Sorry to re-send to the list, but I'm hopeful someone might have some thoughts on whether this might be possible!
We have an old unsupported application that authenticates users using an LDAP bind. The credential used for authentication (and what all the internal authorizations are tied to) is the employee ID. We are moving to an LDAP directory that uses the email address instead of the employee ID as the DN; the employee ID is still present as an attribute in the new directory and the password remains the same. Since I can't modify the problematic application, it's not going away anytime soon, and it's the last thing holding up migration to the new directory system, I'm hoping that I can use OpenLDAP as a shim between the application and the new directory to do something like the following:
* Collect credentials (employee_id, password) during bind
* Using a privileged service account, search/bind against the new directory to map the employee ID attribute to the email address DN (like mod_authz_ldap does it)
* Return the success/failure as the result of the original bind
I would appreciate any ideas or pointers if this is possible or if there might be a better way.
Thanks in advance!
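One way to build that shim with OpenLDAP's own pieces, as an added example that is not part of the original post: a back-ldap database proxies the new directory, and the rwm overlay rewrites the bind DN from the employee-ID form the application uses to the DN of the entry whose employee-ID attribute matches; back-ldap then forwards the bind, with the password the application supplied, so the success or failure returned to the application is the real directory's answer. Everything here is assumed: the hostnames, the suffixes, the attribute name `employeeNumber`, the lookup account, and that employee IDs are numeric. The `binddn=`/`bindpw=` parameters of the ldap rewrite map and the rule flag should be checked against slapo-rwm(5) for the installed version.

```conf
# Added example (not from the thread): slapd.conf for a shim in front of the
# new directory. The legacy application keeps binding as
#   uid=<employeeID>,ou=People,dc=example,dc=com
database        ldap
suffix          "dc=example,dc=com"
# Forward binds over TLS only, since the user's password travels on this hop.
uri             "ldaps://new-directory.example.com/"

overlay         rwm
rwm-rewriteEngine on

# Lookup map: search the new directory for the entry whose employeeNumber
# equals the map argument and return its DN ("dn" in the attrs part of the URI).
# The lookup account needs read access to employeeNumber and nothing else;
# its DN and password here are placeholders.
rwm-rewriteMap  ldap attr2dn "ldaps://new-directory.example.com/ou=People,dc=example,dc=com?dn?sub" binddn="cn=shim-lookup,ou=Service Accounts,dc=example,dc=com" bindpw="CHANGE-ME"

# Rewrite only the bind DN; searches and their results pass through unchanged.
# The capture is restricted to digits (employee IDs are assumed numeric), so
# no LDAP filter metacharacters from the client can reach the lookup filter.
# "L": stop processing rules once this one has matched.
rwm-rewriteContext bindDN
rwm-rewriteRule "^uid=([0-9]+),ou=People,dc=example,dc=com$" "%{attr2dn(employeeNumber=$1)}" ":L"
```

Keep slapd's defaults for anonymous binds on the shim (do not add `allow bind_anon_dn`): a bind with a DN and an empty password is then refused instead of silently succeeding as anonymous, which is the classic failure mode of applications that hand a user's empty password to LDAP. If the lookup finds no entry the rewrite fails and so does the bind, which is the behaviour you want for unknown employee IDs.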
What is the best practice or right way to change the schema order in the cn=config case?
1. to move file?
2. to ldapmodify?
For someone used to slapd.conf, both ways look weird ... :(
Zeus V. Panchenko jid:email@example.com
IT Dpt., I.B.S. LLC GMT+2 (EET)
Thanks everyone. I agree it would be ideal to differentiate this account
from others. So far it's in its own OU while standard users are in People.
Seeing an error.
dn: uid=preset,ou=Service Accounts,dc=blah
Enter LDAP Password:
adding new entry "uid=preset,ou=Service Accounts,dc=blah"
ldap_add: Object class violation (65)
additional info: invalid structural object class chain
Sorry, I am an LDAP padawan.
Though this does work as it's now in the LDAP server:
dn: uid=preset,ou=Service Accounts,dc=blah
title: Password Reset Account
description: Service Account For Resetting Passwords
I will then grant this account the ability to write to all users in the People
OU. Any security concerns?
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
On Wed, Dec 20, 2017 at 2:07 AM, Michael Ströder <michael(a)stroeder.com>
> MJ J wrote:
> > Service accounts typically use the simpleSecurityObject object class.
> But one needs an appropriate structural object class to add the entry.
> 'simpleSecurityObject' is an auxiliary object class without any naming
> Ciao, Michael.
> > On Tue, Dec 19, 2017 at 9:15 PM, Douglas Duckworth
> > <dod2014(a)med.cornell.edu> wrote:
> >> It seems I created this service account with posixAccount objectClass.
> >> requires uidNumber.
> >> So I need to do some research on what's the appropriate objectClass for
> >> service account. It's used by SSSD and Apache, for example, to perform
> >> binds with our LDAP cluster since we do not allow anon binds. In
> >> ACLs only permit this account, and the Manager, access to read the
> >> directory.
> >> From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I
> >> think I would only need objectClass: account which the service account
> >> already contains. So I could delete the posixAccount objectClass and
> >> uidNumber, gidNumber, homeDirectory, and loginShell?
> >> Thanks,
> >> Douglas Duckworth, MSc, LFCS
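Two pieces the thread above leaves implicit, as an added example rather than anything the posters sent: the "invalid structural object class chain" error means the entry has no structural object class, and a structural class such as `account` can carry the auxiliary `simpleSecurityObject`; and the "any security concerns?" question is best answered by not granting write access to whole user entries at all, but only to `userPassword` under the People OU. The first record is the corrected entry; the second is a cn=config change that must be applied separately (it targets a different database and is normally done with `ldapmodify -Y EXTERNAL -H ldapi:///`). `dc=blah` is kept from the thread; the database RDN `olcDatabase={1}hdb` and the password value are placeholders.

```ldif
# Added example (not the poster's entry). "account" is structural
# (MUST uid; MAY description, seeAlso, host, l, o, ou) and carries the
# auxiliary "simpleSecurityObject" (MUST userPassword). "account" has no
# "title" attribute, so that line is dropped. Generate the hash with slappasswd.
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: account
objectClass: simpleSecurityObject
uid: preset
description: Service Account For Resetting Passwords
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# Second record, applied separately against cn=config. The reset account may
# write userPassword under ou=People and nothing else; users keep the right to
# change their own password and anyone may still use the attribute to bind.
# Inserted at {0} so it is evaluated before any broader "to *" rule.
# Check the database RDN with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
# Continuation lines start with two spaces: LDIF strips the first one and the
# second keeps the tokens from running together.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=People,dc=blah" attrs=userPassword
  by dn.exact="uid=preset,ou=Service Accounts,dc=blah" write
  by self write
  by anonymous auth
  by * none
```

With this in place the reset account cannot change a user's `uid`, `mail`, group memberships or anything else, and a compromise of its password is limited to password resets, which are also the one thing worth alerting on in the slapd log (MOD operations on `userPassword` by that bind DN).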
I am observing a rather strange issue in the following setup:
* 1 OpenLDAP master server (2.4.31)
* 4 OpenLDAP slave servers (2.4.40)
* The OpenLDAP slaves do forward any update attempt to the master using
the chain overlay / proxyauthz (mainly to update the pwdFailureTime
attribute for ppolicy)
If I try to shut the master down (for maintenance, let's say), the slaves
behave properly, then begin to deadlock one after another after a few
minutes (by deadlock I mean no log output anymore, and any ldapwhoami /
ldapsearch request connects and then times out).
On the attached image, I monitored at the same time one of the slaves
using collectd, to keep an eye on cn=monitor data (the period between
15:24:30 and 15:26:00 has been extrapolated by Grafana, no data is
available at this time since cn=monitor access also deadlocks)
I can see that backload / pending threads and waiters seem to increase
gradually until the server gets unresponsive.
I found nothing on the ML (except
or searching for clues. Is this predictable behavior or an obvious
misconfiguration, or is it an interesting occasion to dig a bit deeper?
Thanks in advance,
Infrastructure, BU Means @ NBS System
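The symptom described above, threads and waiters climbing until the slave stops answering while the master is down, is what an unbounded wait in the chained connection looks like, so the first thing to check in a setup like this is whether every back-ldap wait inside the chain overlay has a timeout. The slapd.conf fragment below is an added example, not the poster's configuration: it shows a consumer-side chain overlay with the proxyauthz identity the poster mentions and with connect, operation, idle and connection-lifetime limits set, so a thread chaining to an unreachable master gives up and returns an error instead of holding its slot. Hostnames, DNs, the proxy account and the timeout values are assumptions; whether this is the actual cause of the deadlock is not established by the thread.

```conf
# Added example (not from the thread): chain overlay on a consumer (slave)
# with every wait towards the master bounded. Values are assumptions.
overlay               chain
chain-uri             "ldap://master.example.com/"
# Forward writes (e.g. pwdFailureTime updates from ppolicy) under the proxy
# identity while asserting the original user; the master must grant this
# identity authzTo for the user subtree ("authz-policy to").
chain-idassert-bind   bindmethod=simple
                      binddn="cn=chain-proxy,dc=example,dc=com"
                      credentials="CHANGE-ME"
                      mode=self
# Return the master's result, or the failure, to the client instead of the
# referral, so clients are not left chasing an unreachable master themselves.
chain-return-error    TRUE
# Bounds: a TCP connect to the master fails after 5 s, a chained bind or
# modify is abandoned after 10 s / 15 s, idle connections are closed after
# 60 s and any connection is re-established after 300 s, so a half-dead
# socket to a master that went away is never reused indefinitely.
chain-network-timeout 5
chain-timeout         bind=10 modify=15
chain-idle-timeout    60
chain-conn-ttl        300
```

Validate with `slaptest -u` after editing, then reproduce the maintenance case on one slave while watching `cn=monitor` as in the graph: with the timeouts in place the pending-operation count should plateau at the number of clients retrying, not grow without bound.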
I am trying to configure OpenLDAP on CentOS 6.8 with SSL.
LDAP version :
@(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $
LDAP service is running with ldaps:// support :
ps -ef | grep slap
ldap 22182 1 0 20:07 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -u ldap
root 22193 22118 0 20:07 pts/0 00:00:00 grep slap
netstat -plane | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 0 45649460 22182/slapd
tcp 0 0 :::636 :::* LISTEN 0 45649461 22182/slapd
When I try to do an LDAP search, it fails to connect and the log shows :
Dec 31 13:02:12 slap01 slapd: conn=1119 fd=13 ACCEPT from
Dec 31 13:02:12 slap01 slapd: conn=1119 fd=13 closed (TLS
My /etc/openldap/slapd.conf file has the following lines :
What else do I need to make OpenLDAP work with my Let's Encrypt
I've tried adding :
But no success.
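The configuration lines the poster refers to did not survive, so here is an added example of the TLS directives a slapd.conf needs for a Let's Encrypt certificate; it is not the poster's file and the hostname in the paths is an assumption. Certificate and intermediate chain are kept as separate PEM files, which both an OpenSSL-linked slapd and the Mozilla NSS-linked build shipped on CentOS 6 accept.

```conf
# Added example (not from the thread): TLS settings in /etc/openldap/slapd.conf
# for a certificate issued by Let's Encrypt. Replace ldap.example.com.
TLSCACertificateFile  /etc/letsencrypt/live/ldap.example.com/chain.pem
TLSCertificateFile    /etc/letsencrypt/live/ldap.example.com/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/ldap.example.com/privkey.pem
# slapd runs as the "ldap" user (see the ps output above), while
# /etc/letsencrypt/live and /etc/letsencrypt/archive are created root-only.
# An unreadable private key fails TLS setup on every connection and is logged
# as a TLS negotiation failure. Rather than loosening permissions on
# /etc/letsencrypt, copy the three files into a directory the ldap user can
# read from a certbot renewal (deploy) hook and point these directives there.
```

Two checks that separate server-side from client-side causes: `sudo -u ldap cat /etc/letsencrypt/live/ldap.example.com/privkey.pem` confirms the daemon can read the key, and `openssl s_client -connect ldap.example.com:636 -showcerts` shows whether the server presents the certificate and chain at all. If the server side is fine but `ldapsearch` still fails, the client must trust the chain: set `TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt` in /etc/openldap/ldap.conf. Also confirm which configuration slapd is actually reading: the ps output shows no `-f` or `-F` option, and on CentOS 6 slapd prefers /etc/openldap/slapd.d when that directory exists, in which case edits to slapd.conf are ignored entirely and the TLS settings belong on `cn=config` as `olcTLSCACertificateFile`, `olcTLSCertificateFile` and `olcTLSCertificateKeyFile`. `slaptest -u` validates either form before a restart.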