openldap-technical

openldap-technical@openldap.org

7 participants
9901 discussions

AD sporadically gives LDAP_SERVER_DOWN after the first request
by Markus Sander 18 Apr '11

18 Apr '11

My employer ships software for Linux and other Unix-like OSes that binds to Active Directory in order to, basically, integrate it to AD. Functionally, it is not too dissimilar to pam_krb5 and nss_ldap. OpenLDAP 2.4.18 is used to bind to Active Directory LDAP servers. Authentication (to a machine trust account) is done using a Kerberos keytab. MIT Kerberos is used. Group membership data are stored in LDAP objects of class Group which have the `member' attribute (multiply) filled with the DN of all members. Those DNs are of type Group or of type User (I'm just chasing users for now), and their `sAMAccountName' value is what I need to give to NSS as the group member's name. My procedure is as follows: First, I bind to one of several configured LDAP servers using SASL2/GSSAPI, i.e. Kerberos 5. Then I inquire all of the result set's `member' attributes and resolve the resulting DNs one by one to build a DN => sAMAccountName map in memory (that's about 10k entries, so, not a problem here). Then, I request the actual group entries and look up the DNs in the `member' attribute in the map. Last, the connection is terminated. The group members' `sAMAccountName' is inquired one by one with the base set to the DN (which I already know), the scope set to flat, and the filter set to (objectClass=*). So that's about 10k single queries in quick succession. The whole group query typically takes about 6 seconds. The problem is: OpenLDAP sometimes gives me LDAP_SERVER_DOWN during the `sAMAccountName' queries. This occurs sporadically but then typically for the rest of the `sAMAccountName' queries. The group entry query that follows does succeed. Most of the time the first of those errors immediately follows a GSSAPI error, nameley, DES key is a weak key, which may be true but appears unrelated, since only AES512, AES256 and HMAC are used in the keytab. The customer's DC admins say that the DCs are not at fault. We asked them to try to increase the server limits (such as max number of active queries per worker thread, which defaults to 4 or something), since about 2k client workstations molest 4 DCs every 30 minutes with the mentioned query (and others). They are very reluctant to do that and we have trouble replicating the problem in-house anyway, so overload need not be the root cause. The DC logs reportedly show nothing unusual. My software has been in use for about three months now, but the rollout was still on-going until lately. Customer acceptance tests did not report the problem. The first incident has been reported about two weeks ago. They set up monitoring and the bell now rings every couple of minutes somewhere. Most queries still get through without problem, though. Other queries, such as those for Netgroups, do not seem to have any problem. They also doubled the number of DCs (to four) four weeks ago, since the two they had were quite busy. The new DCs are similar in hardware but are significantly less under load, which seems odd since all four of those DCs exist just to serve our software and our software can be shown to distribute the queries fairly. Restricting our software to only the old or only the new DCs does not have any effect on the failure rate. I increased the OpenLDAP log level, but nothing enlightening turned up. What could be the cause of the failures during the group member resolution?

2 2

Configuration on Windows xp of OpenLDAP
by Mahesh Birajdar 17 Apr '11

17 Apr '11

Hi all, I am new to the OpenLDAp stuff. I want to configure OpenLDAP On windows platform and create users and administer them. Please anyone can help me.. Any Document stating how to configure and create users n administer them would be very much helpful... Thanks and Regards, MAHESH BIRAJDAR DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.

1 0

return an attribute of all users belonging to a group
by George Mamalakis 17 Apr '11

17 Apr '11

Dear all, I have a question regarding my openldap DIT design. My design so far is based on the model: ou=people,dc=example,dc=com. It is very possible that I'll have to be able to find attributes of people belonging to some specific group (eg, student, postgrad, etc). The easiest way to address this issue for me would be to branch my DIT like this: ou=undergrads,ou=people,dc=example,dc=com and ou=postgrads,ou=people,dc=example,dc=com. On the other hand, I have several classes that I would like to distinguish my users to apart from this (like stuff, student, professors, etc.) but further sub-brunching shows to me that there's something wrong with my design (since those classes may dynamically change in the future). As a second solution I thought that it would be very easy to make my users in ou=people,dc=example,dc=com belong to some group located in ou=groups,dc=example,dc=com. This way I feel much more flexible in making such classifications, but my problem is how to formulate ldapsearch filters so as to return an attribute of some user only if the specific user belongs to one or more of my groups (for example to find all email accounts from my people that belong to the undergrads group). Thank you all for your time in advance, kind regards, George Mamalakis. PS. In the case that this is not the right place to ask questions regarding ldap programming, please address me to some related resource. The truth is that I haven't found such a place by googling, meaning that the places I've found did not seem to be maintained well. -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379

2 2

Re: return an attribute of all users belonging to a group
by George Mamalakis 17 Apr '11

17 Apr '11

On 17/04/2011 14:03, Stefan Seelmann wrote: > Hi George, > > On Sun, Apr 17, 2011 at 12:07 PM, George Mamalakis<mamalos(a)eng.auth.gr> wrote: >> Dear all, >> >> I have a question regarding my openldap DIT design. My design so far is >> based on the model: ou=people,dc=example,dc=com. It is very possible that >> I'll have to be able to find attributes of people belonging to some specific >> group (eg, student, postgrad, etc). The easiest way to address this issue >> for me would be to branch my DIT like this: >> >> ou=undergrads,ou=people,dc=example,dc=com and >> ou=postgrads,ou=people,dc=example,dc=com. On the other hand, I have several >> classes that I would like to distinguish my users to apart from this (like >> stuff, student, professors, etc.) but further sub-brunching shows to me that >> there's something wrong with my design (since those classes may dynamically >> change in the future). >> >> As a second solution I thought that it would be very easy to make my users >> in ou=people,dc=example,dc=com belong to some group located in >> ou=groups,dc=example,dc=com. This way I feel much more flexible in making >> such classifications, but my problem is how to formulate ldapsearch filters >> so as to return an attribute of some user only if the specific user belongs >> to one or more of my groups (for example to find all email accounts from my >> people that belong to the undergrads group). > A third approach is to to store the group as attribute in the user > entries. The eduPerson schema [1] should fit your needs. Add the > eduPerson object class to your user entries and use the > eduPersonAffiliation multi-valued attribute to add the groups. > > Kind Regards, > Stefan > > [1] http://middleware.internet2.edu/eduperson/ > Stefan, thank you very much for your advise. I had already included the eduperson schema in my configuration, but I had never seen this attribute in use. I will definitely take advantage of it, now that you told me its use. Thanks again for your help, regards, George. -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379

1 0

Local home directory with ADS LDAP authentication
by Madhusudan Singh 16 Apr '11

16 Apr '11

Hello I have an LDAP authentication setup that authenticates users against a server that I do not control. However, whenever a user logs in, the default home directory is set to an NFS mount on another server. I want to change the settings so that the user's home directory is local, say, /home/CAMPUS/username. How do I do that ? With regards.

5 8

differing behavior of ldapsearch
by Michael Slack 15 Apr '11

15 Apr '11

I have an openldap server where I have people entered in basic inetOrgPerson format. I am having an issue where it can't authenticate some users. I have narrowed things down to an issue where if I run: ldapsearch -x -L -D "<myRootDn>" -W -b "<myBaseOU>" "uid=tony" It successfully returns my user object. BUT if I run: ldapsearch -x -L -D "<myRootDn>" -W -b "<myBaseOU>" -h localhost "uid=tony" it will not find the object. I seem to remember that ldapsearch with the default connect will open the DB files directly and read them ??? If so, why can ldapsearch find the object, but slapd can't. If not, what is happening that allows the previous option set to succeed while the second option set fails? BTW: before I get asked, only some user objects are not found. i.e. "uid=kent" is found fine both ways. I tried to generalize my user object such that it isn't the content of the object that would cause the problem, but I also recognize that it is still a possible culprit. This is running on a CentOS box. The RPM is openldap-servers-2.3.27-8.el5_1.3 Thanks in advance for any insight... -- Tony Slack

2 1

Database meta does not have any root node
by michel.gruau 15 Apr '11

15 Apr '11

Hello, I am trying to configure an LDAP proxy towards 2 LDAP targets and I'm using the meta backend as follows: database meta suffix ou=A,o=B,c=C uri ldap://server1/ou=S1,ou=A,o=B,c=C uri ldap://server2/ou=S2,ou=A,o=B,c=C It is working fine except for one point : I'm unable to peform a base search on my root node "ou=A,o=B,c=C". It always respond with error code 32 (no such object). Reading the man page slapd-meta, I understand this is the normal behaviour. But is there a mean to make this root suffix becoming à concrete node ? This point is mandatory for me as many of my client applications are looking for this entry. I tried to create another backend above this one (using subordinate keyword) in order to host this root note but slapd always complain about the fact the suffix is defined twice. Thank you very much for your help. Michel Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ? Je crée ma boîte mail www.laposte.net

4 6

fedora and openldap
by Judith Flo Gaya 15 Apr '11

15 Apr '11

Hello, After some time dealing with ldap and fedora, I'm stuck with an strange behaviour. I can successfully change the password for a certain user using the ldappasswd command, after this change (either done by the manager of the ldap or the same user) I can successfully ssh to the machine using this password. In this moment if I do slapcat I can see a password with this form: e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0= Instead if I change the password using the password command, I can see passwords much longer than the above one, this is what I can see after changing the passwd. e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA= I configured the client to use ldap with this command: authconfig --enableforcelegacy --disablecachecreds --enableldap --enableldapauth --ldapserver=172.19.5.13 --ldapbasedn=dc=linux,dc=imppc,dc=org --disableldaptls --disablefingerprint --disablewinbind --disablewins --disablesssd --disablesssdauth --disablenis --enablecache --enablelocauthorize --usemd5 --updateall This command takes care of all the pam.d files, and considering that the ssh does work with the password set by the ldappasswd command, where is the problem? The server is an openldap-2.4.25. Am I missing something? I though that it was perfectly possible to use passwd instead of ldappasswd. Any help will be extremely appreciated. Thanks a lot, j

8 50

Solaris10+openldap+nss_ldap+pam_ldap=nightmare
by Juergen.Sprenger＠swisscom.com 15 Apr '11

15 Apr '11

If everything else works fine, and only ssh fails check sshd_config for this parameter: PAMAuthenticationViaKBDInt yes pam.conf: Try moving statements with ldap.so.1 to the end of each section and add debug switch: login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 login auth sufficient pam_ldap.so.1 try_first_pass debug If it's not only ssh-login: - is output of 'getent passwd' ok? - provide output of 'ldaplist' - provide output of 'ldapclient list' - check setup of nscd (svc:/system/name-service-cache:default) Jürgen Sprenger

1 0

keyword <modulepath> ignored
by sarath chandra 15 Apr '11

15 Apr '11

Hi, When starting openldap, i'm getting this error: line 27 (modulepath /usr/lib/openldap) /usr/local/etc/openldap/slapd.conf: line 27: keyword <modulepath> ignored I'm using openldap-2.4.25 on CentOs 5. The config command was: export LDFLAGS='-L/usr/local/lib -L/usr/local/lib -L/usr/local/lib' export CPPFLAGS='-I/usr/local/include -I/usr/local/include -I/usr/local/include' ./configure --enable-bdb --enable-crypt --with-tls --enable-overlays=mod --enable-modules=yes --enable-ppolicy=mod --libexecdir=/usr/sbin Any help ??? TIA Sarath

6 21

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical