openldap-technical

openldap-technical@openldap.org

3 participants
9937 discussions

when use overlay translucent error
by daydayeat 03 Jun '11

03 Jun '11

openldap-2.4.23 man slapo-translucent says: If neither translucent_local nor translucent_remote are specified, the default behavior is to search the remote database with the complete search filter. If only translucent_local is specified, searches will only be run on the local database. Likewise, if only translu- cent_remote is specified, searches will only be run on the remote database. In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client. but when i test： local proxy conf: ####################################################### # Primary database definitions ####################################################### ###################################################### #databse bdb ##################################################### database bdb suffix "dc=test,dc=com" rootdn "cn=Manager,dc=test,dc=com" rootpw "123456" directory /usr/local/ldap/var/openldap-data index objectClass eq ###################################################### #overlays ###################################################### overlay translucent #translucent_remote street #translucent_local street uri ldap://remote:388 lastmod off idassert-bind bindmethod=simple binddn="cn=Manager,dc=test,dc=com" ###################################################### remote conf: ####################################################### # Primary database definitions ####################################################### database bdb suffix "dc=test,dc=com" rootdn "cn=Manager,dc=ec,dc=com" rootpw "123456" directory "/usr/local/ldap1/var/openldap-data" index objectClass eq ####################################################### remote database have a entry: # 111, GF3, ec.com dn: o=111,o=GF3,dc=test,dc=com objectClass: organization o: 111 street: remote and in the local database change the street value: # 111, GF3, ec.com dn: o=111,o=GF3,dc=test,dc=com objectClass: organization o: 111 street: local then change the value "translucent_remote and translucent_local" in the local proxy conf。Do search in local: 1 set "translucent_local street" "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" the result is: # extended LDIF # # LDAPv3 # base <dc=test,dc=com> with scope subtree # filter: street=local # requesting: ALL # # 111, GF3, ec.com dn: o=111,o=GF3,dc=ec,dc=com objectClass: organization o: 111 street: local It is right. 2 set "translucent_remote street" "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" have no result. "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote" have no result why? 3 do not set any "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" have no result. "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote" have no result why?

2 1

Authenticate with smartcard or other certificate
by Thomas Gäbler 03 Jun '11

03 Jun '11

Hi @ all, is it possible, to authenticate with any kind of certificate (smartcard, softwaretoken, ...)? Now, I have the following solution: I have an additional attribute for the serialNumber of the certificate stored in the ldap-entry. If a user will auth with certificate, i search for all entries, where the serial-attribute match. for the matching entries i read the certificate from ldap and check the public key. but for an other implementation i need a possibility to auth directly with certificate. Any idea? Thanks for help! procilon IT-Solutions GmbH Leipziger Stra�e 110 04425 Taucha bei Leipzig tel: +49 34298 4878-10 fax: +49 34298 4878-11 www.procilon.de Sitz der Gesellschaft: Leipziger Stra�e 110, 04425 Taucha bei Leipzig Amtsgericht Leipzig HRB 18003 , Gesch�ftsf�hrer Steffen Scholz Diese E-Mail kann Betriebs- oder Gesch�ftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. Sollten Sie diese E-Mail irrt�mlich erhalten haben, ist Ihnen eine Kenntnisnahme des Inhalts, eine Vervielf�ltigung oder Weitergabe der E-Mail ausdr�cklich untersagt. Bitte benachrichtigen Sie uns und vernichten Sie die empfangene E-Mail. Vielen Dank. This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.

2 1

OpenLDAP search filters
by Anita Luca 03 Jun '11

03 Jun '11

Hello all, I need to replace the standard AD filters with OpenLDAP filters. Basically, I assume that what changes is the value of the property (e.g. objectType=user might become objectType=person or any other value, not sure what OpenLDAP works with). Below the queries on AD: User search filter: (objectClass=user) User attribute: sAMAccountName User browse filter: (|(objectClass=user)(objectClass=organizationalUnit)) Group search filter: (objectClass=group) Group attribute: member Group browse filter: (|(objectClass=group)(objectClass=organizationalUnit)) User member of attribute: memberOf OU search filter: (objectClass=organizationalUnit) Hope you can help with a suggestion, or at least a list of properties and values for objects, where I could search. Thanks, Anita Luca

3 3

ldapsearch and sambaAcctFlags
by Dennis Leeuw 03 Jun '11

03 Jun '11

Hi all, I am using SAMBA with OpenLDAP. And I wanted to find the computer trust accounts within the LDAP tree. These are identified by having the S type set in the sambaAcctFlags field. In LDIF format this looks like this: sambaAcctFlags: [S ] The initial search was: ldapsearch -x -LLL '(&(objectClass=device)(sambaAcctFlags=*S*))' dn This revealed nothing. Which I knew for sure is incorrect. To test I used: ldapsearch -x -LLL '(&(objectClass=device)(sambaAcctFlags=[S ]))' dn which returned the DNs of the trust accounts. Searching for: ldapsearch -x -LLL '(&(objectClass=device)(sambaSID=*1-5-21*))' dn also returned all DNs, so it is not a generic search filter problem. It seems to be related to [] and spaces. On the sambaAcctFlags search it doesn't matter if I replace [ and/or ] for * or the spaces for *, nothing is returned. The only working search is searching for the entire string. Am I doing something wrong? Or is this a bug in the search filter system? With kind regards, Dennis Leeuw

3 2

Strange hang scenario, resumes after idletimeout, but plenty of FDs available
by Kartik Subbarao 03 Jun '11

03 Jun '11

I'm running into the following scenario. Shortly after slapd gets bombarded by a burst of operations (from several different clients) on existing connections (well under the max number of connections, about 3000 out of 16384), it suddenly hangs. It's not responsive to any new connections, and doesn't process operations on existing connections. Load average is near zero during this time, so it's not doing anything. After 20 minutes (idletimeout), slapd frees several connections (maybe say 1000), and resumes working again as if nothing happened. The load pattern that gets it into this state happens every hour, almost on the hour (most likely associated with nslcd and cron jobs, which we're looking to mitigate elsewise). Another strange thing is that slapd will survive one instance's worth of bombardment without hanging, but the *next* hour will go into a hang state. Are there any resources other than file descriptors that are freed up during the idletimeout processing? Are there any other parameters that can be tuned besides idletimeout here? Could it possibly be a case of deadlock somewhere, something grabbing all the locks? Would things like set_lk_max_locks be relevant to investigate here? Any log level settings that might reveal more of what's happening here? Thanks for any suggestions on things to look at and try. -Kartik

4 12

ACL Problem?
by Nanoic Dalflanlun 03 Jun '11

03 Jun '11

I'm still seeking assistance. Something I noticed is that slapd appears to be ignoring the logging detail parameter regardless of whether I run it on Windows or CentOS. I tried setting the detail level to "any" and never had anything logged. Thanks, Nanoic ---------- Forwarded message ---------- From: Nanoic Dalflanlun <nanoic(a)gmail.com> Date: Tue, May 17, 2011 at 7:40 PM Subject: Restricted Active Directory Proxy for SaaS Vendors To: openldap-technical(a)openldap.org I am trying to setup an OpenLDAP server in my DMZ to proxy requests from Software as a Service vendors to my internal Active Directory domain. Specifically, I want to disallow anonymous access; make access read only; and restrict access to return only displayName, distinguishedName, mail, proxyAddresses, member, memberOf, mailNickname, and homeMDB. I also need to provide authentication capability for single sign on at the vendor. I don't think I have a proper understanding of OpenLDAP's ACLs, yet, so I am probably missing some things. I may even be approaching this completely wrong. I suspect I need to add "auth" access somewhere. Currently, I receive "result: 50 Insufficient access" when I try to query the OpenLDAP server. I don't have an authentication trace yet from the SaaS vendor, but it if it work like Cisco Ironport, it will try to bind to the LDAP server using the user's supplied credentials and look for a success, then switch back to using the LDAP query account. Thanks for any assistance, Nanoic -------------------------Begin slapd.conf------------------------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/saas.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args logfile /var/log/openldap.log loglevel none #Disallow anonymous binds disallow bind_anon #### Define access to Active Directory database ldap # Set proxy to read-only readonly on suffix "dc=example,dc=com" rootdn "dc=example,dc=com" rebind-as-user #List domain controllers to access. ldap for non-SSL/debug & ldaps for SSL/production uri "ldap://DomainController1" uri "ldap://DomainController2" lastmod off # set chase-referrals to no to keep from querying all DCs chase-referrals no ### access lists # Allow defined access to Active Directory, deny all others. access to dn.subtree="dc=example,dc=com" attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read by * none # Deny access to all undefined resources by all undefined users access to * by * none -------------------------End slapd.conf------------------------- -------------------------Begin saas.schema------------------------- attributetype ( 1.2.840.113556.1.2.210 NAME 'proxyAddresses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) attributetype ( 1.2.840.113556.1.2.244 NAME 'homeMDB' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' ) attributetype ( 1.2.840.113556.1.2.447 NAME 'mailNickname' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -------------------------End saas.schema-------------------------

2 1

Re: Compiling OpenLDAP against static OpenSSL libraries
by The Uhu 02 Jun '11

02 Jun '11

Is there an IF statement missing in configure? Line 19408 specifies that RSAglue and rsaref libraries should be used without verifying whether they are needed. LIBS="-lssl -lcrypto -lRSAglue -lrsaref $LIBS" Changing this to check for rsaref would stop configure failing when using the newer versions of OpenSSL that no longer support rsaref. P. The Uhu <the_uhu(a)hotmail.com> wrote: Apologies, I didn't add the configure command and output. The static libraries are present in the included directory specified in the configure command. >CC="/usr/sfw/bin/gcc" LIBS="-lssl -lcrypto -lresolv -lgen -lnsl -lsocket" LDFLAGS="-L/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib -R/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib" CPPFLAGS="-I/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/include" >./configure --prefix=/workingdir/openldap-2.4.23/build-SOLARIS/usr/local/openldap-2.4.23 --disable-slapd --disable-shared --disable-dynamic --with-tls=openssl --with-ssl >Configuring OpenLDAP 2.4.23-Release ... >checking build system type... sparc-sun-solaris2.10 >checking host system type... sparc-sun-solaris2.10 >checking target system type... sparc-sun-solaris2.10 >... >(other checks) >... >checking struct sockaddr_storage... yes >checking sys/un.h usability... yes >checking sys/un.h presence... yes >checking for sys/un.h... yes >checking openssl/ssl.h usability... yes >checking openssl/ssl.h presence... yes >checking for openssl/ssl.h... yes >checking for SSL_library_init in -lssl... no >checking for ssl3_accept in -lssl... no >configure: error: Could not locate TLS/SSL package The Uhu <the_uhu(a)hotmail.com> wrote: Hi, First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts). Is it really not possible to do this? If not, and out of interest, what's the rationale? Thanks in advance. P.

1 0

Re: Compiling OpenLDAP against static OpenSSL libraries
by The Uhu 02 Jun '11

02 Jun '11

Apologies, I didn't add the configure command and output. The static libraries are present in the included directory specified in the configure command. >CC="/usr/sfw/bin/gcc" LIBS="-lssl -lcrypto -lresolv -lgen -lnsl -lsocket" LDFLAGS="-L/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib -R/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib" CPPFLAGS="-I/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/include" >./configure --prefix=/workingdir/openldap-2.4.23/build-SOLARIS/usr/local/openldap-2.4.23 --disable-slapd --disable-shared --disable-dynamic --with-tls=openssl --with-ssl >Configuring OpenLDAP 2.4.23-Release ... >checking build system type... sparc-sun-solaris2.10 >checking host system type... sparc-sun-solaris2.10 >checking target system type... sparc-sun-solaris2.10 >... >(other checks) >... >checking struct sockaddr_storage... yes >checking sys/un.h usability... yes >checking sys/un.h presence... yes >checking for sys/un.h... yes >checking openssl/ssl.h usability... yes >checking openssl/ssl.h presence... yes >checking for openssl/ssl.h... yes >checking for SSL_library_init in -lssl... no >checking for ssl3_accept in -lssl... no >configure: error: Could not locate TLS/SSL package The Uhu <the_uhu(a)hotmail.com> wrote: Hi, First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts). Is it really not possible to do this? If not, and out of interest, what's the rationale? Thanks in advance. P.

1 0

Compiling OpenLDAP against static OpenSSL libraries
by The Uhu 02 Jun '11

02 Jun '11

Hi, First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts). Is it really not possible to do this? If not, and out of interest, what's the rationale? Thanks in advance. P.

1 0

Re: Combining dynlist + memberOf overlay?
by Gerry Calderhead 02 Jun '11

02 Jun '11

Failed to send yesterday, re-trying. On 1 June 2011 10:37, Gerry Calderhead <gerry(a)everythingsucks.co.uk> wrote: > Greetings, > > What we're trying to achieve is: > > Multiple organisations (Company, ThirdParty). > Groups, under each organisation, where their members can be added to gain > access to tools (such as JIRA). > dynlist aggregates membership of organisations groups into a "super" > group of all users with access to tools. > > e.g. all_jira_users = Company.jira_users + ThirdParty.jira_users > > We use a dynlist to acheive this. > > However we are unable to perform a search for memberOf=<dynlist>. > > Should this work or are we flogging a dead horse? > Can it be achieved by another standard-ish mechanism? > > Wisdom gratefully received. > > G > > > > > > > >

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical