openldap-technical

openldap-technical@openldap.org

21 participants
9802 discussions

Unable to login on client nodes.
by Jayavant Patil 28 Nov '11

28 Nov '11

Hi, I am using openLDAP-2.4.19-4 on fedora 12 machine. I have done all server and client configurations. The directory containing user information is getting available on client nodes(checked by $getent passwd) but I am unable to do $ssh <user-name>@client-node-name it shows Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). My client node .ssh/config file contents are as follows: ForwardX11 yes StrictHostKeyChecking no FallBackToRsh no BatchMode yes ConnectionAttempts 5 UsePrivilegedPort no Compression no Cipher blowfish UserKnownHostsFile /dev/null CheckHostIP no Even I am unable to login on the client node from console(i.e. from client node login window itself), it shows authentication failure message. On client node with $getent passwd, it shows ldap_6:x:514:514:ldap_6:/home/ldap_6:/bin/bash but $cat /etc/shadow doesn't show any password information for user ldap_6. So, how do I know that userPassword attribute information is getting propagated to client nodes? -- Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.

1 0

OpenLDAP 2.4.27 RPMs available on LTB-project
by Clément OUDOT 27 Nov '11

27 Nov '11

Hello, I built today RPMs for OpenLDAP 2.4.27, for those who are interested, they are available here: http://ltb-project.org/wiki/download#openldap You can find the description of the RPMs here: http://ltb-project.org/wiki/documentation/openldap-rpm They include an init script described here: http://ltb-project.org/wiki/documentation/openldap-initscript Hope it helps, Clément.

3 3

OpenLDAP Statistics
by Felip Moll 25 Nov '11

25 Nov '11

Hello all, I am new to this list and I would like to ask you a question regarding OpenLDAP. The fact is that I have an OpenLDAP server that receive a lot of operations every day. I have different kind of services that make use of LDAP and bind to this server. In a particular case, there are an ou=Users that contain approx. 200 users with their attributes. I am using also a private LDAP schema developed by me in which I have some extra attributes. Recently we have managed an audit promoted by our government in which a lot of security items had been checked and corrected if had found some issue. One of this security checks was about the management of user passowrds and an other regarding to user accounts. The first one could be satisfied by implementing the ppolicy overlay in LDAP. But in the second one, the audit people imposed us to have a control of which accounts were not being used in the last year, and to delete/backup/etc them if it were the case. The fact is that I searched for ways of gathering statistics of account usage. The alternatives that I found were: First, save the statistics in 2 attributes in each user: lastBind, failedBinds. 1. For each service, whenever a bind from a user has done to LDAP, send a ldapmodify operation for this user and if the bind was successful, write in user.lastBind the timestamp. If it was not, increment failedBinds++. It implies the modification of each service, taking in account that all has to be documented, that in many services the implementation is not trivial, and also taking care of the upgrades of the services. In conclusion, a lot of work and constant modifications and checks. 2. Act on the LDAP server and activate the "overlay accesslog" funcionality. In this case, monitor every bind operation, then create a daemon that reads every X time the LDAP accesslog tree and process it. For each entry processed: - Delete it from the ldap accesslog tree. - Check if the reqResult was 49 (invalid creds.) or 0 (success). - If it was 49, ldapsearch the reqDN who made the bind request, and read his failedBins attribute. Increment it in one, and send a ldapmodify to the user and with the new value of failedBinds. - If it was 0, ldapmodify the reqDN setting the lastBind as reqEnd. I programmed it in C++ and ldapc++ library, and it works. But the fact is that I am not convinced of this solution. It saved us from the audit but for the future there are some problems to take into account: - Deleting the ldap entry every time it's read is bad, because then we cannot use the overlay for delta syncrepl. - Every 10 minutes, ldap deletes the oldest entries, making that in some cases my dameon can fail (treated with an exception, but not cool). - 3000 binds / 10 minutes in normal hours. Up to 40.000 binds in one Monday morning. My question is obvious. Is there any way other than the daemon, the first option, or suicide, to accomplish the requeriments of the audit? How does a big company to register the last bind of every user account, if this account can use many different and heterogenous services? (VPN, FTP, WEBs, propietary software, Windows samba, Linux login, etc.) Best regards, sorry for my bad english and for my big post!. Felip Moll

4 6

Enforce remote SSL/TLS
by Kasper Loopstra 24 Nov '11

24 Nov '11

Dear list, We are using PAM to authenticate posixUsers against OpenLDAP. This works great, and allows 'local' (ssh) logins. However, we also use LDAP for a number of other services, including remote access and editing via other software. This means we would like to keep our users passwords as secure as possible, and enforce encrypted logins for all remote hosts. However, PAM should still be able to authenticate. The manner of encryption is not really important, it just has to be strong enough to be useful over the internet, and usable for all (or most) clients. We have tried various solutions with ssf directives in /etc/ldap/slapd.conf as well as the security tls=1 directive. All of these attempts broke PAM. Is what we are trying to do possible with OpenLDAP? If so, could someone maybe point us to an example configuration? Thank you for your time, Kasper Loopstra.

3 3

How to remove global slapd config values
by David Donn 24 Nov '11

24 Nov '11

Hi, I set the config value for "directory" to /var/openldap-data in my slapd.conf. But now I would like to remove my setting and just go with the default for this (/var/lib/ldap AFAIK). But I can't seem to get rid of the old value. I have tried removing /etc/openldap/slapd.d/*, /var/openldap-data and /var/lib/ldap/*. Whenever I run "slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d" it complains that /var/openldap-data doesn't exist. How does it even know about this directory any more? I'm using OpenLDAP 2.4.23 on RHEL 6.1. Cheers, David

2 1

Re: Limiting host access
by Jayavant Patil 23 Nov '11

23 Nov '11

Hi, I want to restrict login access to some selected client nodes (by default, openldap allows user access to all client nodes). I have googled for this, tried many different configurations like host attribute,hostObject class etc. but failed to get the required. On Mon, Nov 21, 2011 at 11:47 AM, Bill MacAllister <whm(a)stanford.edu> wrote: > > > --On Monday, November 21, 2011 11:06:21 AM +0530 Jayavant Patil < > jayavant.patil82(a)gmail.com> wrote: > > Hi, >> >> I am using openldap-2.4.19-4 on fedora 12 machine. My question is as >> follows: >> >> How to restrict a user access to some client nodes? >> >> Please, explain in detail. >> > > It is not clear what you want to do. You need to provide more details > before you will get the answer that you want. > > For example, if you just want to restrict access to the directory from > some nodes, why not use iptables. > > If you are talking about restricting login access to some linux nodes > using PAM, this is probably a better question for a PAM list. Of course, > there will be folks on this list that can answer that question as well, > but not without knowing what you are storing in your directory. > > Bill > > > -- > > Bill MacAllister > Infrastructure Delivery Group, Stanford University > > -- Thanks & Regards, Jayavant Ningoji Patil +91 9923536030.

3 7

Re: OpenLDAP syncrepl woes
by Jeffrey Crawford 23 Nov '11

23 Nov '11

read that already: my original question was the following: Granted the above issues might be explained away in that we don't yet have enough ram on the machines yet, however it does seem to present us with a problem when we notice the discrepancy, how do we during run time re-sync the data from the provider server? I have tried the slapd -c rid=2,csn=20111114000000.000000Z but that doesn't seem to do any good. (I've tried several different values of csn=0 csn=20111114000000.000000Z#000000#000#000000 etc. to no avail) from man slapadd LIMITATIONS Your slapd(8) should not be running when you do this to ensure consis- tency of the database. So how can I have slapd run, respond to what data it has currently yet understand that it will update all it's data with the source provider updating, adding, removing entries as necessary without removing the database first? Thanks Jeffrey On Tue, Nov 22, 2011 at 7:01 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, November 22, 2011 5:50 PM -0800 Jeffrey Crawford > <jeffreyc(a)ucsc.edu> wrote: > > >> Starting slapd with the -c option isn't working or I'm using the wrong >> combination. > > man "slapadd". > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Enable/Disable user account in openLDAP
by Jayavant Patil 23 Nov '11

23 Nov '11

Hi, I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how to enable/disable a user account in openLDAP? I know ppolicy overlay but I don't require this password based locking. Thanks in advance. -- Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.

5 11

Problem with sambaAccount user entry
by Darko Marshauzer 23 Nov '11

23 Nov '11

Hi, I have a problem with my shares on a open-e storage. I cannot get the sambaSid of the system. However, the support of open-e advise me to add a test user entry including the objectclass sambaAccount. As I try this I run into a strage behaviour getting an Invalid syntax error. adding new entry "uid=test,ou=people,dc=xxx,dc=xx" ldapadd: Invalid syntax (21) additional info: objectClass: value #2 invalid per syntax my test user ldif file is dn: uid=test,ou=people,dc=xxx,dc=xx objectClass: posixAccount objectClass: top objectClass: sambaAccount objectClass: inetOrgPerson uid: test cn: test userPassword: {CRYPT}xxxxxxxxx loginShell: /bin/bash sn: test rid: 3000 uidNumber: 900 gidNumber: 1000 homeDirectory: /home/test I am using openldap server 2.3.43-12.el5_7.9.x86_64 What could be the reason? Normally shouldn´t be a problem, or not? Thanks Darko -- Dipl.-Inf. Darko Maršhauzer Hochschule Reutlingen Robert Bosch Zentrum für Leistungselektronik Alteburgstraße 150 72762 Reutlingen Phone: +49 (7121) 271-7080 Email: Darko.Marshauzer(a)Reutlingen-University.de www.reutlingen-university.de www.rbzentrum.de

1 0

Re: OpenLDAP syncrepl woes
by Jeffrey Crawford 22 Nov '11

22 Nov '11

On Thu, Nov 17, 2011 at 11:47 PM, Howard Chu <hyc(a)symas.com> wrote: > Jeffrey Crawford wrote: >> >> On Thu, Nov 17, 2011 at 9:21 PM, Howard Chu<hyc(a)symas.com> wrote: >>> >>> Jeffrey Crawford wrote: >>>> >>>> On Thu, Nov 17, 2011 at 5:50 PM, Howard Chu<hyc(a)symas.com> wrote: >>>>> >>>>> There ought to be other error messages in your log, immediately >>>>> preceding >>> >>>>> the one you quoted. Post those too. >>> >>>> There really isn't much there but here is an example really not much >>>> around it: (I've modified the usernames only) >>>> >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10706 DEL >>>> dn="uid=user1,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10706 RESULT >>>> tag=107 err=0 text= >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10707 DEL >>>> dn="uid=user2,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10707 RESULT >>>> tag=107 err=0 text= >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10708 DEL >>>> dn="uid=user3,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10708 RESULT >>>> tag=107 err=0 text= >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10709 DEL >>>> dn="uid=user4,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: bdb(dc=ucsc,dc=edu): previous >>>> transaction deadlock return not resolved >>>> Nov 17 21:11:55 localhost slapd[1912]: => bdb_idl_delete_key: cursor >>>> failed: Invalid argument (22) >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10709 RESULT >>>> tag=107 err=80 text=entry index delete failed >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10710 DEL >>>> dn="uid=user5,ou=people,dc=ucsc,dc=edu" >>>> Nov 17 21:11:55 localhost slapd[1912]: conn=1478 op=10710 RESULT >>>> tag=107 err=0 text= >>> >>> Strange. The log shows an error occurring while deleting an index. The >>> error >>> message indicates that there was already a deadlock before, but there's >>> no >>> message from the original deadlock, and the indexing code logs *every* >>> error >>> that occurs. Seems more likely a BDB bug. >>> >>> Also your client is broken, it looks like it completely ignored the >>> failure >>> result from the ldapdelete operation, it just went right on to issue >>> another >>> request. > >> ldapdelete was using the -c option so it just continued I've actually >> was able to replicate the error on a small local installation using >> the default openldap install. When I changed it to BDB 4.8 I've yet to >> see the error. So I'm going to run this a few more times and see if it >> does indeed fix things. >> >> Fingers crossed > > Sounds promising. Looking forward to your conclusion. > > Of course, with back-mdb, none of this type of nonsense can ever happen... > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > Things look pretty good since going to bdb 4.8. However for future reference, what is the best way to force a replica to simply discard what it has and reload from the provider ldaps. So far all I can do is remove the database and restart. However this means any record it has yet to see is not available until the replica get to that record. I would rather re-sync in such a way that it looks at each records and re-updates or deletes if it cant find the original record on the provider server. Starting slapd with the -c option isn't working or I'm using the wrong combination. Thanks Jeffrey

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical