No "known good" password found for the user. Not setting Auth-Type
by MichaelLeung
Hi list,
I was trying to deploy FreeRADIUS + OpenLDAP, and got a warning like this:
(0) ldap : Processing user attributes
(0) WARNING: ldap : No "known good" password added. Ensure the admin
user has permission to read the password attribute
(0) WARNING: ldap : PAP authentication will *NOT* work with Active
Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not
setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good"
password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
The LDAP account I added to the RADIUS configuration file was not the LDAP
Manager account, but when I changed the account to the LDAP Manager user, the
warning was no longer shown and authentication passed.
How can I authorize a normal LDAP account to read the userPassword
attribute, so that I can add that account to the systems which need LDAP?
6 years, 4 months
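An added example, not from the original post, of the ACL change the question is after: a cn=config LDIF that grants a dedicated FreeRADIUS bind DN read access to userPassword on the user subtree only, so the LDAP Manager (rootdn) credential never has to go into the RADIUS configuration. The database index and all DNs are assumptions.

```ldif
# Added example, not part of the original post. Gives a dedicated RADIUS
# service identity read access to userPassword so rlm_ldap can hand a
# "known good" password to rlm_pap. All DNs and the {1}mdb index are
# assumptions for illustration.
#
# Using "add" with an explicit {0} index inserts this rule ahead of the
# existing olcAccess values, so it is evaluated before any broader "to *"
# rule; the existing rules are kept and renumbered.
#
# Continuation lines start with a space (stripped by LDIF), so the second
# space is the separator between clauses.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
  by dn.exact="cn=radius,ou=services,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none
```

This DN can now read every stored hash in that subtree, so it should be allowed nothing else and the hashes must be in a scheme rlm_pap can verify (e.g. {SSHA}). Where the RADIUS side can use Auth-Type LDAP instead, slapd verifies the password through a bind and no read access to userPassword is needed at all.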
DB_LOG_AUTOREMOVE fails to suppress the log files
by jupiter
Hi,
I am running OpenLDAP server 2.4.40 with bdb on CentOS 6; it creates a 10 MB
log file every 2 - 3 minutes and, not surprisingly, fills up the disk
quickly.
To fix the issue, I added the following statement to DB_CONFIG and restarted
slapd, but it does not seem to work: the log files are still growing and
being created. Could anyone help with why DB_LOG_AUTOREMOVE is unable to
stop the log files? Sorry for posting to different lists, but we are not
able to run the LDAP server when it fills up the disk so quickly.
set_flags DB_LOG_AUTOREMOVE
Thanks for your help.
Kind regards,
rewrite overlay to combine multiple OUs
by Nick Couchman
Well, I have a situation (a particular application, actually), that is so arcane in its configuration that it requires that all of the users for the application be in the same OU. So, the config for the app is something like:
CN=%USERNAME%,ou=Users,dc=example,dc=com
So, the application substitutes in the %USERNAME% value with the actual username, and then does a bind with the supplied password. My tree is a little more complicated than that - another dc level or two and several different ou=People places - something like this:
ou=People,dc=engineering,dc=example,dc=com
ou=People,dc=administration,dc=example,dc=com
ou=People,dc=operations,dc=example,dc=com
etc.
with all of the users located under the ou=People branches of the tree. What I'm hoping is that there's some way that I can virtually combine the ou=People locations in my LDAP tree such that, when the application requests cn=Nick,ou=users,dc=example,dc=com, it goes out and searches through either the entire dc=example,dc=com tree or goes through and looks at each of the ou=People locations until it finds it and transparently redirects, allowing this application to function correctly in its stupid configuration, but without me having to create a bunch of aliases in a single location in my tree, or, worse, actually reorganize my tree.
I'm thinking there's probably a way to do this with the rewriteRule and some regular expressions, but I can't find quite the combination of rules/expressions to accomplish this. Any ideas? Or am I stuck making aliases?
Thanks,
Nick
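An added example, not part of Nick's post, of the rewriteRule approach he describes: slapo-rwm in cn=config form, rewriting a bind DN of the form cn=&lt;user&gt;,ou=Users,dc=example,dc=com into the user's real DN via a subtree search for that cn. The database index, the URL used for the lookup and the rwm module being loaded are assumptions.

```ldif
# Added example, not from the original post. Attaches slapo-rwm to the
# dc=example,dc=com database (assumed to be olcDatabase={1}mdb) and
# rewrites the bind DN the application sends into the entry's real DN.
# Assumes the rwm module is already loaded (olcModuleLoad: rwm).
dn: olcOverlay={0}rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmRewrite: {0}rewriteEngine on
olcRwmRewrite: {1}rewriteContext bindDN
# The "ldap" map performs a subtree search under dc=example,dc=com using
# its argument as the filter and returns the matching entry's DN.
olcRwmRewrite: {2}rewriteMap ldap attr2dn "ldap://localhost/dc=example,dc=com?dn?sub"
# Match only the synthetic ou=Users DN the application builds; $1 is the
# username, so the lookup filter becomes cn=<username>.
olcRwmRewrite: {3}rewriteRule "^cn=([^,]+),ou=Users,dc=example,dc=com$" "${attr2dn(cn=$1)}" ":@I"
```

The lookup runs as an anonymous search unless the map is given a bind identity, so the ACLs must allow it to read cn under dc=example,dc=com; cn must also be unique across the ou=People branches so the rewrite resolves to exactly one entry and a user in one department cannot be matched against another's DN.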
Replication of local entries with translucent overlay
by Igor
Hello,
I have an OpenLDAP proxy server which uses the translucent overlay to
supplement Active Directory records with additional attributes. I
wanted to set up replication for my translucent entries (specifically,
push-based provider/consumer scheme, refreshAndPersist mode).
Since slapo-translucent turns off maintenance of the entryCSN and
entryUUID attributes (turns off the lastmod option in the
translucent_db_init function), it cannot be used with slapo-syncprov
(which requires entryCSN and entryUUID attributes).
I understand that to make these two overlays work together in all
scenarios may not be trivial. However, for my specific scenario, it
seems to be enough to just comment out that line which turns off
lastmod:
==============
---
servers/slapd/overlays/translucent.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/servers/slapd/overlays/translucent.c
b/servers/slapd/overlays/translucent.c
index 48cca49..45b45a0 100644
--- a/servers/slapd/overlays/translucent.c
+++ b/servers/slapd/overlays/translucent.c
@@ -1282,7 +1282,7 @@ static int translucent_db_init(BackendDB *be,
ConfigReply *cr) {
return 1;
}
SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NO_SCHEMA_CHECK;
- SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD;
+// SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD;
return 0;
}
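Review bot: commenting the assignment out with `//` (`+// SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD;`) leaves dead code with no explanation of why lastmod maintenance is now left on, while the line above it still unconditionally sets SLAP_DBFLAG_NO_SCHEMA_CHECK. Either delete the line and add a comment stating that entryCSN and entryUUID are kept so the local glue entries can be served by syncprov, or, better, make the flag conditional on a configuration option so existing translucent deployments that rely on the default keep their behaviour.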
--
1.7.1
==============
Everything replicates correctly after that.
I don't expect anyone to scour the OpenLDAP code to come up with an
exhaustive list of potential bugs that may arise because of this. I
assume the risks that come with such a solution.
Having said that, can anyone think of any issues with commenting that
line in translucent_db_init, and setting entryCSN, entryUUID,
contextCSN attributes to be searched in local glue records only (via
olcTranslucentLocal)?
Thanks,
-Igor
Users with multiple passwords?
by dev
Hello All,
I have OpenLDAP (2.4.31-1+nmu2ubuntu8.2) set up to authenticate users on
our LAN with Active Directory using SASL passthrough.
I want to give some of these users access to VPN (OpenVPN) services
(auth with the same OpenLDAP server above) however I want to give them
an {SHA1} password to access the VPN.
I've created another OU (OU=vpnuser) and simply duplicated the entire
user entry into it. I have the VPN server using a searchbase of
"OU=vpnuser.." and things are working as I want... sort of..
Some software on the LAN finds two users in ldap now so I explicitly
exclude OU=vpnuser from searchbases (!OU=vpnuser). ugh..
Is there a better way to accomplish what I am trying to do? Give the
same user two different passwords in the ldap tree?
Thanks
Re: ldapmodify hangs, slapd appears to be looping
by Quanah Gibson-Mount
If you're artificially stuck using RH's builds, then you'll need to contact
them for support.
--Quanah
--On Thursday, March 03, 2016 3:42 PM +0000 "Heinemann, Peter"
<phei(a)isc.upenn.edu> wrote:
> True, but unfortunately recommended practice collides with (artificial)
> standards....
>
> ________________________________________
> From: Quanah Gibson-Mount <quanah(a)zimbra.com>
> Sent: Thursday, March 3, 2016 10:37 AM
> To: Heinemann, Peter; openldap-technical(a)openldap.org
> Subject: Re: ldapmodify hangs, slapd appears to be looping
>
> --On Thursday, March 03, 2016 3:23 PM +0000 "Heinemann, Peter"
> <phei(a)isc.upenn.edu> wrote:
>
>>
>>
>>
>>
>> Openldap 2.4.40-6.el6_7
>
> As has been repeatedly mentioned on the list, please don't use RH's
> OpenLDAP builds. Please do use a current release. You may wish to look
> into using a build from the LTB project or Symas.
>
> <http://ltb-project.org/wiki/download#openldap>
> <https://symas.com/products/openldap-directory/>
>
> There were some known issues with mdb in 2.4.40 and 2.4.41 you may be
> triggering here.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
> A division of Synacor, Inc
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
ldapmodify hangs, slapd appears to be looping
by Heinemann, Peter
Openldap 2.4.40-6.el6_7
RHEL 6.7
mdb backend
ldapmodify is hanging; the hang first evidenced itself in a bulk update. The hang occurs even for a simple update -- with debug set to 1 on the ldapmodify statement (using interactive mode) the block of output listed below repeats endlessly with no change to the values displayed. The slapd audit log shows no update for the intended record.
The problem started after I added a significant amount of data; not new structural objects (OUs) but many entries under them. Have I reached some sort of threshold?
I have:
- stopped/started slapd;
- run a full slapcat and slapadd to a new database
I am running the monitor database; would there be data of value there about this condition?
mdb_stat output:
sudo mdb_stat -ef /etc/openldap/openldap-data
Environment Info
Map address: (nil)
Map size: 8589934592
Page size: 4096
Max pages: 2097152
Number of pages used: 618975
Last transaction ID: 3647
Max readers: 126
Number of readers used: 0
Freelist Status
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 11
Entries: 7
Free pages: 5233
Status of Main DB
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 0
Entries: 16
debug output from ldapmodify:
** ld 0x1ed4e30 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x1ed4e30 request count 1 (abandoned 0)
** ld 0x1ed4e30 Response Queue:
Empty
ld 0x1ed4e30 response count 0
ldap_chkResponseList ld 0x1ed4e30 msgid 2 all 1
ldap_chkResponseList returns ld 0x1ed4e30 NULL
ldap_int_select
ldap_result ld 0x1ed4e30 msgid 2
wait4msg ld 0x1ed4e30 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x1ed4e30 msgid 2 all 1
** ld 0x1ed4e30 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Mar 3 10:04:05 2016
** ld 0x1ed4e30 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x1ed4e30 request count 1 (abandoned 0)
** ld 0x1ed4e30 Response Queue:
Empty
ld 0x1ed4e30 response count 0
ldap_chkResponseList ld 0x1ed4e30 msgid 2 all 1
ldap_chkResponseList returns ld 0x1ed4e30 NULL
ldap_int_select
ldap_result ld 0x1ed4e30 msgid 2
wait4msg ld 0x1ed4e30 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x1ed4e30 msgid 2 all 1
** ld 0x1ed4e30 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Mar 3 10:04:05 2016
...etc
OpenLDAP 2.4x Syncrepl setup
by Ted Hyde (RSI)
Greets - I'm trying to set up a new slave (consumer) server that would
test against an existing (read: legacy) Samba4 AD controller for LDAP
auth. The intent is to have the consumers as distributed HA-like setups
in the event that VPNs or full off-site network connectivity was lost,
users could still authenticate against the local LDAP services. (The
application auth is really quite simple in this case, just some php
grabbing a bunch of groups, not full AD work). In "ye olde days", I
could do this with slapd.conf, but I'm trying to upgrade my own
brain-software to understand OLC better, and am hitting a brick wall.
I'd really like to just have the following on each consumer server:
syncrepl rid=1
provider=ldap://ldap.example.com
type=refreshOnly
interval=00:00:00:30
searchbase="dc=example,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=root,dc=example,dc=com"
credentials=secret
updateref ldap://ldap.example.com
tailed to the end of what would have been a few more lines describing
the db for the consumer, but I've not found anywhere how to describe the
above snippet into an ldif file. I ran this snippet (names corrected of
course) through slaptest just to see if it could handle a partial, and
of course it failed (missing db schema) - but if I add the db schema as
a header, it fails because of the existing slapd.d directory. If I
delete the slapd.d directory and place this old format into slapd.conf,
restarting the service fails with a db import error. Yet, some of my old
2.2 configs run fine on 2.2 but fail on 2.4.
The service does run, in that I can plow out an old config, start clean,
add sample users by hand etc, so at least it's a working server, it just
won't join to an existing one or pull a directory from another place.
The 2.4 Admin docs say to add the old schema to the slapd.conf file (as
I attempted above), but doesn't explore how to do it with OLC.
The goal would be to have consumer slapd's running at my off-sites that
act in the refreshOnly mode; push up technology is NOT required. Or
wanted, actually.
Suggestions welcome!
Thanks,
Ted.
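An added example (not from the original post) of the syncrepl stanza above in cn=config (OLC) form, as a modify LDIF against the consumer's database entry. It assumes that database is olcDatabase={1}mdb,cn=config and that the provider is an OpenLDAP server running slapo-syncprov; host, suffix and credentials are the post's own placeholders, and the starttls setting is an addition.

```ldif
# Added example, not from the original post: the slapd.conf syncrepl and
# updateref directives for a refreshOnly consumer, expressed as OLC.
# Assumes the consumer database entry is olcDatabase={1}mdb,cn=config.
#
# olcSyncrepl is one long value. Continuation lines begin with a space,
# which LDIF strips, so the second space separates the parameters.
# attrs="*,+" (the syncrepl default) also replicates operational
# attributes; starttls=critical is added so the simple-bind credential
# is never sent in the clear.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap.example.com
  type=refreshOnly interval=00:00:00:30
  searchbase="dc=example,dc=com" filter="(objectClass=*)" scope=sub
  attrs="*,+" schemachecking=off
  bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=secret
  starttls=critical
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap.example.com
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer.ldif`; a complete old-style slapd.conf can instead be converted in one step with `slaptest -f slapd.conf -F slapd.d` into an empty slapd.d. The credentials value is readable by anyone with read access to the database entry in cn=config, so keep the cn=config ACLs tight.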