openldap-technical April 2016

openldap-technical@openldap.org

40 participants
56 discussions

Offline modification in replicated environment
by Ryan Tandy 23 Apr '16

23 Apr '16

When my (Debian's) users upgrade to 2.4.43 or later, if they use the ppolicy overlay and cn=config, I have to add the pwdMaxRecordedFailure attribute to the schema, otherwise slapd can't start. Basic steps: slapcat the config database; a few lines of perl to add the new attribute, update the pwdPolicy object class, and strip out modifiersName and modifyTimestamp so they get regenerated; slapadd it back. No problem for a standalone system. The config database might be replicated, though. For that, I'm also removing entryCSN from the schema entry I modify, and letting slapadd regenerate it. I'm not using -S with slapadd, so the reloaded entry is getting sid 000 every time. I've tested master-slave and master-master setups, and this seems to be working as intended. But I'd like to ask the people here who have more experience with replication than I do: is this a bad plan? What could go wrong? thanks, Ryan

2 1

Export issue after an DN change
by mdii 22 Apr '16

22 Apr '16

I'm having a weird issue with my OpenLDAP directory, maybe some of you had a similar issue in the past and can point me in the right direction, at the moment I have no idea where to start looking... In my directory, the entities are listed in the ou=organisation branch, where the key is the entity label and they have a hierarchic structure, for example: - ou=organisation - ou=entity1,ou=organisation - ou=entity2,ou=entity1,ou=organisation - ou=entity3,ou=entity1,ou=organisation - ou=entity4,=entity3,ou=entity1,ou=organisation - ou=entity5,ou=organisation - ... The issue appears when there is a label change in one of the entities. In this example I will change entity3 by entity33: - ou=organisation - ou=entity1,ou=organisation - ou=entity2,ou=entity1,ou=organisation - ou=entity33,ou=entity1,ou=organisation - ou=entity4,=entity33,ou=entity1,ou=organisation - ou=entity5,ou=organisation - ... When I'm using a directory browser, let's say ApacheDS, I have no trouble, I can see the entire directory tree (as above). My issue is the following: - If I do a LDIF export (using the same ApacheDS), it doesn't export the entity4 entry (or any other entity under entity33) - If I do a Java application that uses a LDAP framework (Spring or UnboundID in my case), I have the same problem, it doesn't see the entity4 entry - I can do an entity4 LDIF export, it works well Meanwhile there is a solution to this issue. If I do the series of operations: - LDIF export of entity4 - LDIF export of entity33 - LDIF export of entity1 - suppression of entity33 (witch includes all entries under it) - Import of entity1 - Import of entity33 - Import of entity4 Once these operations completed, everything goes normal and entity4 will be exported when I do an entity33 LDIF export. One last detail, when I enter the enterprise, the issue was known, and it was told me to export the parent entity of the one that had the label change, that’s why I do the enetity1 export/suppression/import (not only the entity33). Do you have any idea of what's going on? At the moment I have no idea where to start looking at, if I can change some settings or if it's an OpenLDAP know bug. I would like to thank you in advance for any help, Best regards, Marc

2 1

Query regarding Openldap implementation
by Samrin S.N 21 Apr '16

21 Apr '16

Hi There, I have a query on ldap_search_ext_s() API being used. This API is returning operations error and by default the option LDAP_OPT_REFERRALS is default to 1. I feel when we use this API, it tries and finds other referrals present in the AD server configuration forest. Can you please help me in understanding this API behaviour. I have found that even though the requested user is found at one of the referral, again the search is done on other referrals for the same user. What is the significance of trying to search the node in other referrals. Your help is highly appreciated. -- Thanks, Samrin

1 1

How to enable search using wildcard characters
by PRATIK SINGAL 20 Apr '16

20 Apr '16

Hello All, Can any one please help me how can i search using wild card character. My base dn is "dc=example,dc=com" and i want to search all the records having "telephone" attribute whose value is starting from 256* Am using below verion of openldap $OpenLDAP: slapd 2.4.40 Is there any changes which needs to be done in slapd.conf to enable wildcard search Regards, Pratik

3 2

Re: Openldap vs 389
by Shawn McKinney 20 Apr '16

20 Apr '16

> On Apr 19, 2016, at 16:34:27,Achilleas Mantzios wrote: > > I admit I haven’t done my homework regarding the standards (the literature is just huge), maybe I was hasty in using the term RBAC above, but anyway what does Fortress/RBAC give out of the box that our solution wouldn’t, I mean you wouldn’t mind giving a very rough overview ? Not knowing what your solution provides it's not possible for me to give you a comparison and in any case that’s a question for you to decide. If you want to understand fortress, first understand its apis, there are links to javadoc descs at the bottom of this page: https://directory.apache.org/fortress/overview.html If after that you are still interested, checkout the tutorials: - http://github.com/shawnmckinney/apache-fortress-demo - http://github.com/shawnmckinney/role-engineering-sample - http://github.com/shawnmckinney/wicket-sample - http://github.com/shawnmckinney/fortress-saml-demo or some of the collateral that is here: - http://iamfortress.net/2015/06/11/what-is-delegated-administration/ - http://iamfortress.net/2015/03/13/enabling-java-ee-and-fortress-security-in… - http://iamfortress.net/2015/03/05/the-seven-steps-of-role-engineering/ - http://iamfortress.net/2015/02/16/apache-fortress-end-to-end-security-tutor… - http://iamfortress.net/2014/11/24/using-role-for-access-control-is-not-rbac/ Shawn

2 1

memberuid value should be DN or RDN or both woks
by scn_73＠yahoo.com 20 Apr '16

20 Apr '16

All, Openldap is complaining invalid dn. I doubt, it's for group members those memberuid don't have have DN and added as RDN. Like to know does memberuid should be DN or RDN works too. slapd[4892]: conn=1629448 op=2180 do_search: invalid dn (member1) slapd[4892]: conn=1629448 op=2181 do_search: invalid dn (memver2) slapd[4892]: conn=1629448 op=2182 do_search: invalid dn (member2) objectClass: posixGroup objectClass: top cn: g1 gidNumber: xxxx memberUid: member1 memberUid: member2 memberUid: member3 - Sachin

2 1

Best method to swap TLS cert/key/CA files
by ML mail 19 Apr '16

19 Apr '16

Hello, I would like to swap my self signed certificate including CA, cert and key with a new set of CA, cert and key files on my OpenLDAP 2.4.31 master and replica servers. What would be the best way to achieve that? Can I simply run an ldapmodify with the new values and then restart slapd? Is it as easy as that or are there any pitfalls I should take care of? Thank you in advance for your comments. Regards ML

2 2

passwd, proxying, and idassert-authzFrom
by David Magda 19 Apr '16

19 Apr '16

Hello, I have a master OpenLDAP server, with a bunch of slaves, and then Linux clients talking to the slaves. We've used olcUpdateRef/updateref for a while, but have a situation where we need to proxy connection on behalf of clients via the slaves. So we have configured a slapo-chain(5) overlay, with the following settings: olcDbURI: ldap://10.0.0.555/ olcDbIDAssertBind: bindmethod=simple \ binddn="cn=update,dc=example,dc=ca" \ credentials=s3cr3t mode=self olcDbRebindAsUser: TRUE However, when users try to run passwd(1) (with pam_ldap.conf(5) having the "pam_password exop" setting) they get: > LDAP password information update failed: Strong(er) authentication required only authenticated users may change passwords > passwd: Permission denied > passwd: password unchanged On the master, we have: > Apr 12 13:14:00 ops slapd[26119]: conn=16 fd=32 ACCEPT from IP=111.222.333.444:59985 (IP=0.0.0.0:389) > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 BIND dn="" method=128 > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 RESULT tag=97 err=0 text= > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 PASSMOD > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 RESULT oid= err=8 text=only authenticated users may change passwords The (cn=update...) DN has an "authzTo" attribute set to "{0}dn.regex:^uid=[^,]+,ou=People,dc=example,dc=ca". I'm guessing I may need to set idassert-authzFrom (olc equiv?) to something. Is this correct? If so, should it be restricted to ou=People? If not, what am I missing? Thanks for any info. Regards, David

1 1

Re: Openldap vs 389
by Achilleas Mantzios 19 Apr '16

19 Apr '16

On 19/04/2016 13:41, Emmanuel Lécharny wrote: > Le 19/04/16 11:39, Achilleas Mantzios a écrit : >> On 19/04/2016 12:20, Emmanuel Lécharny wrote: >>> Le 19/04/16 10:47, Achilleas Mantzios a écrit : >>>> Hello, >>>> >>>> I have been testing sporadically openldap two years now, including >>>> many advanced features, sql, ppolicy, etc we are currently evaluating >>>> openldap along with redhat's 389 for enterprise use as RBAC, on which >>>> we will built upon our existing infrastructure. We want to have full >>>> password policy enabled, in order to meet requirements for passing SOX >>>> (Sarbanes Oxley) compliance. >>>> 389's documentation is lousy, I haven't tried anything exotic (sql, >>>> etc) with it, the reason we are looking at it is because it is favored >>>> by kolab.org and likely to come as standard in future kolab versions. >>>> So I would like your opinion on this. Pros/Cons to choose openldap or >>>> 389 directory server as our long term strategic decision? >>>> >>> If you are interested in RBAC, know that there is a Java API that >>> implements RBAC at http://directory.apache.org/fortress/ (1.0.0 have >>> just been released last week). It works with OpenLDAP as a backend (and >>> some other LDAP server too). >> Hi I had talked with a SYMAS person some years ago regarding fortress, >> this is also hosted by openldap : http://www.openldap.org/fortress/ >> So who manages fortress? > It has moved to the Apache Foundation 2 years ago. Thanx for the insight. > > >> By the test we had done with openldap it seemed that marginally we >> could meet our password policy requirements. > Here, you will have to tell us more about your requirements. Right, we have an inhouse application running on Java EE, which we have been developing for the last 16 years. We use mostly classic form-based j2ee declarative security. We have been using IBM Lotus Notes Domino Server and its bundled LDAP server, by writing our own login module for Jboss. But lotus's LDAP is of limited potential. Now we need to have the following features : - support password strength and also communicate relevant error codes/messages back to the calling client (e.g. jboss login module) - handle correctly while in period of passwd expiration warning (error codes/messages) - handle correctly after period of passwd expiration, but within the grace limit (error codes/messages) - support password history (error codes/messages) - handle correctly after period of passwd expiration, and also after grace limit (error codes/messages) - account explicitly locked (error codes/messages) - handle pwdMustChange & pwdReset (error codes/messages) - account explicitly locked after pwdMaxFailure (error codes/messages) According to some tests we had done back in 2014, we had it all covered, in theory. Our idea was to have some supplementary roles assigned to the user, denoting of any outstanding state of the account, and then add this role to the user, inside the login module, and then use an hybrid approach of declarative security + some filters + some programmatic security to allow the user to have a full RBAC experience -- Achilleas Mantzios IT DEV Lead IT DEPT Dynacom Tankers Mgmt

2 2

Re: Openldap vs 389
by Achilleas Mantzios 19 Apr '16

19 Apr '16

On 19/04/2016 12:20, Emmanuel Lécharny wrote: > Le 19/04/16 10:47, Achilleas Mantzios a écrit : >> Hello, >> >> I have been testing sporadically openldap two years now, including >> many advanced features, sql, ppolicy, etc we are currently evaluating >> openldap along with redhat's 389 for enterprise use as RBAC, on which >> we will built upon our existing infrastructure. We want to have full >> password policy enabled, in order to meet requirements for passing SOX >> (Sarbanes Oxley) compliance. >> 389's documentation is lousy, I haven't tried anything exotic (sql, >> etc) with it, the reason we are looking at it is because it is favored >> by kolab.org and likely to come as standard in future kolab versions. >> So I would like your opinion on this. Pros/Cons to choose openldap or >> 389 directory server as our long term strategic decision? >> > If you are interested in RBAC, know that there is a Java API that > implements RBAC at http://directory.apache.org/fortress/ (1.0.0 have > just been released last week). It works with OpenLDAP as a backend (and > some other LDAP server too). Hi I had talked with a SYMAS person some years ago regarding fortress, this is also hosted by openldap : http://www.openldap.org/fortress/ So who manages fortress? By the test we had done with openldap it seemed that marginally we could meet our password policy requirements. > > Regarding OpenLDAP, obviously, this list is clearly biased. Now, let's > see what you can find on the Internet : > > http://www.slideshare.net/ldapcon/benchmarks-on-ldap-directories > Thanx! > -- Achilleas Mantzios IT DEV Lead IT DEPT Dynacom Tankers Mgmt

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2016