openldap on scientific linux version 6.7. Is it better to use the install packages e.g. yum install openldap-servers openldap-clients or to download the openldap source, and compile on my system? Thank you.

2 1

Re: Removing olcAccess entry
by Katherine Faella 01 Feb '16

01 Feb '16

On Tue, Jan 12, 2016 at 2:47 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, January 12, 2016 2:38 PM -0500 Katherine Faella <kmf(a)uri.edu> > wrote: > > Which is where I am having trouble. I believe that deleting the {0} >> element should keep the {1} and move it up to the correct position. >> > > I do this extensively, and it works fine. What OpenLDAP release are you > on? > > --Quanah > > > I was afraid you were going to ask that. We are running the Redhat 6 supported 2.4.40-7.el6_7. We have a policy here of sticking with the redhat supported releases of packages since our staff is so small. I really need to resolve this for an important project here. Of course the project is behind schedule and I am left with little time to get my stuff working. I was hoping my syntax was just incorrect. The only other way I can image fixing this is to revert to slapd.conf .... I guess the good news is that my steps and syntax look okay to you. If you have any other thoughts I would happily accept them. Thanks, Kathy -- Katherine Faella tel: (401) 874-4469 Senior Technical Programmer kmf(a)uri.edu University of Rhode Island University Computing Systems(UCS) 210 Flagg Road Kingston, Rhode Island

2 2

Re: [OpenLDAP][Authentication] SASL
by Timothy Keith 01 Feb '16

01 Feb '16

My scenario is relatively simple. The user authentication and LDAP directory for our local application is managed on corporate servers for which we lack administrative rights. We wish to maintain a local view of the LDAP directory for the information that our local application requires, but not alter the user authentication on the corporate servers. Tim On Thu, Jan 21, 2016 at 6:21 PM, Sergio NNX <sfhacker(a)hotmail.com> wrote: >> I am new at LDAP , that is obvious I guess. But, I've been around Unix >> for 30 years. > > Are we still having issues? We might be able to assist you if you describe > your set up and your goal in more detail. > > Cheers, > > Ser. > >> Date: Thu, 21 Jan 2016 14:31:28 -0600 >> From: dwhite(a)cafedemocracy.org >> To: timothy.g.keith(a)gmail.com >> Subject: Re: pass-through authentication >> CC: dwhite(a)cafedemocracy.org; openldap-technical(a)openldap.org >> >> You can view your config with: >> >> slapcat -n0 >> >> And verify that object exists. >> >> If you're receiving this error due to an ACL problem, verify you >> have the proper configuration in place to authenticate as the rootdn using >> sasl/external. See the slapd-config manpage, and see section 15.2 (and in >> particular 15.2.5) of the Administrator's guide, and reference your >> OS/distro documentation. >> >> On 01/21/16 12:35 -0600, Timothy Keith wrote: >> >I commented the mech_list in slapd.conf >> > >> >The ldapsearch result is now No such object >> > >> >ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config >> >"(|(cn=config)(olcDatabase={1}hdb))" >> >No such object (32) >> > >> >On Fri, Jan 8, 2016 at 2:34 PM, Dan White <dwhite(a)cafedemocracy.org> >> > wrote: >> >> On 01/07/16 17:24 -0600, Timothy Keith wrote: >> >>> >> >>> ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config >> >>> "(|(cn=config)(olcDatabase={1}hdb))" >> >>> ldap_sasl_interactive_bind_s: Authentication method not supported (7) >> >>> additional info: SASL(-4): no mechanism available: >> >> >> >> >> >> I'm missing some context here. Most likely you have a mech_list hard >> >> coded >> >> in your slapd.conf sasl, which does not include the external mech. >>

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2016