openldap-technical May 2016

openldap-technical@openldap.org

39 participants
41 discussions

require authc and SASL GSSAPI
by Christian 09 May '16

09 May '16

Dear list, I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter ldapsearch on the command line. Now I have to do ldapsearch -Y GSSAPI I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms), and that fails now. So it would be great if I had a way of setting the default SASL auth mechanism on a machine for all users. However, man ldap.conf tells me that the setting for SASL_MECH is a per user setting only. Is there any other way to achieve this, or am I doing the wrong thing by requiring authc? Thanks, Christian

3 5

Access auth granularity?
by Dora Paula 09 May '16

09 May '16

Dear List, I've two subtrees that contain user-accounts: ou=usersA,dc=example,dc=com and ou=usersB,dc=example,dc=com. Goal: Users below ou=userA,... should only be allowed to bind using sasl_bind, but not with simple_bind. Whereas users below ou=usersB,... should be allowed to bind using both (or any kind of bind). I searched the documentation but without success. All I found was disallow simplebind and sasl_ssf, but both seem to make no sense in this case: While the first disallows simple_binds globally, the combination of sasl_ssf and access auth is or at least seems contradicting to me. Question: Is it possible to achieve this goal using current openldap release? Thank you very much Dora

3 9

Any naming conventions to be followed wile creating groups/organizations
by Chaitanya Kumar Ch 08 May '16

08 May '16

Hi All, I would like to request you to provide naming conventions document if available. I am looking for better approach to name groups/organizations names with multiple words. For example: Computer Science group can be named as cs, Computer Science, ComputerScience, computer science, computer-science. what is the better way? -- Thank You, Chaitanya Kumar Ch, +91 9550837582

1 0

openldap pwdReset=True pam_authz HP-UX
by Campbell, Courtney 05 May '16

05 May '16

Hopefully someone can help out. I am currently running openldap 2.4 with a provider and two consumers. I have a few Linux hosts and a few HP-UX hosts setup for authentication and sudo. For the most part everything works well. I actually have no issues with Linux hosts. On my HP-UX hosts, I have LDAP-UX integration setup. I am able to authenticate fine. Sudo also works well. My issue is when I set pwdReset=TRUE. Basically The HP-UX boxes just keep prompting for the password again., but never prompting for a new authtok. As part of the implementation on the HP-UX servers, I use pam_authz. I have the following entry set. PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdReset=TRUE) The way it should work is that it reads and finds that pwdReset is set to true and passes PAM_NEW_AUTHTOK_REQD. But instead I see this entry in the syslog file: error: PAM: Authentication token manipulation error for userXYZ from serverXYZ I take that as actually being PAM_AUTHTOK_ERR being returned. I am not sure if anyone else has any experience with HP-UX LDAP-UX integration and getting it to work with openldap. I feel it is probably something trivial that I am overlooking. Any help would be appreciated. ________________________________ This message (including any attachments) is confidential and intended for a specific individual and purpose. If you are not the intended recipient, please notify the sender immediately and delete this message.

1 0

ACL needed write privilege to all subtree of "dc=exadel,dc=com"
by Andrei Valoshyn 05 May '16

05 May '16

Hello guys, Currently I have ACL in my slapd.conf file: access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read access to * by peername.ip=10.206.179.0%255.255.255.0 read ..... I need write privilege for my group. I made some changes: access to attrs=userPassword,userPKCS12 by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write by self write by * auth access to attrs=shadowLastChange by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write by self write by * read access to dn.subtree="dc=exadel,dc=com" by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write by peername.ip=206.169.37.147 read access to * by peername.ip=10.206.179.0%255.255.255.0 read After that users from LDAP_admins group can edit all. But our Password Change System, where users can change their passwords stopping work properly because users can't login. After I delete access to dn.subtree="dc=exadel,dc=com" by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write by peername.ip=206.169.37.147 read Password Change System start work well, but user from LDAP_admin group lose their write permissions. After that I tried a big amount of configurations options, but have the problem. Please help! -- With Best Wishes Andrei Valoshyn Exadel Inc. System Administrator avaloshyn(a)exadel.com -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.

2 1

Resolved: SASL search-based username mapping succeeds, but auth fails!?
by William B. Clay 05 May '16

05 May '16

I document the resolution here in the hope it may save others from similar embarrassment. Short form: The ldapsearch error termination message: user not found: unable to canonify user and get auxprops meant, at least in this case, that the SASL password database (/etc/ldap/sasl2/sasldb2) did not contain the userid specified by option "-U". This message is distinct from the message issued on a password error for a userid that is present in the database: authentication failure: client response doesn't match what we generated (tried bogus) TLDR: My perplexity was caused by two reasonable (to me at least) misconceptions that falsely reinforced each other: 1. "unable to canonify user" meant a problem more complex than simply "user not found" in the SASL database itself. 2. Execution of a SASL AuthzRegexp LDAP lookup proved that the SASL user password had been successfully checked (i.e., that a -U userid SASL password is checked PRIOR to AuthzRegexp processing). The root cause blunder: omitting the saslpasswd2 option "-f /etc/ldap/sasl2/sasldb2" when creating the SASL userid. This created the ID in /etc/sasldb2 instead. Verifying existence of the ID with sasldblistusers2 (also forgetting option "-f", of course) confirmed that the ID in question was present ... in the wrong place. I apologize to the list for the mistaken post. Bill Clay

1 0

add/load syncprov overlay
by Real, Elizabeth (392K) 05 May '16

05 May '16

Hello, I am setting up multi-master replication between two openldap servers and when I try to add syncprov overlay to my second server I get this error: # ldapmodify -Y EXTERNAL -H ldapi:/// -f 5_addSyncProv.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config" ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax Per the documentation (http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master) you are supposed to add syncprov to the configuration. Here are the contents of the ldif file: dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov Both servers are running RHEL7 and openldap 2.4.40. Please advise! Thank you, Liz Elizabeth.real(a)jpl.nasa.gov

2 2

Enable memberOf attribute
by Chaitanya Kumar Ch 04 May '16

04 May '16

Hi All, I am new to openLDAP. I am trying to enable memberOf attribute for users. I have followed this <http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay…> link but but I am not getting memberOf result whilesearching for attribute using below query: ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=ddharma)" -b dc=test,dc=com memberO *Query Result*: SASL/EXTERNAL authentication started SASL username: gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0 version: 1 dn: cn=dharma,ou=people,dc=test,dc=com *Please find the below attachments:* 1. ldap-structure.PNG : My ldap architecture. user "dharma" is member of twitter, historical, powertarck groups. 2. backend.memberof.ldif 3. backend.refint.ldif Please help me. -- Thank You, Chaitanya Kumar Ch, +91 9550837582

1 0

This week's OpenSSL vulnerabilities
by Howard Chu 04 May '16

04 May '16

If you haven't read https://openssl.org/news/secadv/20160503.txt yet, it's worth taking a look. The ASN.1-related bugs have no impact on OpenLDAP since we use our own liblber for parsing and encoding, and our encoder/decoder are known to be bug-free. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Documentation
by Daniel Howard 02 May '16

02 May '16

Hello, Some thoughts I have had about OpenLDAP Documentation over the weekend .... My overarching concern is one of process. My day job is Ops, and especially at scale a documentation process is critical to success. And what this boils down to is that: - checking documentation is a part of the routine Ops process - refining that documentation so that it is on-point, concise, and relevant is part of the Ops process - when the documentation proves insufficient, the matter can quickly be escalated with Experts - review of documentation is a routine duty of the Experts, and is part of the process of deploying new infrastructure With this framework (paraphrasing ITIL <https://en.wikipedia.org/wiki/Problem_management#Problem_investigation_and_…> and KCS <http://library.serviceinnovation.org/KCS_Practices_Guide_v6>) in mind, some reactions to my experiences with your community and the recent thread: *Efficient Knowledgebase* This is always a tricky nut to crack ... people love Stack Overflow these days ... there's an existing corpus in the mailing lists. One thing I have done in the past is tie in resources with Google ... might be helpful to if this page <http://www.openldap.org/lists/> had a Google custom site search .. I just tried setting one up <https://cse.google.com/cse/create/congrats?cx=015007933238430841659%3Auvkt3…> to search all of the mailing list archives, issue tracker, F-o-M, stackexchange and serverfault "openldap" keywords ... I am underwhelmed at the results but you folks might have some better idea of "hot topics" and strong resources to try. Howard Chu pointed out that he has configured F-o-M to show *him* dates ... maybe this can be the default? ;) If you can get something good running, it makes answering some dumb questions on the list easier .. you can politely point them to the search with the appropriate keywords .. a la "let me google that for you" and the clever ones will catch on ... if you find the search mechanism less than clear, then maybe some of the docs can be tweaked a bit for keyword-matching, or be revised to cover a more general case or an example ... when a user asks me a dumb question, I try to step through how they would get the answer ... sometimes that stepping needs some help on my part, but on a good day I teach a user to fish ... *Ease of Updating Documentation* I had no idea but it looks like anyone can contribute to F-o-M. Nice. Let us, say, however, I had questions or amendments or heck contributions to the quick start guide? http://www.openldap.org/doc/admin24/quickstart.html There's a footer at the bottom that implies the content is five years old and I'd bet $2 based on personal experience that I am not getting good answers from info(a)OpenLDAP.org. A contrast I dealt with recently is, say, this Ansible tutorial <https://github.com/leucos/ansible-tuto> ... at first, it seemed weird to host documentation on github but there on the top page they get to explaining that they are open to community contributions: fork, pull request, &c. I made some modest contribution myself: one of the first pull requests I ever made. Felt great. I then made some amendments to the GWM project, as their documentation is similarly hosted in a format I already know how to contribute to. :) So, Howard Chu says OpenLDAP will never rely on github. Fair enough ... as an aside, I have seen at least one project maintain a github repo as sort of a managed two-way mirror to their traditional repo: this was done by contributors who wanted to hack around on the code in a convenient tool, and then patches are evaluated and brought into not-git core ... which is to say you could, if you desired, use github without relying on it ... but anyway ... this comprehensive document <http://www.openldap.org/doc/admin24/> could have a section on engaging the authors and the process of contributing amendments, maybe linked from the footer, which could have a dynamic bit of code that shows the current year (or last modified year?) so as not to scare anyone that the living documentation is crazy stale. *Documentation as Part of Deployment* This struck me in my recent discussion around troubles with the Quickstart guide: when I went to use the quickstart guide, the documentation did not match the software, because the software had recently been changed. Best practice would be to bundle documentation updates in to the release. If, in my own Operations, I deployed changes to a service without reviewing and amending the Operational documentation, the nicest word I could use to describe that is "messy." *Tone* The attitude I have witnessed and experienced on the mailing list is off-putting. For example, I recently needed to re-order ACL rules, but as part of that I would be changing the order of rules I depended on to make the modification. Classic "lock yourself out of the firewall" setup. So, I used Google, dug around in the documentation, hoped that such a reasonable question would be covered in the F-o-M .. nada .. so, resort to mailing list. At least in this case, I did get a workable answer: <http://www.openldap.org/lists/openldap-technical/201603/msg00057.html> "the operations are atomic. Read this link where I condescendingly link to a decade-old draft spec .. ya moron." In olden times, I was told to go RTFM more politely <http://www.openldap.org/lists/openldap-software/200102/msg00345.html>: "base64 just makes the answer look different, see the mailing list for previous discussions (although you've already tried and failed to find the discussions alluded to..)" People ask questions. Some are lazy or ignorant, perhaps, or really suck at asking useful questions. Some mean well, just don't know where to find the answer, but put some effort into trying to engage constructively ... I deal with folks on this spectrum all the time in my day job, and yes sometimes I want to bite someone's head off, but it doesn't help. It takes some patience and a deep breath and a lot of effort that may not seem worthwhile but when you offer offer friendly advice you gain allies who might stick around and contribute ... if you want to be a surly curmudgeon then you don't gain allies ... My own take would be if a question just looks like lazy crud, offer some gentle advice as to the process of figuring it out "here's a link to our getting support guide" ... if a question sounds like it has been covered somewhat, ask how would that answer be revealed ... how would you search that the questioner did not ... maybe you've got half an answer but it really ought to be fleshed out ... you can task the person asking that once they figure it out, they post the solution in the F-o-M ... Cheers, -danny -- http://dannyman.toldme.com

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2016