Understanding slapd connections
by Igor Zobin
Hello everyone!
I am struggling to understand what exactly the command lsof -i tcp:389 is
showing.
What exactly is counted as an established connection here?
Can I limit that amount somehow through slapd configuration?
Can I monitor which of those connections shown by lsof are still in use and
which just hang around doing nothing?
Igor.
2 years, 10 months
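Added here as a worked example, not part of Igor's post or a reply from the list: each line lsof reports as ESTABLISHED is a TCP socket slapd still holds open, whether or not an LDAP operation is in flight on it. slapd has no direct cap on the number of connections (that comes from the process's file-descriptor limit), but it can reclaim idle ones and bound the work queued per connection; the timeout and queue values below are assumptions, the attribute names are cn=config's own.

```ldif
# Added example: global cn=config settings that bound idle and queued
# connections (values are illustrative, not from the thread).
dn: cn=config
changetype: modify
replace: olcIdleTimeout
olcIdleTimeout: 300
-
replace: olcConnMaxPending
olcConnMaxPending: 100
-
replace: olcConnMaxPendingAuth
olcConnMaxPendingAuth: 1000

# olcIdleTimeout: seconds without client activity after which slapd closes
#   the connection; this is what removes sockets that "just hang around".
# olcConnMaxPending / olcConnMaxPendingAuth: maximum queued (unanswered)
#   operations per anonymous / authenticated connection before slapd drops
#   it, which limits how much work one client can pile up.
#
# To tell busy connections from idle ones, enable back-monitor and read the
# per-connection entries under cn=Connections,cn=Monitor:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=Connections,cn=Monitor \
#     monitorConnectionPeerAddress monitorConnectionAuthzDN \
#     monitorConnectionOpsExecuting monitorConnectionOpsCompleted \
#     monitorConnectionActivityTime
# A connection with monitorConnectionOpsExecuting 0 and an old
# monitorConnectionActivityTime is one lsof still shows as ESTABLISHED but
# that is doing nothing.
```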
Re: pwdRESET not working
by Net Warrior
Hello
When I force the expiration by changing pwdMaxAge, what I see in the
log is the following:
ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins
I test the login, I get the two warnings as configured, but the user is
never forced to change it and can log in as usual. Any hint on this?
I was expecting something like this; this is from my old notes (2013),
at that time it worked:
You are required to change your LDAP password immediately.
Last login: Wed Feb 13 12:07:38 2013 from server.domain.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user pmorales.
Enter login(LDAP) password:
My sss configuration
# sssd::config
[sssd]
domains = domain
services = nss, pam, ssh, sudo
config_file_version=2
[domain/zebra]
# sssd::provider::ldap
id_provider=ldap
auth_provider=ldap
chpass_provider=ldap
ldap_uri=ldap://openldap.domain.com
ldap_chpass_uri=ldap://openldap.domain.com
ldap_search_base=dc=domain,dc=com
ldap_tls_reqcert=never
ldap_tls_cacert=/etc/openldap/cacerts/ca_certs.pem
ldap_tls_cacertdir=/etc/openldap/cacerts
ldap_id_use_start_tls=false
ldap_user_search_base=ou=Users,dc=domain,dc=com
ldap_group_search_base=ou=Groups,dc=domain,dc=com
debug_level=6
ldap_sudo_search_base=cn=sudo,ou=Groups,dc=domain,dc=com
ldap_chpass_update_last_change=true
ldap_user_shadow_last_change=shadowLastChange
ldap_pwd_policy=shadow
nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
System-Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_mkhomedir.so umask=0077
Password Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_mkhomedir.so umask=0077
Thanks
Regards
2018-05-10 11:45 GMT-03:00 Net Warrior <netwarrior863(a)gmail.com>:
> Hi
>
> From time to time I need to reset user passwords when they forget them, so I
> want to force them to change it when they connect over SSH. As far as I
> remember this worked before (I do not remember which OpenLDAP version it was,
> a long time ago). Anyway, how can I force users to change their passwords upon
> SSH connection? Or is it not possible anymore?
>
>
> Thanks
> Regards
>
>
> On 05/08/2018 09:25 AM, Clément OUDOT wrote:
>>
>>
>> Le 03/05/2018 à 16:23, Net Warrior a écrit :
>>>
>>> Hello there guys, when setting pwdReset to TRUE I cannot log in to
>>> the system anymore, I just get permission denied, then I found this.
>>>
>>> https://github.com/pwm-project/pwm/issues/155
>>>
>>> Did I face that bug or maybe it's something else?
>>
>>
>> It's not a bug. If pwdReset is set to TRUE, the BIND will be successful,
>> but you will not be allowed to do any operation other than changing the
>> password. If your application is doing a SEARCH just after the BIND, you
>> will be denied.
>>
>>
>>
>
2 years, 10 months
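Added as a worked example, not from the thread and not a reply by any participant: the server-side policy pieces behind the behaviour Clément describes. With slapo-ppolicy, pwdReset only restricts a session when the policy applied to the entry has pwdMustChange TRUE; the policy DN, the ageing values and the placeholder password below are assumptions, the user DN is the one from the log line above.

```ldif
# Added example (not from the thread): a ppolicy entry under which an
# administrative password reset forces a change at the next bind. It has to
# be wired in as the default policy (ppolicy_default / olcPPolicyDefault)
# or referenced from the user via pwdPolicySubentry; values are assumptions.
dn: cn=default,ou=policies,dc=domain,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE

# The administrator resets the user's password (placeholder value). Because
# the modifier is not the entry itself and pwdMustChange is TRUE, the
# overlay sets pwdReset: TRUE on uid=jdoe. The next BIND with the new
# password succeeds, but until the user replaces it every other operation
# (a SEARCH included) is rejected with insufficientAccessRights, which is
# the "permission denied" seen when pwdReset is TRUE.
dn: uid=jdoe,ou=Users,dc=domain,dc=com
changetype: modify
replace: userPassword
userPassword: TEMPORARY-PASSWORD-PLACEHOLDER
```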
ldapdelete: Invalid DN on an Accesslog generated DN
by Giuseppe Civitella
Hi all,
while doing some tests to enable accesslog in my directory, I enabled the
overlay and then disabled it because of login problems.
Once I restored the directory, I found a few entries like this:
dn: reqStart=20180509102412.000000Z,BASEDN
objectClass: auditModify
structuralObjectClass: auditModify
REQSTART: 20180509102412.000000Z
REQEND: 20180509102412.000001Z
REQTYPE: modify
REQSESSION: 1679
REQAUTHZID: cn=admin,BASEDN
REQDN: cn=gcivitella,ou=users,BASEDN
REQRESULT: 0
REQMOD: description:= description utente gcivitella (update check accesslog)
REQMOD: entryCSN:= 20180509102412.246481Z#000000#000#000000
REQMOD: modifiersName:= cn=admin,BASEDN
REQMOD: modifyTimestamp:= 20180509102412Z
REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b
entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3
creatorsName: cn=admin,BASEDN
createTimestamp: 20180509102412Z
entryCSN: 20180509102412.246481Z#000000#000#000000
modifiersName: cn=admin,BASEDN
modifyTimestamp: 20180509102412Z
Now I'm unable to delete them. I get an "invalid DN" error:
ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v "reqStart=20180509102412.000000Z,BASEDN"
ldap_initialize( ldap://127.0.0.1:389/??base )
Enter LDAP Password:
deleting entry "reqStart=20180509102412.000000Z,BASEDN"
ldap_delete: Invalid DN syntax (34)
additional info: invalid DN
Is there a way to force the deletion or temporarily disable the schema check?
Best regards,
Giuseppe
2 years, 11 months
Schema for a sql->ldap server
by James Cloos
I wonder if anyone can offer some tips on how the ldap schema should
look for the setup below.
The docs for how to use openldap's sql backend are good; it is only the
schema I'm unsure of.
The data currently resides in a sql db, and some users have devices
which can access data via ldap.
One table has data similar to what would work for inetOrgPerson,
except that email addresses and inet domains are not guaranteed.
Another table has data specific to each device; we'd want the devices to
use that name/pw tuple to access the ldap data, not the person-specific
name/pw tuple.
The end-users will primarily be interested in contact details for people
from the first table.
Also, the sql covers multiple customers, and each device should only see
the data from the customer with which it is associated.
Generating a dn for each company is the first issue.
Does it work to just use the company name w/o any hierarchy?
I presume that the devices will also need a DN, to use their name/pw
tuples for access, yes? I'm also unsure how to define those DNs.
Are there any good references for doing ldap w/o using internet concepts
for the naming?
-JimC
--
James Cloos <cloos(a)jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
2 years, 11 months
Search only few subtrees under baseDN
by Ervin Hegedüs
Hi,
maybe the subject doesn't convey my real question... and maybe
this is a recurring topic... sorry.
Scenario: there is a database with several DCs, all DCs divided into
several OUs, and most OUs contain several other OUs.
dc=hu
  + dc=company1
  + dc=company2
    + dc=sub-company21
      + ou=orgunit1
      + ou=orgunit2
      + ou=orgunit3
and there are several users.
Take a look at two examples:
uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs to
read the ou=orgunit1 and ou=orgunit2.
uid=admin2,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs
to read full dc=sub-company21 subtree.
All of them are WORKING now as well with ACLs.
But now, the admin1 user needs to set up two different connections
in GUI browser, because he can't set up the
dc=sub-company21,dc=company2,dc=hu as baseDN.
When he uses the search through the API, then he needs to make two
different lookups to collect all nodes from the DB, and merge them.
Is there any way to set up one or more ACLs, where the admin1 user
can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and
can start to search from there, but will see the entries only
from ou=orgunit1 and ou=orgunit2?
Hope that's clear...
Thanks,
a.
2 years, 11 months
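Added as a worked example, not part of the original post or a list reply: an ACL ordering that lets admin1 use dc=sub-company21,dc=company2,dc=hu as the search base while only entries under ou=orgunit1 and ou=orgunit2 come back. It relies on slapd's behaviour that a subtree search needs only search access to the base entry's entry attribute and silently omits entries the requester has no search access to; the database index {1}, and that the existing rules for admin2 and the userPassword auth rule sit further down the list, are assumptions.

```ldif
# Added example (not from the thread). Inserted at the head of the existing
# olcAccess list of the assumed olcDatabase={1}mdb; "by * break" hands every
# other identity on to the rules already in place.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.base="dc=sub-company21,dc=company2,dc=hu" attrs=entry
  by dn.exact="uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu" search
  by * break
olcAccess: {1}to dn.subtree="ou=orgunit1,dc=sub-company21,dc=company2,dc=hu"
  by dn.exact="uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu" read
  by * break
olcAccess: {2}to dn.subtree="ou=orgunit2,dc=sub-company21,dc=company2,dc=hu"
  by dn.exact="uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu" read
  by * break

# Rule {0} is the new piece: "search" on the base entry's entry attribute is
#   the minimum for slapd to accept it as a search base, and because it is
#   limited to attrs=entry admin1 still reads nothing from that entry.
# Rules {1} and {2} are the read grants (read implies search) that admin1
#   presumably already has in some form; they are restated so the set is
#   complete on its own.
# Everything else under sub-company21 (ou=orgunit3, ou=some-org, the
#   intermediate entries) stays hidden from admin1 as long as no later rule
#   grants admin1 search on it; a subtree search from the base then returns
#   only the two org units. Check from admin1's point of view with:
#   ldapsearch -x -H ldap://localhost \
#     -D "uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu" -W \
#     -b "dc=sub-company21,dc=company2,dc=hu" "(objectClass=*)" dn
```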
How to present the memberOf attribute in a syncrepl setup?
by Robert Minsk
        /-----------------------------------\
        | master1 <- mirror repl -> master2 |
        \-----------------------------------/
            ^             ^             ^
            |             |             |
         syncrepl      syncrepl      syncrepl
            |             |             |
        /-------\     /-------\     /-------\
        |cache01|     |cache02| ... |cache n|
        \-------/     \-------/     \-------/
The master servers are using mirror replication and are behind a load balancer setup for active/passive failover. All writes go to the active master where the "member" attribute is maintained for the groups. The cache servers get their data from the master servers using syncrepl replication. All the end clients connect to the cache servers.
I need to be able to present the memberOf attribute on users on the cache servers. The man page for slapo-memberof states that it is not compatible with syncrepl. Because of this the cache servers are using slapo-dynlist to create the memberOf attribute. The problem is, since I am using a dynamic list, I cannot search using the memberOf attribute, only query its value. I need to be able to search by the memberOf attribute.
What is the recommended way to generate the memberOf attribute? Should I modify the schema for a user and somehow maintain the memberOf attribute on the masters? I am a bit worried about this since, looking at the slapo-memberOf source, the memberOf attribute is flagged as a DSAOperation.
2 years, 11 months
About Openldap's functional testing
by 郦旺
To whom it may concern,
I am a student who is interested in software reliability. After reading the Administrator's Guide, I only found tests like “make test” that test the build before installation.
Because I need to do some experiments, I wonder if there are some official functional tests against an existing installation of OpenLDAP.
Thanks,
Wang
2 years, 11 months