Re: chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by Matthew Kemp
On Wed, Apr 26, 2017 at 4:12 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> Hi Matthew,
>
> Can you look at follow up#4 to ITS#8008 and see if that helps your
> situation?
>
> --Quanah
>
Hey Quanah! Thanks for reaching out!
Sadly in my case the update is not specifically helpful in my case. I found
the override flag already, but I do not want to use a ProxyAuth and instead
want to bind as the originating user who bound to the consumer. Override
allows a ProxyAuth to be used rather than an anonymous bind, which is
better, but not the intended behavior I want that the documentation seems
to imply is possible.
--
Matt Kemp
Production Engineer
Braintree
6 years, 1 month
Re: chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by Quanah Gibson-Mount
--On Monday, April 24, 2017 7:38 PM -0500 Matthew Kemp
<matthew.kemp(a)braintreepayments.com> wrote:
>
>
>
>
> On Thu, Apr 20, 2017 at 6:36 AM, mailing lists <listas.correo(a)yahoo.es>
> wrote:
>
>
>
> Hello,
>
>
> I am testing the chain overlay from a read-only slave (consumer) slapd
> server to a read-write master (provider), but what I am seeing is an
> anonymous bind from the consumer to the provider instead of the
> authorization identity configurated in the chain directive.
>
>
>
>
>
> We're also seeing the same behavior and reported a similar issue last
> month to this list:
> http://www.openldap.org/lists/openldap-technical/201703/msg00047.html
>
>
> I'm hopeful we can track down this issue as it's causing us some issues
> that we'll need to resolve eventually.
Hi Matthew,
Can you look at follow up#4 to ITS#8008 and see if that helps your
situation?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
Re: Processing telephone number
by Quanah Gibson-Mount
--On Wednesday, April 26, 2017 9:53 AM +0200 "Angel L. Mateo"
<amateo(a)um.es> wrote:
> Hi,
>
> I have an openldap that stores information of my users. One of the
> fields we are using is telephoneNumber to store the phone number of the
> user.
>
> In this field we are storing now the complete phone number, that is, a
> number like +34 123456789, but now we are deploying applications that
> need just the extension number (the last 4 digits), not the hole one.
>
> Is there any overlay or other option we can use to provide those last 4
> digits of the telephoneNumber attribute without needing to store them in
> another different attribute?
Nope. I'd suggest fixing the application so it does whatever data
manipulation is necessary.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
Processing telephone number
by Angel L. Mateo
Hi,
I have an openldap that stores information of my users. One of the
fields we are using is telephoneNumber to store the phone number of the
user.
In this field we are storing now the complete phone number, that is, a
number like +34 123456789, but now we are deploying applications that
need just the extension number (the last 4 digits), not the hole one.
Is there any overlay or other option we can use to provide those last 4
digits of the telephoneNumber attribute without needing to store them in
another different attribute?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 868888337
6 years, 1 month
Password storage policy and DIT organisation
by Andreas Ames
Hi all,
my questions below are more about openldap pragmatics than technical issues; if they are off-topic, please point me somewhere else to ask. As I'm a newbie, please bear with me, if I get things completely wrong.
What I want to achieve using slapd:
a) A centralised authentication service for system accounts of a handful of Linux hosts (libpam-ldapd) and some apache-based webapps (mod_authnz_ldap).
b) Every user has a single password stored in exactly one place in the DIT (single-sign on is not topical in my environment).
c) I would like to have fine-grained control over whether an ldap user has access to a specific host or webapp or not.
Based on that I have got two questions:
1. DIT organisation
Let's assume my suffix is dc=foo. I plan to have ou=Users,dc=foo for storing ldap users with their (unique) passwords and ou=Services,dc=foo to have account information for each of my services; e.g. ou=host1,ou=services,dc=foo to provide posix account information for host1, or ou=webapp1,ou=services,dc=foo for mod_authnz_ldap related information regarding webapp1 etc. I plan to use olcAuthzRegexp to authenticate users below ou=host1,ou=services,dc=foo or ou=webapp1,ou=services,dc=foo against ldap users in ou=Users,dc=foo. Is this a sensible setup or are there better hierarchies to achieve my goals?
2. Password storage policy
(NB: I am using TLS with a self-signed certificate.) Theoretically I would prefer to store hashed passwords. If I understand correctly, olcAuthRegexp only works with SASL and hashed passwords can only possibly work with the PLAIN mechanism (??). So I tried that and simple binding works as expected, when directly binding to an entry with an attribute "userPassword" (i.e. without indirection through olcAuthzRegexp). To get SASL/PLAIN working, I have tried (without success up till now) to use saslauthd. Moreover the authentication path "client -> TLS/TCP/IP -> slapd (SASL/PLAIN) -> Unix Domain socket -> saslauthd -> localhost/TCP/IP -> slapd (simple bind)" seems a little over the top for my use case. So I am wondering, if hashed password storage is really such a good idea. What are the (security) implications of cleartext storage of passwords? Do you have document links discussing this in some depth?
Thanks in advance ...
Mit freundlichen Grüßen / With kind regards / Cordiali saluti,
Andreas
Please consider the environment before you print / Merci de penser à l'environnement avant d'imprimer / Bitte denken Sie an die Umwelt bevor Sie drucken
Bombardier Transportation GmbH.
Vorsitzender des Aufsichtsrats / Chairman of Supervisory Board: Wolfgang Toelsner.
Geschäftsführung / Management Board: Michael Fohrer (Vorsitzender/Chairman), Olaf Berghoff, Dr. Daniel Perlzweig, Konrad Wiebalck.
Sitz der Gesellschaft / Principal Office: Berlin.
Registergericht / Registration Court: Amtsgericht Charlottenburg, HRB 64838.
This e-mail message, and any attachments, may contain information that is confidential and/or privileged. They are intended for the exclusive use of the addressee.
Any other person is strictly prohibited from disclosure, distribution or reproduction. No waiver whatsoever is intended by sending this e-mail.
If you receive this e-mail in error please immediately inform the sender by return e-mail and delete this e-mail message along with all the attachments and destroy all copies.
6 years, 1 month
Re: Manual LDAP 2.4.44 Installation
by Quanah Gibson-Mount
--On Tuesday, April 25, 2017 1:57 AM +0000 Alexandre Vilarinho
<acvoliveira(a)yahoo.com.br> wrote:
> root@Linux-LDAP-SERVER:~# /usr/local/sbin/slapadd -F
> /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif
> 58fe9bea invalid config directory /usr/local/etc/slapd.d, error 2
> slapadd: bad configuration directory!
As per my previous email:
>> Also ensure that directory exists prior to running the command.
Not sure how to be any more clear than that.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by mailing lists
Hello,
I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configurated in the chain directive.
consumer/10.112.107.53:-------------------------------------
# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $
root@consumer:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
# grep -v -e '^#' -e '^$' slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/freeradius.schema
include /etc/openldap/schema/authldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/custom.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
moduleload back_ldap.la
moduleload unique.la
moduleload ppolicy.la
moduleload dynlist.la
moduleload memberof.la
moduleload syncprov.la
moduleload accesslog.la
moduleload auditlog.la
overlay chain
chain-uri "ldap://10.112.107.51"
chain-idassert-bind bindmethod="simple"
binddn="cn=proxyuser,dc=example,dc=com"
credentials="12345678"
mode="self"
flags=non-prescriptive
chain-rebind-as-user TRUE
chain-return-error TRUE
access to *
by * write
serverID 101
allow bind_v2
database mdb
suffix "dc=example,dc=com"
dbnosync
rootdn "cn=Manager,dc=example,dc=com"
rootpw 12345678
directory /var/lib/ldap
maxsize 106300440576
index objectClass eq
index uid eq,sub
index entryCSN,entryUUID eq
loglevel stats
syncrepl rid=101
provider=ldap://10.112.107.51:389
type=refreshAndPersist
searchbase="dc=example,dc=com"
schemachecking=off
bindmethod=simple
retry="60 10 300 +"
binddn="cn=syncrepl,dc=example,dc=com"
credentials=12345678
updateref "ldap://10.112.107.51:389"
provider/10.112.107.51:-----------------------------------
# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $
root@provider:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
# grep -v -e '^#' -e '^$' slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/freeradius.schema
include /etc/openldap/schema/authldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/custom.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload back_ldap.la
moduleload unique.la
moduleload ppolicy.la
moduleload dynlist.la
moduleload memberof.la
moduleload syncprov.la
moduleload accesslog.la
moduleload auditlog.la
access to *
by * write
serverID 001
authz-policy to
allow bind_v2
database mdb
suffix "dc=example,dc=com"
dbnosync
rootdn "cn=Manager,dc=example,dc=com"
rootpw 12345678
directory /var/lib/ldap
maxsize 106300440576
index objectClass eq
index uid eq,sub
index entryCSN,entryUUID eq
loglevel stats
limits dn="cn=proxyuser,dc=example,dc=com" size=unlimitedlimits dn="cn=syncrepl,dc=example,dc=com" size=unlimitedoverlay syncprov
syncprov-checkpoint 1000 1
syncprov-sessionlog 150000
syncprov-reloadhint TRUE
now I do an update in the consumer:
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:42198 (IP=0.0.0.0:389)
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 RESULT tag=97 err=0 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(employeeid=759042)"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH attr=* +
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=endwmkhwl60nehf2c)"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH attr=* +
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD attr=description
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 RESULT tag=103 err=8 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 closed (connection lost)
and this is the corresponding log in the provider:
Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 ACCEPT from IP=10.112.107.53:58416 (IP=0.0.0.0:389)
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 BIND dn="" method=128
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 RESULT tag=97 err=0 text=
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com"
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD attr=description
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 RESULT tag=103 err=8 text=modifications require authentication
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=2 UNBIND
Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 closed
afaik, the bind dn in the provider must be the chain binddn configured in the consumer, but it gets an anonymous bind.
any suggestion about what can be my mistake??
6 years, 1 month
Re: Manual LDAP 2.4.44 Installation
by Quanah Gibson-Mount
--On Friday, April 21, 2017 6:35 PM +0000 Alexandre Vilarinho
<vilarinhomail-dev(a)yahoo.com.br> wrote:
> But from step 9 forward it practically didn't work:
>
>
> 9.Import the configuration database
> You are now ready to import your configration database for use by
> slapd(8), by running the command:
> su root -c /usr/local/sbin/slapadd -F /usr/local/etc/cn=config -l
> /usr/local/etc/openldap/slapd.ldif
That's a typo in the quickstart guide that's already fixed for the next
release. It would be /usr/local/etc/slapd.d
Also ensure that directory exists prior to running the command.
> 10. Start SLAPD.
> You are now ready to start the Standalone LDAP Daemon, slapd(8), by
> running the command:
> su root -c /usr/local/libexec/slapd -F /usr/local/etc/cn=config
And here that would also be /usr/local/etc/slapd.d
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
Filtered proxy to Active Directory
by Kamenko Pajic
We have Panasonic KX-UTG300B phones (SIP phone) which has LDAP Phonebook
option.
Settings on the phone to make this work are simple:
LDAP Server Address:
LDAP Server Port:
LDAP Authentication ID:
LDAP Authentication Password:
LDAP Search Base:
When I go to LDAP address book on the phone I get thousands of entries
listing not only users with their phone number but also all other entries
like resources, empty lines(???), N/A, Distribution lists .. Etc. in short
probably everything.
There is no way I can set up a filter to filter users only that have phone
number set in AD.
What I need is LDAP proxy server which will be queried by our phones instead
of querying AD Server directly and return filtered list (example: just
entries containing information in "telephoneNumber" attribute)
Is this possible? I've been trying for weeks now with no success.
Please someone, send me sample ldap.conf and slapd.conf configuration files
Thanks
6 years, 1 month
Manual LDAP 2.4.44 Installation
by Alexandre Vilarinho
Hello all,
Recently I've installed LDAP - version 2.4.44 Manually in a Ubuntu 16.04 TLS server.
root@Linux-LDAP-SERVER:~# lsb_release -aNo LSB modules are available.Distributor ID: UbuntuDescription: Ubuntu 16.04.2 LTSRelease: 16.04Codename: xenialroot@Linux-LDAP-SERVER:~#
I followed every step in the official Quick-Start Quide (http://www.openldap.org/doc/admin24/quickstart.html)
But from step 9 forward it practically didn't work:
9.Import the configuration database You are now ready to import your configration database for use by slapd(8), by running the command:su root -c /usr/local/sbin/slapadd -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif
root@Linux-LDAP-SERVER:~# /usr/local/sbin/slapadd -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif58fa3f94 invalid config directory /usr/local/etc/cn=config, error 2slapadd: bad configuration directory!
root@Linux-LDAP-SERVER:~#
10. Start SLAPD. You are now ready to start the Standalone LDAP Daemon, slapd(8), by running the command:su root -c /usr/local/libexec/slapd -F /usr/local/etc/cn=config
To check to see if the server is running and configured correctly, you can run a search against it with ldapsearch(1). By default, ldapsearch is installed as /usr/local/bin/ldapsearch:ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Note the use of single quotes around command parameters to prevent special characters from being interpreted by the shell. This should return:dn: namingContexts: dc=example,dc=com
root@Linux-LDAP-SERVER:~# /usr/local/libexec/slapd -F /usr/local/etc/cn=configroot@Linux-LDAP-SERVER:~# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)root@Linux-LDAP-SERVER:~#
What am i doing wrong? Why can't it contact the server, if the installation was ok, with no errors ou warnings...
Regards
6 years, 1 month
