openldap-technical January 2021

openldap-technical@openldap.org

25 participants
27 discussions

Bind to OpenLDAP with a user not in DN format
by gary.algier＠mavenir.com 17 Jan '21

17 Jan '21

Hello, I need to bind sometimes with a username that is not in DN format. I have tried to use authz-regexp to translate it but I am not successful. I have created a few entries and I can authenticate with the Manager DN. I can also authenticate with other entries when I explicitly use a DN, but when I use something that does not start with "dn=", it fails. I have this entry that I want to use for authentication: dn: cn=ServiceAccount(a)old-domain.com,dc=old-domain,dc=Com cn: ServiceAccount(a)old-domain.com sn: ServiceAccount(a)old-domain.com objectClass: person userPassword: {hidden} When I use the full DN as an argument of the -D option of ldapsearch it works. I have this in slapd.conf: authz-regexp uid=([^,]*).*,cn=auth cn=$1,dc=old-domain,dc=Com When I run: slapauth ServiceAccount(a)old-domain.com I see: ID: <ServiceAccount(a)old-domain.com> check succeeded authcID: <cn=ServiceAccount(a)old-domain.com,dc=old-domain,dc=com> So it looks like it can translate. But when I try to use: ldapsearch -x -DServiceAccount(a)old-domain.com ... I get: ldap_bind: Invalid DN syntax (34) additional info: invalid DN I have a system that sends the "service account" for user searches in this format. I.E. not a DN. I can't change the client. Does anyone have any ideas why SLAPD does not translate? Or do I need to turn on a "allow non-DNs" switch? Or is it actually the ldapsearch command that is complaining. If the latter, is there a way to test? Gary

3 4

Support of signing requirement on Windows
by Árpád Nagy 15 Jan '21

15 Jan '21

Hi Team, Does latest release (OpenLDAP 2.4.56) support LDAP signing requirement for Windows 10 / Windows Server 2016? Currently in our project we have a 32 bit Windows Service which use the OpenLDAP libldaplber.dll for simple bind to Microsoft AD server. Now we have a new requirement to support signing requirement on Windows environment (Windows AD). Therefore instead of simple bind we have to use GSSAPI for LDAP bind as I understand. I am relative new with OpenLDAP and my further question is that OpenLDAP supports this scenario on Windows? Thanks in advance! Regards, Arpad

1 0

The NULL into the description (text) error message.
by Pavel Demidov 15 Jan '21

15 Jan '21

Hello, I'm using OpenLdap 2.4.44 with delta-replication. At the master node i get the error messages. RESULT tag=103 err=19 text=Password is in history of old password at the slave node RESULT tag=103 err=19 text= Are any way to get full text message at the slave node Cheers, Paddey

1 0

Replicating users from OpenLDAP server to another
by Harri T. 15 Jan '21

15 Jan '21

Hi, Is it possible to integrate two OpenLDAP servers so that some users (filtered by some criteria) are replicated from one server to another (but not vice versa)? Does OpenLDAP provide some functionalties for this or must I write a cron scheduled shell script utilizing ldapsearch and ldapmodify? Any advice or configuration example is appreciated. Kind regards, Harri

3 4

ldap_modify: Undefined attribute type (17)
by CLARKE, ED C 14 Jan '21

14 Jan '21

Hello, While trying to reset a user's password, I am getting the below error: ldap_modify: Undefined attribute type (17) additional info: pwdReset: attribute type undefined the same script runs fine on our other LDAP server, your thoughts? Here is a copy of the ldif file: dn: uid=foxdiv,ou=People,dc=att,dc=com changetype: modify replace: pwdReset pwdReset: TRUE - replace: userPassword userPassword: xxxxxxxxx Thanks, Ed Ed Clarke Senior Software Engineer Operations Transformation, Real-time Automation & Predictive Insights<http://mysolutions.dev.att.com/GNFO_Solutions/index.jsp> "RAPID" Certified Quality Eng. - ISO 9000/1 Six Sigma - Yellow Belt AT&T Veterans AT&T "ATO" 1010 Pine ST. Shared, St. Louis, MO. 63101 m 636.639.0713 | o 314.335.3158 | ec4397(a)att.com<mailto:ec4397@att.com>

2 1

OpenLDAP proxy to AD but local authentication for search
by Gary Algier 12 Jan '21

12 Jan '21

Hello, I have installed the LDAP Tool Box version of OpenLDAP on Centos8 for the purpose of a proxy to AD. My proxy needs to "translate" from our old AD domain to our new AD domain (I hate company name changes!). We have some software that access our old domain with certain credentials, does searches for groups and users then binds as the appropriate user to authenticate the user. From this legacy system I need to be able to: 1. Bind to the proxy with credentials I can't change. These look like user "special-user(a)old.com". (Not a typical DN, looks more like a user principal). 2. Search a particular subtree for users and bind as that user to authenticate. 3. Search another subtree for groups and use an ad-style membership check to determine who is a user, who is an admin, etc. I need to be able to authenticate for the searching using the above special user, but the proxy operation should use a different set of credentials when searching the backend. I also need to translate subtrees and possibly individual DNs. This is my (sanitized) slapd.conf: ------------------------------------------------- include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/misc.schema include /usr/local/openldap/etc/openldap/schema/nis.schema pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args database mdb maxsize 1073741824 suffix "dc=old-domain,dc=com" rootdn "cn=Manager,dc=old-domain,dc=com" rootpw secret directory /usr/local/openldap/var/openldap-data index objectClass eq database meta suffix "dc=old-domain,dc=com" readonly yes protocol-version 3 uri "ldap://dc1:3268,ldap://dc2:3268" suffixmassage "ou=old-tree,DC=old-domain,DC=com" "ou=new-tree,DC=new-domain,DC ------------------------------------------------- I figured out what I think should be done in translating domains, subtrees, etc. What I can't figure out is how to accept the "special-user(a)old.com" on the front and then use another "Service Account" through the backed so I can search for users. Once the frontend rebinds with the user's credentials, that needs to pass through. Can anyone help me have a "split personality" when it comes to authentication? Gary A. Algier E-mail: Gary.Algier(a)Mavenir.com ________________________________ This e-mail message may contain confidential or proprietary information of Mavenir Systems, Inc. or its affiliates and is intended solely for the use of the intended recipient(s). If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies in your control and contact us by e-mailing to security(a)mavenir.com. This message contains the views of its author and may not necessarily reflect the views of Mavenir Systems, Inc. or its affiliates, who employ systems to monitor email messages, but make no representation that such messages are authorized, secure, uncompromised, or free from computer viruses, malware, or other defects. Thank You

1 0

delta-syncrepl and accesslog backup
by paul.jc＠yahoo.com 08 Jan '21

08 Jan '21

Hello all, I am migrating to delta-syncrepl and have a couple questions. I currently back-up my data.mdb file for restore purposes (using mdb_copy). Now that I am using delta-syncrepl, do I also need to be concerned with the accesslog data.mdb file in the event of a restore? What is the sync behavior of a consumer if it is configured to use delta-syncrepl and the provider is restored but not the accesslog?(i.e. the accesslog would be new on initial start of slapd after a restore)? Files in question: /var/lib/ldap/data.mdb /var/lib/ldap/accesslog/data.mdb Thanks for any input, Paul

3 3

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2021