Re: Re: OpenLDAP / Active directory cohabitation
by Clément OUDOT
2017-05-30 8:10 GMT+02:00 Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>:
> I have one question: Why is the AD admin account needed to authenticate? I see
> a problem with the AD admin password being stored in cleartext in the saslauthd
> configuration...
You don't need AD admin password, you just need a standard AD account
that can read user entries (no write access required).
Clément.
Re: Antw: Re: OpenLDAP / Active directory cohabitation
by Dan White
On 05/30/17 08:10 +0200, Ulrich Windl wrote:
>>>> Clément OUDOT <clem.oudot(a)gmail.com> wrote on 29.05.2017 at 20:43 in
>message
><CAK_oV4-DYo6d=LgWnu7foGkYQ4n9mjHiDbmo1t9uGyJT5e8EFQ(a)mail.gmail.com>:
>> 2017-05-29 19:00 GMT+02:00 Dan White <dwhite(a)cafedemocracy.org>:
>>> On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
>>>>
>>>> I am in an environment where we use both OpenLDAP and Active Directory.
>>>> All Linux servers authenticate against OpenLDAP where we have user group,
>>>> unix group (...)
>>>
>>> Pass-through authentication should work if you're performing simple binds.
>>> Chapter 14 of the admin guide has a good example.
>>
>> You can also find a tutorial here:
>> https://ltb-project.org/documentation/general/sasl_delegation
>
>I have one question: Why is the AD admin account needed to authenticate? I see
>a problem with the AD admin password being stored in cleartext in the saslauthd
>configuration...
Here's a simpler approach that does not require storing a password:
https://www.openldap.org/lists/openldap-technical/201106/msg00198.html
This was tested against AD 2003. You may need to use ldaps with newer
versions.
--
Dan White
ACL and Dynamic Groups
by Ivan Athanazio
Dear Members,
I have a problem that consists in allowing a member of a group to manage
accounts that have a given value in an attribute.
My organization structure is as the following example:
-Organization
--Branch1
---Branch1-HR
---Branch1-divisionA
---Branch2-divisionB
--Branch2
---Branch2-HR
The way that I figured out to make it work was using Dynamic Lists to group
users that have the attribute value.
So I activated the dynlists overlay and configured it.
My OpenLDAP DIT is as shown below:
-dc=something,dc=something2,dc=br
--ou=Group
---cn=s-branch1admin-rw
----dn=uid=user3,ou=People,dc=something,dc=something2,dc=br
---cn=branch1-users (dynamic group that contains DNs of users filtered by
departmentNumber=divisionA or departmentNumber=divisionB)
----dn=uid=user1,ou=People,dc=something,dc=something2,dc=br
----dn=uid=user2,ou=People,dc=something,dc=something2,dc=br
--ou=People
---uid=user1 (attr: inetorgperson departmentNumber=divisionA)
---uid=user2 (attr: inetorgperson departmentNumber=divisionB)
---uid=user3
So, now, I need an ACL that allows members of cn=s-branch1admin-rw to manage
user1, user2 and any other user that is in the dynamic group
cn=branch1-users.
I searched the web and didn't find any result that shows exactly how to
build this ACL. I tried some ways to write it, especially these two forms:
1) access to dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by set="[cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br]/member*" manage
2) access to dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by group.exact="cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br" manage
And some other forms, and none of these appears to work.
So, if someone has already done it or knows about it, can you help me with ACLs and
dynamic groups?
Thanks for the help and for the patience with my long e-mail.
Best regards!
Ivan Athanazio
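As an added example (not part of Ivan's message or any reply on this page), here is the same requirement expressed with a filter= clause on the ACL target instead of through the dynamic group, in cn=config LDIF: the entries selected are exactly those the dynamic group would list (departmentNumber divisionA or divisionB under ou=People), so access control does not depend on the dynlist overlay being consulted during ACL evaluation. The database DN ({1}mdb) and the ou=People base are assumptions.

```ldif
# Added example, not from the original post. Assumed database: olcDatabase={1}mdb.
# Members of the static group cn=s-branch1admin-rw get "manage" on every entry under
# ou=People whose departmentNumber is divisionA or divisionB; everyone else falls
# through ("break") to the ACLs that follow, so the rest of the policy is unchanged.
# {0} inserts this rule first, which matters because slapd stops at the first
# "access to" target that matches the entry.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=People,dc=something,dc=something2,dc=br"
  filter="(|(departmentNumber=divisionA)(departmentNumber=divisionB))"
  by group.exact="cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br" manage
  by * break
```

Continuation lines in LDIF start with a single space that is stripped on parsing, so the second space on each folded line above is the literal separator inside the ACL value; check the result with slapacl(8) for uid=user3 against uid=user1 before relying on it.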
Re: SIGPIPE on OS X fix still pending (ITS#8590)
by Quanah Gibson-Mount
--On Thursday, May 25, 2017 3:11 PM +0100 Lorenz Bauer <lmb(a)cloudflare.com>
wrote:
> Hello list / maintainers,
>
> I submitted http://www.openldap.org/its/index.cgi?findid=8590 back in
> February, and it's still pending. Could you have a look and let me
> know if the patch is acceptable?
Hi Lorenz,
Generally, we need secondary confirmation on the patch. I'm not aware of
anyone on the OpenLDAP development team that makes use of OSX, so we're not
really able to do that in this case. Some Apple employees used to lurk on
here, I don't know if they still do. Or perhaps there are others on the
list that can confirm.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: Can I do this with openldap ?
by Quanah Gibson-Mount
--On Friday, May 26, 2017 12:07 PM +0000 Roelof Wobben
<rwobben(a)hotmail.com> wrote:
> Thanks all. I use now Ubuntu 17.04 for the client and Ubuntu 16.06 LTS
> for the server.
>
> So as I understand LDAP can only be used for authentication and for
> authorization I have to look for other software.
LDAP can be used for both authz and authc if the software in question was
well written. If the software in question was poorly written, it probably
won't be possible. But that is not an LDAP limitation, that is a
limitation due to the software developer.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Can I do this with openldap ?
by Roelof Wobben
Hello,
My boss wants to run everything from a server.
But he also wants me to make sure that some of the software is only used by some people. So the CAD software is only used by the drawers and not by the financial people.
Can I do this with OpenLDAP, or if it cannot be done, which software would be best to use?
I work on Ubuntu Server 16.04 LTS.
Regards,
Roelof
RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount
This is expected to be the final testing call for 2.4.45, with an
anticipated release, depending on feedback, during the week of 2017/05/29.
For this testing call, we particularly need folks to test OpenLDAP with
startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with
the 1.1 series). There is currently nothing in the test suite that covers
encrypted connections (although it's on my todo list). To build against
OpenSSL 1.1 may also require cyrus-sasl HEAD out of the cyrus-sasl GIT
repository, depending on your build options as the current cyrus-sasl
release does not support the OpenSSL 1.1 series. It can be found at
<https://github.com/cyrusimap/cyrus-sasl>. If you build with GSSAPI and
use Heimdal, you will also need the Heimdal 7.1.0 or later release (as that
is where OpenSSL 1.1 support was added). It can be obtained from
<http://h5l.org/>.
Also new with this release is the ability to run "make its" in the tests/
directory. This will run a specific set of tests around past bugs to
ensure there are no regressions. While I've tested this with modular
openldap builds, it has not been tested with the modules and backends built
into slapd, so there could be some issues in that scenario.
Generally, get the code for RE24:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...>
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, run
cd tests && make its to go through the regression suite.
Thanks!
OpenLDAP 2.4.45 Engineering
    Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533, ITS#8634)
    Fixed libldap to fail ldap_result if the handle is already bad (ITS#8585)
    Fixed libldap to expose error if user specified CA doesn't exist (ITS#8529)
    Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)
    Fixed libldap GnuTLS use after free (ITS#8385)
    Fixed libldap SASL initialization (ITS#8648)
    Fixed slapd bconfig rDN escape handling (ITS#8574)
    Fixed slapd segfault with invalid hostname (ITS#8631)
    Fixed slapd sasl SEGV rebind in same session (ITS#8568)
    Fixed slapd syncrepl filter handling (ITS#8413)
    Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432)
    Fixed slapd callback struct so older modules without writewait should function.
        Custom modules may need to be updated for sc_writewait callback (ITS#8435)
    Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS#8576)
    Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794)
    Fixed slapd-mdb double free with size zero paged result (ITS#8655)
    Fixed slapd-meta uninitialized diagnostic message (ITS#8442)
    Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423)
    Fixed slapo-accesslog with multiple modifications to the same attribute (ITS#6545)
    Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428)
    Fixed slapo-sssvlv double free (ITS#8592)
    Fixed slapo-unique with empty modifications (ITS#8266)
    Build Environment
        Added test065 for proxyauthz (ITS#8571)
        Fix test008 to be portable (ITS#8414)
        Fix test064 to wait for slapd to start (ITS#8644)
        Fix its4336 regression test (ITS#8534)
        Fix its4337 regression test (ITS#8535)
        Fix regression tests to execute on all backends (ITS#8539)
    Contrib
        Added slapo-autogroup(5) man page (ITS#8569)
        Added passwd missing conversion scripts for apr1 (ITS#6826)
        Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435)
        Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525)
    Documentation
        admin24 fixed tls_cipher_suite bindconf option (ITS#8099)
        admin24 fixed typo cn=config to be slapd.d (ITS#8449)
        admin24 fixed slapo-syncprov information to be current (ITS#8253)
        admin24 fixed typo in access control docs (ITS#7341, ITS#8391)
        admin24 fixed minor typo in tuning guide (ITS#8499)
        admin24 fixed information about the limits option (ITS#7700)
        admin24 fixed missing options for syncrepl configuration (ITS#7700)
        admin24 fixed accesslog documentation to note it should not be replicated (ITS#8344)
        Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS#7177)
        Fixed ldapsearch(1) information on the V[V] flag behavior (ITS#7177, ITS#6339)
        Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538)
        Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS#8635)
        Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS#8123)
        Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565)
        Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS#8613)
        Fixed slapo-syncprov(5) documentation to be current (ITS#8253)
        Fixed slapadd(8) manpage to note slapd-mdb (ITS#8215)
        Fixed various minor grammar issues in the man pages (ITS#8544)
        Fixed various typos (ITS#8587)
LMDB 0.9.20 Release Engineering
    Fix mdb_load with escaped plaintext (ITS#8558)
    Fix mdb_cursor_last / mdb_put interaction (ITS#8557)
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>