openldap-technical

openldap-technical@openldap.org

14 participants
9795 discussions

passwd, proxying, and idassert-authzFrom
by David Magda 19 Apr '16

19 Apr '16

Hello, I have a master OpenLDAP server, with a bunch of slaves, and then Linux clients talking to the slaves. We've used olcUpdateRef/updateref for a while, but have a situation where we need to proxy connection on behalf of clients via the slaves. So we have configured a slapo-chain(5) overlay, with the following settings: olcDbURI: ldap://10.0.0.555/ olcDbIDAssertBind: bindmethod=simple \ binddn="cn=update,dc=example,dc=ca" \ credentials=s3cr3t mode=self olcDbRebindAsUser: TRUE However, when users try to run passwd(1) (with pam_ldap.conf(5) having the "pam_password exop" setting) they get: > LDAP password information update failed: Strong(er) authentication required only authenticated users may change passwords > passwd: Permission denied > passwd: password unchanged On the master, we have: > Apr 12 13:14:00 ops slapd[26119]: conn=16 fd=32 ACCEPT from IP=111.222.333.444:59985 (IP=0.0.0.0:389) > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 BIND dn="" method=128 > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 RESULT tag=97 err=0 text= > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 PASSMOD > Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 RESULT oid= err=8 text=only authenticated users may change passwords The (cn=update...) DN has an "authzTo" attribute set to "{0}dn.regex:^uid=[^,]+,ou=People,dc=example,dc=ca". I'm guessing I may need to set idassert-authzFrom (olc equiv?) to something. Is this correct? If so, should it be restricted to ou=People? If not, what am I missing? Thanks for any info. Regards, David

1 1

Re: Openldap vs 389
by Achilleas Mantzios 19 Apr '16

19 Apr '16

On 19/04/2016 13:41, Emmanuel Lécharny wrote: > Le 19/04/16 11:39, Achilleas Mantzios a écrit : >> On 19/04/2016 12:20, Emmanuel Lécharny wrote: >>> Le 19/04/16 10:47, Achilleas Mantzios a écrit : >>>> Hello, >>>> >>>> I have been testing sporadically openldap two years now, including >>>> many advanced features, sql, ppolicy, etc we are currently evaluating >>>> openldap along with redhat's 389 for enterprise use as RBAC, on which >>>> we will built upon our existing infrastructure. We want to have full >>>> password policy enabled, in order to meet requirements for passing SOX >>>> (Sarbanes Oxley) compliance. >>>> 389's documentation is lousy, I haven't tried anything exotic (sql, >>>> etc) with it, the reason we are looking at it is because it is favored >>>> by kolab.org and likely to come as standard in future kolab versions. >>>> So I would like your opinion on this. Pros/Cons to choose openldap or >>>> 389 directory server as our long term strategic decision? >>>> >>> If you are interested in RBAC, know that there is a Java API that >>> implements RBAC at http://directory.apache.org/fortress/ (1.0.0 have >>> just been released last week). It works with OpenLDAP as a backend (and >>> some other LDAP server too). >> Hi I had talked with a SYMAS person some years ago regarding fortress, >> this is also hosted by openldap : http://www.openldap.org/fortress/ >> So who manages fortress? > It has moved to the Apache Foundation 2 years ago. Thanx for the insight. > > >> By the test we had done with openldap it seemed that marginally we >> could meet our password policy requirements. > Here, you will have to tell us more about your requirements. Right, we have an inhouse application running on Java EE, which we have been developing for the last 16 years. We use mostly classic form-based j2ee declarative security. We have been using IBM Lotus Notes Domino Server and its bundled LDAP server, by writing our own login module for Jboss. But lotus's LDAP is of limited potential. Now we need to have the following features : - support password strength and also communicate relevant error codes/messages back to the calling client (e.g. jboss login module) - handle correctly while in period of passwd expiration warning (error codes/messages) - handle correctly after period of passwd expiration, but within the grace limit (error codes/messages) - support password history (error codes/messages) - handle correctly after period of passwd expiration, and also after grace limit (error codes/messages) - account explicitly locked (error codes/messages) - handle pwdMustChange & pwdReset (error codes/messages) - account explicitly locked after pwdMaxFailure (error codes/messages) According to some tests we had done back in 2014, we had it all covered, in theory. Our idea was to have some supplementary roles assigned to the user, denoting of any outstanding state of the account, and then add this role to the user, inside the login module, and then use an hybrid approach of declarative security + some filters + some programmatic security to allow the user to have a full RBAC experience -- Achilleas Mantzios IT DEV Lead IT DEPT Dynacom Tankers Mgmt

2 2

Re: Openldap vs 389
by Achilleas Mantzios 19 Apr '16

19 Apr '16

On 19/04/2016 12:20, Emmanuel Lécharny wrote: > Le 19/04/16 10:47, Achilleas Mantzios a écrit : >> Hello, >> >> I have been testing sporadically openldap two years now, including >> many advanced features, sql, ppolicy, etc we are currently evaluating >> openldap along with redhat's 389 for enterprise use as RBAC, on which >> we will built upon our existing infrastructure. We want to have full >> password policy enabled, in order to meet requirements for passing SOX >> (Sarbanes Oxley) compliance. >> 389's documentation is lousy, I haven't tried anything exotic (sql, >> etc) with it, the reason we are looking at it is because it is favored >> by kolab.org and likely to come as standard in future kolab versions. >> So I would like your opinion on this. Pros/Cons to choose openldap or >> 389 directory server as our long term strategic decision? >> > If you are interested in RBAC, know that there is a Java API that > implements RBAC at http://directory.apache.org/fortress/ (1.0.0 have > just been released last week). It works with OpenLDAP as a backend (and > some other LDAP server too). Hi I had talked with a SYMAS person some years ago regarding fortress, this is also hosted by openldap : http://www.openldap.org/fortress/ So who manages fortress? By the test we had done with openldap it seemed that marginally we could meet our password policy requirements. > > Regarding OpenLDAP, obviously, this list is clearly biased. Now, let's > see what you can find on the Internet : > > http://www.slideshare.net/ldapcon/benchmarks-on-ldap-directories > Thanx! > -- Achilleas Mantzios IT DEV Lead IT DEPT Dynacom Tankers Mgmt

1 0

Openldap vs 389
by Achilleas Mantzios 19 Apr '16

19 Apr '16

Hello, I have been testing sporadically openldap two years now, including many advanced features, sql, ppolicy, etc we are currently evaluating openldap along with redhat's 389 for enterprise use as RBAC, on which we will built upon our existing infrastructure. We want to have full password policy enabled, in order to meet requirements for passing SOX (Sarbanes Oxley) compliance. 389's documentation is lousy, I haven't tried anything exotic (sql, etc) with it, the reason we are looking at it is because it is favored by kolab.org and likely to come as standard in future kolab versions. So I would like your opinion on this. Pros/Cons to choose openldap or 389 directory server as our long term strategic decision? -- Achilleas Mantzios IT DEV Lead IT DEPT Dynacom Tankers Mgmt

2 2

LMDB: file size increase (due to new free pages) even though write transaction does not add/update items
by Argyrios Kyrtzidis 18 Apr '16

18 Apr '16

Hi, Thank you for making LMDB available. I’m using LMDB on OSX (without MDB_WRITEMAP, so the database file size is relative to the stored data, not the max mapsize). I’ve noticed that write transactions that have a large number of ‘attempted’ updates, but that do not actually make any updates due to MDB_NOOVERWRITE / MDB_NODUPDATA, cause an increase in the database file size, which mdb_stat attributes to an increased number of free pages. This is with latest master of the github mirror. I’m wondering if you have any hints on what I may be doing wrong ? I’d like if possible to avoid the database size increasing if the write pass did not make any updates.

2 5

IP based and FQDN based certificate on same LDAP node
by Prashanth P.Nair 18 Apr '16

18 Apr '16

Hi Currently my LDAP server is having self signed FQDN based SSL certificate .I would like to have IP based SSL certificate for the same node.IS that feasible ? Below certificate issued to FQDN i.e CN=FQN. TLSCACertificateFile /etc/ssl/ldap.pem TLSCertificateKeyFile /etc/ssl/ldap.pem TLSCertificateFile /etc/ssl/ldap.pem Br/Prashanth.

2 1

ldap_sync(3) function usage
by Frank Crow 18 Apr '16

18 Apr '16

I'm wanting to write a client in C/C++ that does a "refresh and persist" sync search on an entry. I'm looking at the ldap_sync(3) man page and that looks like it would do most things that I need. I can't find any example code that is using that interface, so if somebody could point me to any that does, I'd really appreciate it. I do understand that I need to initialize the API with the ldap_sync_initialize() to get an ldap_sync_t structure. The members of the structure seem straightforward enough but I don't understand how I connect my ldap connection (LDAP*) to this API. How does that work?? Also, I don't understand how the different function typedefs work. I mean that I understand that I need four functions: ldap_sync_search_entry_f my_search_entry(...); ldap_sync_search_reference_function_f my_search_reference(...); ldap_sync_search_intermediate_f my_search_intermediate(...); ldap_sync_search_result_f my_search_result(...); But how does the ldap_sync(3) API become aware of those functions? Or... is there an easier way to do what I want? Looks like the ldapsearch command line tool just adds a control to the search (-E sync=rp) and handles the resulting messages as necessary. Should I be trying to do that instead of using ldap_sync(3)? Thanks, -- Frank

2 1

Possible to have IP based and FQDN based certificate on same LDAP node ??
by Prashanth P.Nair 18 Apr '16

18 Apr '16

Hi All Currently my LDAP server is having self signed FQDN based SSL certificate .I would like to have IP based SSL certificate for the same node.IS that feasible ? Below certificate issued to FQDN i.e CN=FQN. TLSCACertificateFile /etc/ssl/ldap.pem TLSCertificateKeyFile /etc/ssl/ldap.pem TLSCertificateFile /etc/ssl/ldap.pem Please advise on the same. Br/Prashanth.P

2 2

Question about MDB_INTEGERKEY flag
by Greg Heinrich 16 Apr '16

16 Apr '16

Hello, sorry for being a noob but I have a question regarding the MDB_INTEGERKEY flag. I am using the LMDB library through Lua wrappers from https://github.com/shmul/lightningmdb. I have an LMDB file which was created with keys that are named "key0", "key1", ... When I open the database with mdb_dbi_open(txn, NULL, MDB_INTEGERKEY, & dbi) and enumerate keys with successive calls to mdb_cursor_get(cursor, &key, &val, MDB_NEXT) the key values that I read are the same as in the LMDB (i.e. "key0", ...). Since I am using the MDB_INTEGERKEY flag I was hoping to read keys as 1,2,3, etc. And I thought I would then be able to retrieve entries doing e.g. mdb_get(txn, dbi, "1", &data). Am I doing anything wrong or is MDB_INTEGERKEY just used to enforce integer keys when putting entries? To give my question some background: what I am trying to achieve is to read entries in my LMDB file in random/arbitrary order. Since I have may 10 million entries or more, I do not want to store keys in memory. I'd rather retrieve entries using an index. Is that possible? Note that I do not have control over the key naming convention so keys could be named anything. Thanks! Greg.

2 1

Q: accesslog and replicated changes
by Ulrich Windl 15 Apr '16

15 Apr '16

Hello! I have configured accesslog to log all changes to an LDAP server, and that seems to work for months. Recently I noticed that that there wee no new entries for more than a week. Usually there are several entries per day, because with password policy every bad login attempt is logged. As we have three multi-master servers, I wonder whether changes made to other servers and replicated to the local server will be logged by accesslog also. Are the password policy updates (which are somewhat special) also replicated to all servers? As a matter of fact, I got some new entries today (as if the system knew I wanted to report the problem today ;-)) But he first entry for this month was stamped "20160413051836.000002Z", so there were no entries for almost two weeks. The server has connections from 9 clients with each client having 1 to 64 connections to the server open (so the server does not seem to be very idle). Can anybody share some insights on that? As we use BDB for accesslog, I had a look yesterday, and the "*.bdb" files had an "old date", while the redo log and the "__db.*" files had a current date. I learned that changes done to a file via mmap() doesn't update the modification time of the file on Linux, so maybe the file date doesn't say much. At least the redo log's timestamp of the main database seems to match that of the acesslog database (which seems good). Regards, Ulrich

3 3

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical