openldap-technical

openldap-technical@openldap.org

4 participants
9973 discussions

Controlled LDAP Proxy/Relay
by W.Siebert＠t-systems.com 25 Jun '12

25 Jun '12

Hello, thanks for your answer. But I don't have any local users. All users are in two targets: domain01.com and domain99.net (AD). Where I should place userPassword attribute? My problem: We have a VoIP realized by Cisco Unified Call Manager (CUCM). There are several thousand users in the customers directory (domain01.com) using CUCM for Voice and ca 100 adminusers in the supplier directory (domain99.net). No trusting, different companies. Because CUCM can use only one directory to authenticate users I've implemented a OpenLDAP Metadirectory that proxying this 2 Microsft AD targets. But meta backend tries to authenticate by the first target, if the user was not found, by the second. Result: Intrusion detection register a lot of unsuccessfully login attempts. Therefore my question: Is it possible to implement the controlled proxy with OpenLDAP ? E.g., like Radiusproxy based on realm: when username is _xxx(a)domain01.com_<mailto:_xxx@domain01.com_> go to the target1, and when username is _xxx(a)domain99.net_<mailto:_xxx@domain99.net_> go to the target2. Can you help me please Kind regards Waldemar ################################################################ On 08/02/2012 09:58, W.Siebert(a)t-systems.com<mailto:W.Siebert@t-systems.com> wrote: > Is it possible to implement the controlled proxy with OpenLDAP ? > E.g., like Radiusproxy based on realm: when username is > _xxx(a)domain01.com_<mailto:_xxx@domain01.com_> <mailto:xxx@domain01.com> go to the target1, and > when username is _xxx(a)domain99.net_<mailto:xxx@domain99.net<mailto:_xxx@domain99.net_<mailto:xxx@domain99.net>> go to the target2. Yes, a combination of meta database config in slapd.conf and appropriate SASL config. In your schema, use the following in userPassword: userPassword: {SASL}xxx@DOMAIN where DOMAIN is whichever domain the user needs to be authenticated against. In slapd.conf: database meta suffix dc=local rootdn cn=administrator,dc=local rootpw secret # domain01 uri ldaps://domain01.com:3269/ou=domain01.com,dc=local lastmod off suffixmassage "ou=domain01.com=local" "dc=domain01,dc=com" idassert-bind bindmethod=simple binddn="cn=binder,dc=domain01,dc=com" credentials="password" flags=non-prescriptive idassert-authzFrom "dn.exact:cn=administrator,dc=local" # domain02 uri ldaps://domain02.com:3269/ou=domain02.com,dc=local lastmod off suffixmassage "ou=domain02.com=local" "dc=domain02,dc=com" idassert-bind bindmethod=simple binddn="cn=binder,dc=domain02,dc=com" credentials="password" flags=non-prescriptive idassert-authzFrom "dn.exact:cn=administrator,dc=local" In saslauthd.conf you need to create the appropriate search base for authentication based on the domain in the userPassword field: ldap_servers: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta ldap_search_base: ou=%d,dc=local ldap_filter: (sAMAccountName=%U) ldap_auth_method: bind ldap_bind_dn: cn=administrator,dc=local ldap_password: secret ldap_deref: never ldap_use_sasl: no Hopefully this is enough info to get you going. -- Liam Gretton liam.gretton(a)le.ac.uk<mailto:liam.gretton@le.ac.uk> HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

2 3

Ldap filter to get group members
by dhanushka ranasinghe 25 Jun '12

25 Jun '12

Hi... guys i have a LDAP server and its has a group called . cn=internal ou=group,dc=example,dc=com --users of this group is : uid=user1,ou=user,dc=example,dc=com uid=user2,ou=user,dc=example,dc=com i need to only to authenticate the users under cn=internal .... LDAP search for the cn=internal group as follows , dn: cn=internal,ou=group,dc=example,dc=com objectClass: groupOfNames objectClass: top cn: internal member: uid=user1,ou=user,dc=example,dc=com member: uid=user2,ou=user,dc=example,dc=com member: uid=user3,ou=user,dc=example,dc=com member: uid=user4,ou=user,dc=example,dc=com by the way All the users are stored at base OU=user,DC=example,DC=com This is what we are using (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com)) seems like its not working .. what the LDAP search filter i need to use to get only the members of the cn=internal group authenticated... Thanks

3 4

Reject requests on non-secure connections
by Terry Gardner 23 Jun '12

23 Jun '12

Is it possible to configure the server to reject requests on non-secure connections with the exception of the StartTLS extended request? In other words, when an LDAP client connects on the clear-text port, can the server be configured to reject all requests on that exception except for the StartTLS extended request in order to prevent clients from transmitting data in the clear?

2 1

Full Backup/Restore slapd
by galemberti greg 22 Jun '12

22 Jun '12

Hi, I want to implement a full backup procedure of my LDAP (schema, ACL, Data ...). * To save my schema i used the command: "slapcat -H ldap:///cn={4}my,cn=schema,cn=config -l schema.ldif" * To save my config, i used the command: "slapcat -H ldap:///olcDatabase={1}hdb,cn=config = config -l config.ldif * To save my accounts, i used the command: "slapcat -H ldap:///dc=my,dc=my -l accounts.ldif Now, when I want to test the restore on another server : * To restore my schema i used the command: "sudo -u openldap slapadd -v -b cn=config -l schema.ldiff " > OK * To restore my accounts i used the command: "sudo -u openldap slapadd -v -c -b cn=config -l accounts.ldiff " > OK * To restore my config i used the command: "sudo -u openldap slapadd -v -c -b olcDatabase={1}hdb,cn=config -l config.ldiff > KO. Indeed the slapadd command does not update the record so I get an error because they already exist. Also, how do I restore my configuration? Tks for your help PS : i use a debian squeeze server.

3 3

Subtree replication: when removing object outside of subtree, contextCSN is not updating!
by Konstantin Menshikov 21 Jun '12

21 Jun '12

Hi. I have replication setup, when i replicate not entire tree, but only part of it. Configuration provider and consumer attached. I use openldap-server-2.4.31 and db47-4.7.25.4 While adding object outside of the replicated subtree: e.g. ou=TestBranch1,dc=example,dc=com contextCSN of dn dc=example,dc=com on consumer server updated, ok. But while removing object, contextCSN not updated! Is it expected behavior or not? At first I added object *ou=hosts,ou=TestBranch2,dc=example,dc=com*.1 After I removed object. Provider log: Jun 22 06:37:53 ro1 slapd[62268]: conn=1002 op=52 SRCH base="ou=hosts,ou=TestBranch2,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)" Jun 22 06:37:53 ro1 slapd[62268]: conn=1002 op=52 SRCH attr=hasSubordinates objectClass Jun 22 06:37:53 ro1 slapd[62268]: conn=1002 op=52 SEARCH RESULT tag=101 err=32 nentries=0 text= Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=53 ADD dn="ou=hosts,ou=TestBranch2,dc=example,dc=com" Jun 22 06:37:54 ro1 slapd[62268]: slap_queue_csn: queing 0x7ffffe3fb100 20120622063754.599740Z#000000#000#000000 Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=53 RESULT tag=105 err=0 text= Jun 22 06:37:54 ro1 slapd[62268]: slap_graduate_commit_csn: removing 0x80191bfd0 20120622063754.599740Z#000000#000#000000 Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=54 SRCH base="ou=hosts,ou=TestBranch2,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)" Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=54 SRCH attr=hasSubordinates objectClass Jun 22 06:37:54 ro1 slapd[62268]: conn=1002 op=54 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 22 06:38:01 ro1 slapd[62268]: conn=1002 op=55 DEL dn="ou=hosts,ou=TestBranch2,dc=example,dc=com" Jun 22 06:38:01 ro1 slapd[62268]: slap_queue_csn: queing 0x7ffffebfc590 20120622063801.799710Z#000000#000#000000 Jun 22 06:38:01 ro1 slapd[62268]: conn=1002 op=55 RESULT tag=107 err=0 text= Jun 22 06:38:01 ro1 slapd[62268]: slap_graduate_commit_csn: removing 0x802738970 20120622063801.799710Z#000000#000#000000 Jun 22 06:38:02 ro1 slapd[62268]: conn=1002 op=56 SRCH base="ou=TestBranch2,dc=example,dc=com" scope=1 deref=3 filter="(objectClass=*)" Jun 22 06:38:02 ro1 slapd[62268]: conn=1002 op=56 SRCH attr=hasSubordinates objectClass Jun 22 06:38:02 ro1 slapd[62268]: conn=1002 op=56 SEARCH RESULT tag=101 err=0 nentries=2 text= Consumer log: Jun 22 06:37:54 ro2 slapd[62298]: do_syncrep2: rid=111 LDAP_RES_INTERMEDIATE - NEW_COOKIE Jun 22 06:37:54 ro2 slapd[62298]: do_syncrep2: rid=111 NEW_COOKIE: rid=111,csn=20120622063754.599740Z#000000#000#000000 Jun 22 06:37:54 ro2 slapd[62298]: slap_queue_csn: queing 0x8019eca90 20120622063754.599740Z#000000#000#000000 Jun 22 06:37:54 ro2 slapd[62298]: slap_graduate_commit_csn: removing 0x8019ec2b0 20120622063754.599740Z#000000#000#000000 -- Konstantin Menshikov

1 0

ACLs being ignored with rwm/relay
by Tim Watts 21 Jun '12

21 Jun '12

Hi, Sorry - can't figure this out - would welcome any ideas :) The slapd.conf below contains an ACL: access to attrs=userPassword,shadowLastChange by peername.path="/var/run/slapd/ldapi" write by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write by anonymous auth by self write by * none which works fine on the "real" DN dc=dighum,dc=kcl,dc=ac,dc=uk - I can add extra attrs like homeDirectory and an unauth'd ldapsearch will not list them - eg: ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=dighum,dc=kcl,dc=ac,dc=uk However, an ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk lists the "virtual copy" tree AND includes the userPassword attr for each entry which of course, is rather bad. Anyone see why the ACLs are not being applied to the results of the relay/rwm section? Many thanks, Tim slapd.conf ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel -1 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_hdb moduleload back_relay moduleload rwm # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 allow bind_anon_cred bind_anon_dn update_anon backend hdb #backend <other> overlay rwm rwm-rewriteEngine on # Virtual maps # # map ou=staff,dc=cch to dc=dighum # database relay suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk" relay "dc=dighum,dc=kcl,dc=ac,dc=uk" overlay rwm rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk" ####################################################################### # Specific Directives for database dighum # database hdb suffix dc=dighum,dc=kcl,dc=ac,dc=uk rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" rootpw "CENSORED" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on checkpoint 512 30 ####################################################################### # ACLs # access to attrs=userPassword,shadowLastChange by peername.path="/var/run/slapd/ldapi" write by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by peername.path="/var/run/slapd/ldapi" write by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write by self write by * read ####################################################################### # Specific Directives for database #2, of type 'other' (can be @BACKEND@ too): #database <other> #suffix "dc=debian,dc=org" -- Tim Watts Personal Blog: http://www.dionic.net/tim/

4 10

authentication problem
by Chris 21 Jun '12

21 Jun '12

Hi I use openldap to do authentication on RHEL 6 machines. The problem I'm having is that 2 users doesn't get authenticated. When I do a getent passwd for these users it is as if they doesn't exist but a "ldapsearch -x" shows them. I would appreciate it if someone can point me int the right direction.

4 6

Replication and acl: moddn operation problem.
by Konstantin Menshikov 20 Jun '12

20 Jun '12

Hi. I have replication setup . Full replication of o=company, but user for replication (uid=replica,ou=users,o=company) is limited by ACL. Master configuration: access to dn.subtree="ou=users,o=company" attrs=userPassword by anonymous auth access to dn.base="o=company" by dn.exact="uid=replica,ou=users,o=company" read access to dn.subtree="ou=dev,o=company" by dn.exact="uid=replica,ou=users,o=company" read ####################################################################### # BDB database definitions ####################################################################### database hdb suffix "o=company" rootdn "cn=ldapadm,o=company" rootpw password directory /var/db/openldap-data/o=company overlay syncprov Slave configuration: ####################################################################### # BDB database definitions ####################################################################### database hdb suffix "o=company" rootdn "cn=ldapadm,o=company" rootpw password directory /var/db/openldap-data/o=company syncrepl rid=001 provider=ldap://ro1.devel.ldap.company.ru:389 type=refreshAndPersist retry="5 10 300 +" searchbase="o=company" scope=sub schemachecking=off starttls=critical bindmethod=simple tls_reqcert=never binddn="uid=replica,ou=users,o=company" credentials="password" Replication works. When i move object in forbidden by ACL subtree, then no information about this modification goes to the replica server e.g. operation on master server: dn: ou=groups2,ou=dev,o=company changetype: moddn newrdn: ou=groups2 deleteoldrdn: 1 newsuperior: ou=corp,o=company This object is not deleted and contextCSN is not updated on the replica. Is it expected behavior or not? -- Konstantin Menshikov

2 7

adding schema to master
by Stefano Zanmarchi 20 Jun '12

20 Jun '12

Hi, our master slapd (openldap 2.4.26 on RHEL 5.6) has just one slave, same version, not easily modifiable since not directly under our control. We need to have some more attributes in the master and don't need them to be replicated to the slave. Can I safely add a new schema in the slapd.conf of the master, without doing anything to the slave? Thanks a lot for your help, Stefano

2 1

Re: PAM authentication and PPolicy issues
by Clément OUDOT 20 Jun '12

20 Jun '12

2012/6/20 Francesco Belli <Francesco.Belli(a)vegaspace.com>: > Hi Clement, > I already used pam_password directive, I set it to cleartext, but this parameter is used for password change and not for authentication. As man pam_ldap says "Specifies the password change protocol to use", so not the authentication method. Now my situation is that I have some users in the LDAP server that they have a SHA hash in the userPassword field, and they are correctly authenticated, others that have a clear text password and cannot be authenticated via PAM. Password scheme used in LDAP directory do not prevent any application to authenticate to LDAP. Dig into logs to see what is the real reason of your problem. Clément.

4 4

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical