openldap-technical

openldap-technical@openldap.org

21 participants
9802 discussions

OpenLDAP Samba4
by Pascal den Bekker 29 Aug '13

29 Aug '13

Hello, I want to use openldap as a backend for Samba4. I set up the openldap with a different port, because samba4 has an own "ldap" server running on port 389. I set up the standard config for samba4 like this: passdb backend = ldapsam:ldap://ldap.example.com:3389 ldap suffix = dc=ldap,dc=example,dc=com ldap user suffix = ou=users ldap group suffix = ou=groups ldap machine suffix = ou=computers ldap idmap suffix = ou=Idmap ldap delete dn = no ldap admin dn = cn=admin,dc=ldap,dc=example,dc=com ldap ssl = no ldap passwd sync = yes idmap_ldb:use rfc2307 = Yes invalid users = root Created also the ou's in openldap, added a couple of users in openldap. Also set the smbpasswd, but everytime when I try to ask the openldap through samba. Im getting: smbldap_search_domain_info: Adding domain info for OPENCHANGE failed with NT_STATUS_UNSUCCESSFUL Do I still need to load the samba.schema in openldap ? And when yes.. How do I do that?? openldap: 2.4.31 samba: 4.0.1 OS: Debian Wheezy Cheers, -- Pascal den Bekker Linux System Administrator Affinitas GmbH | Kohlfurter Straße 41/43 | 10999 Berlin | Germany email: pascal_den.bekker(a)affinitas.de | tel: +49 30 868 000 140 www.edarling.de | www.shopaman.de Geschäftsführer: Lukas Brosseder, David Khalil, Michael Schrezenmaier Eingetragen beim Amtsgericht Berlin-Charlottenburg, HRB 115958

3 3

Object not found
by espeake＠oreillyauto.com 28 Aug '13

28 Aug '13

I have a user name readonly that we use in our applications to get uid's. THis has worked in the past with our old LDAP solution. We have moved to 2.4.31 on Ubuntu 12.04 with a n-way Multi master setup. The slap cat for this database looks like this. dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=oreillyauto,dc=com olcAccess: {0}to attrs=userPassword by anonymous auth by * none olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueName s/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" wri te by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreil lyauto,dc=com" write by * none break olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember=" cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by s elf write olcAccess: {3}to attrs=uid by anonymous read by users read olcAccess: {4}to attrs=ou,employeeNumber by users read olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="o u=Users,dc=oreillyauto,dc=com" none by users read olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillya uto,dc=com" read by * none olcAccess: {8}to * by self read by users read olcAddContentAcl: FALSE olcLastMod: TRUE olcLimits: {0}dn.exact="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" time.sof t=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcLimits: {1}dn.exact="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" time.so ft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcLimits: {2}dn.exact="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" time .soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: uid=admin,dc=oreillyauto,dc=com olcRootPW:: c2VjcmV0 olcSyncUseSubentry: FALSE olcDbCacheSize: 50000 olcDbCheckpoint: 512 30 olcDbNoSync: FALSE olcDbDirtyRead: FALSE olcDbIDLcacheSize: 150000 olcDbIndex: objectClass eq olcDbIndex: cn eq olcDbIndex: uid eq olcDbIndex: oreillyGroup eq olcDbIndex: locationEntry eq olcDbIndex: counterNumber eq olcDbIndex: businessCategory eq olcDbIndex: locationNumber eq olcDbIndex: position eq olcDbIndex: title eq,subany olcDbIndex: givenName eq,subany olcDbIndex: functionListing eq olcDbIndex: manager eq olcDbIndex: sn eq,subany olcDbIndex: nickName eq,subany olcDbIndex: employeeNumber eq olcDbIndex: ou eq olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcDbIndex: supervisor eq olcDbIndex: status eq olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbSearchStack: 16 olcDbShmKey: 0 olcDbCacheFree: 1 olcDbDNcacheSize: 0 structuralObjectClass: olcHdbConfig entryUUID: 91ce693e-9e13-1032-84c2-0151b658a842 createTimestamp: 20130820183919Z creatorsName: cn=config olcMirrorMode: TRUE olcSyncrepl: {0}rid=004 provider=ldap://tntest-ldap-3.oreillyauto.com b inddn="uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchbase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" tim eout=1 olcSyncrepl: {1}rid=005 provider=ldap://tntest-ldap-1.oreillyauto.com binddn=" uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchb ase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1 olcSyncrepl: {2}rid=006 provider=ldap://tntest-ldap-2.oreillyauto.com binddn=" uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchb ase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1 entryCSN: 20130821193620.549061Z#000000#002#000000 modifiersName: uid=admin,dc=oreillyauto,dc=com modifyTimestamp: 20130821193620Z And the ldap logs show this: Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128 Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" mech=SIMPLE ssf=0 Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 RESULT tag=97 err=0 text= Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=1 SRCH base="uid=espeake,ou=Users,dc=oreillyauto,dc=com" scope=0 deref=3 filter="(objectClass=*)" Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=2 UNBIND Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 fd=40 closed We had one issue with this server not running a rebuild last night due to a certificate error of the cacert not being found and we are addressing the through the following article: http://www.mikepilat.com/blog/2011/05/adding-a-certificate-authority-to-the… Searching as the ldapadmin user I find the user. So I am thinking that I need to adjust the ACL here but I'm not seeing what is wrong. Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

2 2

Openldap proxy to Active Directory howto?
by Mike W 28 Aug '13

28 Aug '13

I am attempting to configure an openldap to proxy with AD that needs to "rebind"? as a user I believe. I've been scanning yahoo/google trying to find some documentation of someone detailing that sort of procedure using the olc configs but no luck. Anyone know of such a thing that gives a bit more specific detail to this topic? -- Mike Wilson

1 0

Configure Mirror Mode Replication
by Clint Petty 28 Aug '13

28 Aug '13

Ok, now that I have updated to openLDAP 2.4.36, back to my original question below. Thanks, Clint ------------------------------------------------------------ I am wanting to implement Mirror Mode Replication. I am using OpenLDAP 2.4.23 on CentOS 6.4, which uses cn=config format, that does not have a slapd.conf file. The instructions say to add the following to the slapd.conf file: database bdb suffix dc=Example,dc=com rootdn dc=Example,dc=com directory /var/ldap/db index objectclass,entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 MirrorMode node 1: # Global section serverID 1 # database section # syncrepl directive syncrepl rid=001 provider=ldap://ldap-sid2.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on MirrorMode node 2: # Global section serverID 2 # database section # syncrepl directive syncrepl rid=001 provider=ldap://ldap-sid1.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on Since there is no slapd.conf file, how do I configure replication in a cn=config format? Do I need to run a slapadd or ldapadd command? Syntax? What files do I need to create, and where? Thanks in advance.

2 1

Problems recovering my ldap db
by ghooton＠scins.ie 28 Aug '13

28 Aug '13

Hi all, I am recovering form a disaster. when I do slapcat I can see all the info stored in the ldap db However, when I do ldapsearch I cannot see anything. When I do slapcat -l backup.ldif I get : unclean shutdown detected; attempting recovery recovery skipped in read-only mode. Run manual recovery if errors are encountered I am using Debian 6 2.6.32-5-amd64 and :- ldapsearch -VV ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.23 (Dec 16 2012 11:48:21) $ root@carillon:/tmp/buildd/openldap-2.4.23/debian/build/clients/tools (LDAP library: OpenLDAP 20423) //Ger

2 1

Configure Mirror Mode Replication
by Clint Petty 27 Aug '13

27 Aug '13

I am wanting to implement Mirror Mode Replication. I am using OpenLDAP 2.4.23 on CentOS 6.4, which uses cn=config format, that does not have a slapd.conf file. The instructions say to add the following to the slapd.conf file: database bdb suffix dc=Example,dc=com rootdn dc=Example,dc=com directory /var/ldap/db index objectclass,entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 MirrorMode node 1: # Global section serverID 1 # database section # syncrepl directive syncrepl rid=001 provider=ldap://ldap-sid2.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on MirrorMode node 2: # Global section serverID 2 # database section # syncrepl directive syncrepl rid=001 provider=ldap://ldap-sid1.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on Since there is no slapd.conf file, how do I configure replication in a cn=config format? Do I need to run a slapadd or ldapadd command? Syntax? What files do I need to create, and where? Thanks in advance.

2 1

Slapd - Back-ldap Chain overlay: Proxied Authorization Denied
by Raul Hernandez 27 Aug '13

27 Aug '13

Hello! I've implemented a simple openldap master and consumer architecture. To achieved this, I had to implement back-ldap chain overlay (in order to have a read only "slave"), and syncprov overlay, to synchronize data from master to the slave. This implementation works fine. I have data from the master, replicated into the slave. When I try to modify an object from the consumer using the administrative account "cn=admin,dc=company,dc=com", references the modify command to the master. The master performs the operation and returns the consumer the operation result. When I try to perform any modify operation with another authorized account, I get the following error *LDAP said*:Proxied Authorization Denied*Error number*:0x7b ()*Description*: The account has permission to write the whole tree in both, the master and the slave. Here is my config on both servers: #------- # Master #------- dn: cn=module,cn=config changetype: add objectClass: olcModuleList cn: module olcModulePath: /usr/lib/ldap olcModuleLoad: syncprov dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=comdc=company,dc=com" write by anonymous read by * none olcAccess: {1}to attrs=shadowWarning,shadowMax,shadowMin by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by anonymous read by * none olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by * read #------- # Consumer #------- dn: cn=module,cn=config changetype: add objectClass: olcModuleList cn: module olcModulePath: /usr/lib/ldap olcModuleLoad: syncprov olcModuleLoad: back_ldap dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://192.168.123.139binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" bindmethod=simple credentials=0p3n1d4pPr0d% searchbase="dc=bandes,dc=gob,dc=ve" type=refreshAndPersist scope=sub retry="5 10 10 +" timeout=1 sizelimit=unlimited schemachecking=on - add: olcUpdateRef olcUpdateRef: ldap://192.168.123.139 dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: chain olcChainReturnError: TRUE olcChainMaxReferralDepth: 1 dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config changetype: add objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: ldap olcDbURI: ldap://192.168.123.139 olcDbRebindAsUser: TRUE olcDbChaseReferrals: TRUE olcDbProxyWhoAmI: TRUE olcDbNoRefs: FALSE olcDBIDAssertAuthzFrom: * olcDBACLBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d% olcDbIDAssertBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d% mode="self" flags="prescriptive,proxy-authz-non-critical" Hope someone can help me out! Thanks in advanced

1 0

Replication setup
by Vishesh kumar 27 Aug '13

27 Aug '13

Hi Members, I am good in openldap basics but new in Replication. I am trying to setup replication on CentOS 6 systems. OpenLDAP version is 2.4.23-32.el6_4.1.x86_64. I loaded syncprov module using following ldif file on both the provider and consumer +++++++++ dn: cn=module,cn=config ObjectClass: olcModuleList cn: Module olcModulepath: /usr/lib64/openldap/ olcModuleLoad: syncprov.la +++++++++ I also configured replica database on consumer as following +++++++++ olcsyncrepl: rid=101 provider=ldap://192.168.10.1:389 type=refreshOnly interval= 00:05:00:00 searchbase="dc=l,dc=local" scope=sub bindmethod=simple binddn="cn=Man ager,dc=l,dc=local" credentials=xxxx +++++++++++++++++++++++++++++ Above configuration is not replicating database. Am I missing something? -- Vishesh Kumar

2 1

sambaSamAccount Problem
by felas 27 Aug '13

27 Aug '13

Hi, i have a ldif file with a objectClass: sambaSamAccount objectClass: posixAccount so i add follow this guide: https://help.ubuntu.com/12.04/serverguide/samba-ldap.html the samba.schema and samba.ldif. I restart slapd, but still not found, because if i try to change this: objectClass: inetOrgPerson objectClass: posixAccount it's work.. but with sambaSamAccount not..

1 0

Openldap configuration import LDIF
by felas 27 Aug '13

27 Aug '13

hi, i have install OpenLdap in a UbuntuServer, in virtual with VirtualBox. Now i want to import in Eclipse via Ldap Browser one file LDIF. I have a FQDN like this, ldap.***.***.com, and i add this in /etc/hosts this FQDN with a ip address 192.168.1.156, the ip is my Server. Now the problem, when i try to import Ldif, i have the problem with auth, i know i must change something in a slapd config but what?

5 21

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical