openldap-technical

openldap-technical@openldap.org

14 participants
9796 discussions

Re: "new style" on ubuntu 8.04
by Luis Paulo 31 Mar '10

31 Mar '10

Thanks, Adam I was afraid of that, but see what made me think otherwise. At http://www.openldap.org/doc/admin24/slapdconf2.html: "the slapd(8) runtime configuration in 2.3 (and later) is fully LDAP-enabled and can be managed using the standard LDAP operations with data in LDIF." - I have slapd 2.4.9 "but must be converted to the new *slapd-config*(5) format to allow runtime changes to be saved". - I did that, but I really don't have the slapd-config man page in */etc/default/slapd* there were already a coment about the the cn=config backend # Default location of the slapd.conf file. If empty, use the compiled-in # default (/etc/ldap/slapd.conf). If using the cn=config backend to store # configuration in LDIF, set this variable to the directory containing the # cn=config data. SLAPD_CONF= And, after all, I've already deleted slapd.conf and authentication is being made with slapd.d/ Please forgive me for insisting. Thanks Are you sure it can't be a matter of ACL, admin authentication, or something else? I'll upgrade to lucid, but it may take a couple of months.

1 0

bdb_reader_get: err Cannot allocate memory(12)
by Кардаш Павел Александро вич 31 Mar '10

31 Mar '10

1 0

ldap.conf
by phiroc＠free.fr 31 Mar '10

31 Mar '10

Hi, is there a way to programmatically retrieve the path to the ldap.conf file (in other words, which conf file the program uses by default)? Many thanks. p

1 0

question about exclusion control of slapd
by Tsukasa Hamano 31 Mar '10

31 Mar '10

Hi, I'm reading the source code of slapd 2.4.21, then I found feel uneasy point. in servers/slapd/bind.c:207 cleanup: if ( rs->sr_err == LDAP_SUCCESS ) { if ( op->orb_method != LDAP_AUTH_SASL ) { ber_dupbv( &op->o_conn->c_authmech, &mech ); } op->o_conn->c_authtype = op->orb_method; } I think that this operation need mutex lock as follows. ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); ... ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); Regards, -- Open Source Solution Technology Corporation Tsukasa Hamano <hamano(a)osstech.co.jp> fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55

1 0

Configuring OpenLDAP on Ubuntu 9.10.Need help!
by Shamika Joshi 31 Mar '10

31 Mar '10

I have followed following article to install/configure OpenLDAP on Ubuntu Server 9.10 https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html There is no slapd.conf in picture here instead running "dpkg-reconfigure slapd" should come up with following Wizard (got this after running through numerous articles on this) *Wizard steps:* 1. *omit openldap server configuration? – no* 2. *dns domain name? vm.example.org* 3. *organization name? myCompany* 4. *database backend to use? hdb* 5. *do you want the database to be removed when slapd is purged? yes* 6. *may be the question: move old database? yes* 7. *administrator password? the same one as entered during installation* 8. *confirm password? see last step* 9. *allow LDAPv2 protocol? no* However in my installation wizards asks * Omit OpenLDAP server configuration? No Do you want the database to be removed when slapd is purged? No Allow LDAPv2 protocol? No Creating initial slapd configuration... done. Starting OpenLDAP: slapd. *Has anyone attempted this before? What I'm missing here? Could someone like to pitch in for some help? So when I run "ldapsearch -x" it gives me following output admins@x6:/etc/ldap$ ldapsearch -x # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 where is should give the output like # extended LDIF # # LDAPv3 # base (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # vm.example.org dn: dc=vm,dc=example,dc=org objectClass: top objectClass: dcObject objectClass: organization o: myCompany dc: vm # admin, vm.example.org dn: cn=admin,dc=vm,dc=example,dc=org objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 Thanks Shamika

4 6

Not getting password expiry warnings on login
by Chris Jacobs 31 Mar '10

31 Mar '10

Hello, I've gotten our password policy to function as it should - password expire requiring password changes, can't use old passwords, etc. I'm working on last little detail - getting the password expiration warning to display. For example, I see in the logs: "Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds" But I never get the notice on login clients - regardless of client type (even from machine to itself). I suspect ya'll are going to be interested in ldap.conf and pam config, so here they are, along with some possibly relevant bits: /etc/ldap.conf: uri ldaps://ldapmaster1.corp.aptimus.net timelimit 10 bind_timelimit 10 bind_policy soft base dc=unix,dc=aptimus,dc=net scope sub ssl on tls_checkpeer no tls_cacertfile /etc/openldap/cacert.pem pam_login_attribute uid pam_lookup_policy yes pam_password exop /etc/pam.d/system-auth-ac: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so # ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006 # grep -i pam /etc/ssh/sshd_config # Set this to 'yes' to enable PAM keyboard-interactive authentication # PAMAuthenticationViaKbdInt no UsePAM yes Ppolicy directives in /etc/openldap/slapd.conf (under the sold database definition): overlay ppolicy ppolicy_hash_cleartext ppolicy_use_lockout AND just for giggles, I decided to see if I could get the version of pam_ldap.so that's installed, and ran strings on it. I notice two things: 1.3.6.1.4.1.42.2.27.8.5.1 (objectclass=passwordPolicy) The ppolicy.schema file compiled used IDs 1.3.6.1.4.1.42.2.27.8.1.x - not ..8.5.x - could I possibly have some weird mismatch here? (I suspect and hope that the last bit here is a totally unrelated red herring.) Thanks, - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs(a)apollogrp.edu This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 4

AD, freeradius, openldap combination
by Serge Fonville 31 Mar '10

31 Mar '10

Hi, I'm setting up a HA environment with centralized user administration. I'm currently considering the following setup For MS clients, authenticate directly to AD For *nix clients, authenticate to an OpenLDAP proxy which authenticate to AD For Routers/switches use FreeRadius to authenticate against the OpenLDAP proxy The goals for the setup are: 1. One login for all networked nodes 2. Centralized user authentication 3. Single resource for user information 4. Highly available authentication service 5. No serious performance impact 6. Alternative login when service is unavailable 7. Easily scalable 8. Easy rollout 1, 2, 3 and 7 are achieved using AD 4 can be achieved by a combination of a loadbalancer for each service and multiple instances of each service not sure if 5 is realistic, but it should be possible I suppose 6 is no problem for any host 8 can be done through scripting What I would like to know now is: Is it advisable to set it up like this? Are there 'better' ways to achieve the same result. (performance, availability, ease of maintenance) Would it be better to let radius talk directly to AD, possibly even using the MS radius server. Is it advisable to use an OpenLDAP proxy for *nix authentication or can I just as well use AD directly. The main reasons for me to assume this setup is the most suitable are: AD replicates by default OpenLDAP proxy does not need to replicate OpenLDAP is more 'compatible' with the *nix clients FreeRadius does not need to replicate All can be loadbalanced easily. The main question I want to know from the OpenLDAP list is: "how well does the OpenLDAP proxy perform?" For the remainder, if anyone wants to shed some light on this, I would greatly appreciate it. Thanks a lot in advance. Regards, Serge Fonville -- http://www.sergefonville.nl Convince Google!! They need to support Adsense over SSL https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528 http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&h…

1 0

Re: Configuring OpenLDAP on Ubuntu 9.10 [using slapd.conf??]
by Shamika Joshi 31 Mar '10

31 Mar '10

Thank you guys for your help! I'll try my way through it. One more question here, i have a old working slapd.conf file from a RHEL server, if I want to same slapd.conf file & provide its path in /etc/default/slapd as SLAPD_CONF=/etc/ldap/slapd.conf should that work? Or should I need to make more changes? Has anyone done this before? Any articles you may want to suggest I should go through to achieve this? Thanks Shamika On Tue, Mar 30, 2010 at 5:43 PM, Matt Kassawara <mkassawara(a)gmail.com>wrote: > Starting with Ubuntu Karmic (9.10), the slapd package changed from creating > a typical LDAP administrator account (i.e., username and password) to using > LDAPI and SASL EXTERNAL which automatically provides LDAP administrator > access via the system root account. As root, run your LDAP utilities with > "-Y external -H "ldapi:///" instead of "-x", "-D", and "-W" where > appropriate. For example, to search your LDAP directory: > > ldapsearch -Y external -H "ldapi:///" -b dc=domain,dc=com > > I'm not sure why the Ubuntu Server Guide for 9.10 did not get updated to > reflect these changes, but if you search the web for "ubuntu sasl external" > you'll get quite a few hits on the issue. You may also want to read these > bugs when configuring clients: > > https://bugs.launchpad.net/bugs/423252 > > https://bugs.launchpad.net/bugs/427842 > > Matt > > > On 3/30/10 4:04 AM, Shamika Joshi wrote: > >> I have followed following article to install/configure OpenLDAP on >> Ubuntu Server 9.10 >> https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html >> >> There is no slapd.conf in picture here instead running "dpkg-reconfigure >> slapd" should come up with following Wizard (got this after running >> through numerous articles on this) >> >> *Wizard steps:* >> >> 1. *omit openldap server configuration? – no* >> 2. *dns domain name? vm.example.org <http://vm.example.org>* >> 3. *organization name? myCompany* >> 4. *database backend to use? hdb* >> 5. *do you want the database to be removed when slapd is purged? yes* >> 6. *may be the question: move old database? yes* >> 7. *administrator password? the same one as entered during installation* >> 8. *confirm password? see last step* >> 9. *allow LDAPv2 protocol? no* >> >> >> However in my installation wizards asks >> * >> Omit OpenLDAP server configuration? No >> Do you want the database to be removed when slapd is purged? No >> Allow LDAPv2 protocol? No >> Creating initial slapd configuration... done. >> Starting OpenLDAP: slapd. >> >> *Has anyone attempted this before? What I'm missing here? Could someone >> like to pitch in for some help? >> >> So when I run "ldapsearch -x" it gives me following output >> >> admins@x6:/etc/ldap$ ldapsearch -x >> # extended LDIF >> # >> # LDAPv3 >> # base <> (default) with scope subtree >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # search result >> search: 2 >> result: 32 No such object >> >> # numResponses: 1 >> >> >> where is should give the output like >> >> # extended LDIF >> # >> # LDAPv3 >> # base (default) with scope subtree >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> #vm.example.org <http://vm.example.org> >> >> >> dn: dc=vm,dc=example,dc=org >> objectClass: top >> objectClass: dcObject >> objectClass: organization >> o: myCompany >> dc: vm >> >> # admin,vm.example.org <http://vm.example.org> >> >> dn: cn=admin,dc=vm,dc=example,dc=org >> >> objectClass: simpleSecurityObject >> objectClass: organizationalRole >> cn: admin >> description: LDAP administrator >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 3 >> # numEntries: 2 >> >> >> >> Thanks >> Shamika >> >

1 0

"new style" on ubuntu 8.04
by Luis Paulo 31 Mar '10

31 Mar '10

Hi, all I am installing openldap for the first time. On ubuntu 8.04 server. Things are going, I have a server, still without SASL, and a client working. I used the migration tools, and set rootdn and rootpw on my database conf I was reading a bit more, and I saw a command that didn't work $ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb on https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html (note, 9.10, not 8.04) A bit more reading, and I tried to get the "new style" configuration as in http://www.openldap.org/doc/admin24/slapdconf2.html with $ sudo mkdir /etc/ldap/slapd.d $ sudo chown -R openldap:openldap /etc/ldap/slapd.d $ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d and change, in */etc/default/slapd*, SLAPD_CONF=/etc/ldap/slapd.d Still can't run the command (with the plain rootpw password from the old slapd.conf) $ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb ldap_bind: Invalid credentials (49) I've read http://www.openldap.org/doc/admin24/appendix-common-errors.html and am now trying to check things and reading around the "new style" and ACL's. Should I be able to run that command and use the "new style" with ubuntu 8.04 (hardy)? If so, I'll thank you for any help. PS: ii slapd 2.4.9-0ubuntu0.8.04.3 OpenLDAP server (slapd) ii ldap-utils 2.4.9-0ubuntu0.8.04.3 OpenLDAP utilities ii migrationtools 47-3ubuntu2 Migration scripts for LDAP Linux main 2.6.24-27-server #1 SMP Fri Mar 12 01:23:09 UTC 2010 x86_64 GNU/Linux

1 0

ldap_ssl_client_init equivalent?
by phiroc＠free.fr 30 Mar '10

30 Mar '10

Hi, is there a ldap_ssl_client_init function in the openldap C API? I couldn't find any in the openldap header files. What is the equivalent of the following ldapsearch query in C using the API, on Linux? ldapsearch -x -H 'ldaps://activedirectory.abc.com/636' -b 'dc=abc,dc=com' -D 'testdn' -W '(&(objectclass=user)(!(objectclass=computer))(samaccountname=myname))' samaccountname Many thanks. p

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical