openldap-technical

openldap-technical@openldap.org

13 participants
9906 discussions

trouble with regex type constraint overlay
by benjamin thielsen 10 Dec '08

10 Dec '08

i'm experimenting with the constrain overlay, and have what i think is a fairly simply constraint that's giving me trouble. below are the details. i believe i've followed slapo-constraint(5) (and regex(7)) accurately, but i must be missing something. >cat montage_admin.ldif dn: uid = admin,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com changetype: modify replace: uidNumber uidNumber: 5000 >ldapmodify -vxWD 'cn=admin,dc=ltn,dc=lvc,dc=com' -f montage_admin.ldif ldap_initialize( <DEFAULT> ) Enter LDAP Password: replace uidNumber: 5000 modifying entry "uid = admin ,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com" ldap_modify: Constraint violation (19) additional info: modify breaks constraint on uidNumber >ldapsearch -vvxWLLLD 'cn=admin,dc=ltn,dc=lvc,dc=com' "(uid=admin)" ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: (uid=admin) requesting: All userApplication attributes dn: uid =admin,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=c om userPassword:: e1NTSEF9TkF5TGVabXFWTU9zT01EZVNWdHA1Mm9uUWtOalg3cXY= objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: top homeDirectory: /dev/null cn: admin uid: admin sn: admin givenName: admin gidNumber: 5001 uidNumber: 2016 >ldapsearch -vvxWLLLb 'cn=config' -D 'cn=admin,cn=config' "(objectClass=olcConstraintConfig)" ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: (objectClass=olcConstraintConfig) requesting: All userApplication attributes dn: olcOverlay={3}constraint,olcDatabase={2}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcConstraintConfig olcOverlay: {3}constraint olcConstraintAttribute: uidNumber regex ^[:digit:]*$ thanks -ben

2 3

olcMonitoring attribute
by benjamin thielsen 10 Dec '08

10 Dec '08

hi- i've recently begun using back-config and was looking for some more detail on the purpose of the olcMonitoring attribute. my googling and searching of the list archives have revealed not much beyond references in cn=schema.ldif. thanks -ben

3 2

Re: bdb encryption
by ghenry＠OpenLDAP.org 09 Dec '08

09 Dec '08

----- "Howard Chu" <hyc(a)symas.com> wrote: > ghenry(a)OpenLDAP.org wrote: > > Hi All, > > > > I'm just testing bdb encryption and it works as expected out of the > box. > > > > But I'm trying to decrypt it using the bdb tools: > > > > [ghenry@suretec openldap-data]$ > /usr/local/BerkeleyDB.4.7/bin/db_verify objectClass.bdb > > db_verify: Encrypted environment: no encryption key supplied > > Segmentation fault > > Interesting. It shouldn't segfault, perhaps you should report that as > a bug to > Oracle. Will do. If I use "cryptkey testing" all tools work. If I enter the wrong password using cryptkey is segfaults again after stating wrong pass. > > So it segfaults, but it's the same with the key: > > > > [ghenry@suretec openldap-data]$ > /usr/local/BerkeleyDB.4.7/bin/db_verify -P "testing" objectClass.bdb > > db_verify: Invalid password > > Segmentation fault > > > > testing is set in slapd.conf via "cryptfile" and has the word > "testing" in it: > > How did you create the file? If you simply created it as a plain text > file, > then it probably has a trailing NewLine as well. In which case, the > NewLine is > part of the password... Checked this and recreated vi vim and just: echo testing > cryptfile. All results in the same invalid password and segfault. Cheers. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

2 1

OpenLDAP replication
by Justin Lintz 09 Dec '08

09 Dec '08

Hi, I am currently working on trying to configure replication between 2 ldap servers. Here is my current setup.... 2 servers, ldap01 and ldap02, both running centos 5.2 x86_64 with openldap2.4 installed from http://staff.telkomsa.net/packages/rhel5/openldap/x86_64/ openldap2.4-servers-2.4.11-1.rhel5 my slapd.conf on ldap01 is: modulepath /usr/lib64/openldap2.4 moduleload syncprov.la TLSCertificateFile /etc/ssl/openldap2.4/ldap.pem TLSCertificateKeyFile /etc/ssl/openldap2.4/ldap.pem TLSCACertificateFile /etc/ssl/openldap2.4/ldap.pem loglevel 32 256 1024 database bdb suffix "dc=example,dc=net" rootdn "cn=Manager,dc=example,dc=net" rootpw directory /var/lib/ldap2.4 checkpoint 256 5 index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq index uid eq,subinitial index sambaSID,sambaDomainName,displayName eq index entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 200 slapd.conf on ldap02 is": directory /var/lib/ldap2.4 checkpoint 256 5 index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq index uid eq,subinitial index sambaSID,sambaDomainName,displayName eq referral ldaps://ldap01/ syncrepl rid=123 provider=ldaps://ldap01/ type=refreshAndPersist searchbase="dc=example,dc=net" scope=sub schemachecking=off bindmethod=simple binddn="cn=manager,dc=example,dc=net" attrs="*" credentials= This appears to work but it seems after some time the replication stops working , not seeing anything in the logs either. Also with this setup, given a situation where ldap01 died and ldap02 took over, when I brought ldap01 back online, would configuration changes need to be made to ensure any changes that were made to ldap02 were replicated back properly or am I not using the proper replication technique for this situation? I'm still a bit new to OpenLDAP so I apologize if I explained anything incorrrectly. My end goal is to have 2 ldap servers in place where in the event of a failure the secondary could take over and when the primary is restored, have it fail back over without any loss of changes. - Justin Lintz

2 3

Unable to login as local user when LDAP master has problem
by sparklings 09 Dec '08

09 Dec '08

Hi, I'm having about 30 Linux Servers in which I have one LDAP master server and remaining all of them are ldap clients.All the users who login to Linux servers are LDAP users. Whenever there is a problem with the LDAP service in Master, I have the following issues. 1.ldap user anyway cannot login to any of the server but even as root or local user,we are unable to login to any of the client/master server. 2.If I'm already logged in any of the client server and when there is a problem with the LDAP master service, the server becomes extremely unstable/slow and cannot execute any command and everything hangs. Could you suggest if I'm missing any setting in LDAP master or slave?as I should not have problem in login to the servers as a local/root user even when LDAP master is down Thanks in Advance, Rahul

2 1

Cannot start kerberos signing/sealing when using TLS/SSL
by Jeremiah Martell 08 Dec '08

08 Dec '08

I'm using openldap, cyrus-sasl, heimdal, and openssl. I use the standard kerberos "kinit" tool to get my TGT, this is successful. I use the standard openldap "ldapsearch" tool to attempt to do a LDAP+GSSAPI over TLS (cert level "demand") search, and I get two errors. The first error is an "inappropriate auth", which seems to come from openldap. The second error is "Cannot start kerberos signing/sealing when using TLS/SSL", which seems to come from GSSAPI-land. Interesting facts: - This fails against Windows 2003 AD. - But succeeds against a BSD box running an openldap server. - The following all had the cert level set to "demand"... - - LDAP works with the Win2003 AD. - - LDAP+SSL works with the Win2003 AD. - - LDAP+TLS works with the Win2003 AD. - - LDAP+GSSAPI works with the Win2003 AD. - - LDAP+GSSAPI+SSL works with the Win2003 AD. - - But LDAP+GSSAPI+TLS does NOT work with the Win2003 AD. - If I switch the cert level to "allow", then LDAP+GSSAPI+TLS works with Win2003 AD. It seems everything is ok with my kerberos setup, since LDAP+GSSAPI works. It seems everything is ok with my certs, since LDAP+SSL and LDAP+TLS and LDAP+GSSAPI+SSL works. I'm at a loss as to why this particular case: LDAP+GSSAPI+TLS (cert level "demand") against Windows 2003 AD doesn't work. I tried looking through the openldap, cyrus-sasl, heimdal, and openssl code for "Cannot start kerberos signing/sealing when using TLS/SSL" but I didn't find anything. My guess is that this comes from the server. The only thing I could find googling was from here: http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP that says: "GSSAPI Error: Cannot start kerberos signing/sealing when using TLS/SSL SASL/GSSAPI already encrypts the LDAP traffic, this error is trying to say TLS/SSL is redundant." My questions: (1) Is this simply the fact that Windows 2003 AD doesn't support LDAP+GSSAPI+TLS (with cert level set to "demand")? (2) Why would the Win2003 AD server behave properly with SSL but not TLS? (3) Why does the openldap server work fine, but not the Windows 2003 AD server? (3) Has this been addressed in some newer release of openldap/cyrus-sasl/heimdal/openssl code? (4) Is there anything I could have done wrong in my Win2003 AD setup? (5) Any other general suggestions/ideas to help? Thanks, -- - Jeremiah Martell http://inlovewithGod.com

2 1

bdb encryption
by ghenry＠OpenLDAP.org 08 Dec '08

08 Dec '08

Hi All, I'm just testing bdb encryption and it works as expected out of the box. But I'm trying to decrypt it using the bdb tools: [ghenry@suretec openldap-data]$ /usr/local/BerkeleyDB.4.7/bin/db_verify objectClass.bdb db_verify: Encrypted environment: no encryption key supplied Segmentation fault So it segfaults, but it's the same with the key: [ghenry@suretec openldap-data]$ /usr/local/BerkeleyDB.4.7/bin/db_verify -P "testing" objectClass.bdb db_verify: Invalid password Segmentation fault testing is set in slapd.conf via "cryptfile" and has the word "testing" in it: (gdb) run -P testing objectClass.bdb Starting program: /usr/local/BerkeleyDB.4.7/bin/db_verify -P testing objectClass.bdb db_verify: Invalid password [New Thread 0xb7fd86c0 (LWP 17626)] Program received signal SIGSEGV, Segmentation fault. 0x0021f82d in __memp_resize () from /usr/local/BerkeleyDB.4.7/lib/libdb-4.7.so Missing separate debuginfos, use: debuginfo-install glibc-2.9-2.i686 (gdb) bt #0 0x0021f82d in __memp_resize () from /usr/local/BerkeleyDB.4.7/lib/libdb-4.7.so #1 0x0021bac9 in __memp_set_cachesize () from /usr/local/BerkeleyDB.4.7/lib/libdb-4.7.so #2 0x08048cfd in __db_rpath () #3 0x0804b018 in ?? () #4 0x00000000 in ?? () (gdb) q Any ideas? Thanks. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

2 1

why does ldapsearch just hang with SASL/EXTERNAL authentication started?
by borderline_ocd-er 08 Dec '08

08 Dec '08

hello list, :¬O H-E-E-E-E-E-L-L-L-L-P-P-P!!!! for the past week and a half, i've been trying to get an openldap client on a mac os x 10.4.11 (OpenLDAP 2.2) to talk to an ldap directory server (sun iPlanet directory server 5.1) on a solaris 9 sparc box; using client authentication with x509 certificates for both the server and the client. i have successfully configured client authn between the directory server (ds) on the solaris box and a precompiled ldapsearch binary client (also running on that same solaris box). the ldapsearch binary is part of the netscape security services (nss) ldap c sdk 6.0.x that came bundled with - what sun calls it's - "ds resource kit 5.2 (dsrk)". since client authn works successfully between those 2 components running local to each other, i figured a remote client authn setup shouldn't be much of a stretch (if the openldap.org docs are to be believed). BOY! was i wrong! after copying to my mac os x box, the same ca cert and client cert (in .pem format) that worked successfully on the solaris box, i configured ldap.conf and .ldaprc to point to the certs and keys (see below). when i run an openldap ldapsearch on the mac, the tls handshake appears to succeed (see below); then the sasl/external client authn appears to kick off; then it just hangs! the last thing that's output to the shell is "SASL/EXTERNAL authentication started". but the shell cursor just hangs there; flashing away - doing nothing! the solaris ds access logs seem to report that a bind took place as a result of the mac openldap ldapsearch attempt: "...conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com" please, will you help me to get my mac openldap ldapsearch client to authenticate to my solaris ds using a client cert? i've read and reread the openldap.org tls docs (http://www.openldap.org/doc/admin24/tls.html); i've read and reread the openldap.org sasl docs (http://www.openldap.org/doc/admin24/sasl.html); i've scoured this list; i've scoured the cyrus sasl list (http://asg.andrew.cmu.edu/archive/index.php?mailbox=archive.cyrus-sasl); i've tried adding the "-I" switch to the ldapsearch command, but that results in an endless loop of being prompted over and over to enter an authorization id. i've tried editing /etc/syslog.conf with the following: "local4.* /var/log/openldap.log" but nothing ever gets logged to that file! i've spent so much time trying to solve this problem on my own, that my wife has threatened to leave me for my best friend if i don't stop spending so much time on this! my dog snarled at me and bit my behind today because he doesn't recognize me anymore! my daughter is talking about becoming an "exotic dancer" because i don't pay her enough attention from working on this! my failure to accomplish such a seemingly simple task has made me consider taking my own life! seriously though: I NEED YOUR HELP! thanks in advance for your help. ========================================================== ds access logs after successful ldapsearch on solaris box: ========================================================== ... [07/Dec/2008:04:29:38 +0000] conn=0 fd=49 slot=49 SSL connection from 127.0.0.1 to 127.0.0.1 [07/Dec/2008:04:29:38 +0000] conn=0 SSL 128-bit RC4; client O=helpme.com, OU=Development, CN=bilbo; issuer E=ldapca(a)helpme.com, CN=ldapca, OU=development, O=helpme.com, L=Chicago, ST=IL, C=US [07/Dec/2008:04:29:38 +0000] conn=0 SSL client bound as cn=bilbo,ou=development,o=helpme.com [07/Dec/2008:04:29:38 +0000] conn=0 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL [07/Dec/2008:04:29:38 +0000] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=bilbo,ou=development,o=helpme.com" [07/Dec/2008:04:29:38 +0000] conn=0 op=1 SRCH base="ou=development,o=helpme.com" scope=2 filter="(cn=bilbo)" attrs=ALL [07/Dec/2008:04:29:38 +0000] conn=0 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [07/Dec/2008:04:29:38 +0000] conn=0 op=2 UNBIND [07/Dec/2008:04:29:38 +0000] conn=0 op=2 fd=49 closed - U1 ... ========================================================== hanging mac osx openldap ldapsearch command results: ========================================================== bilbo$ ldapsearch -v -H ldap://bebop -s sub -b "" -LLL -d -7 -ZZ ldap_initialize( ldap://bebop ) ldap_create ldap_url_parse_ext(ldap://bebop) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP bebop:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.0.0.8:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_open_defconn: successful ldap_send_server_request ber_flush: 31 bytes to sd 3 ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (infinite timeout), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: bebop port: 389 (default) refcnt: 2 status: Connected last used: Sun Dec 7 16:04:48 2008 ** Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 1, all 1 ber_get_next ber_get_next: tag 0x30 len 95 contents: ber_dump: buf=0x004044b0 ptr=0x004044b0 end=0x0040450f len=95 0000: 02 01 01 78 5a 0a 01 00 04 00 04 3b 53 74 61 72 ...xZ......;Star 0010: 74 20 54 4c 53 20 72 65 71 75 65 73 74 20 61 63 t TLS request ac 0020: 63 65 70 74 65 64 2e 53 65 72 76 65 72 20 77 69 cepted.Server wi 0030: 6c 6c 69 6e 67 20 74 6f 20 6e 65 67 6f 74 69 61 lling to negotia 0040: 74 65 20 53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31 te SSL...1.3.6.1 0050: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_read: message type extended-result msgid 1, original id 1 ber_scanf fmt ({iaa) ber: ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92 0000: 78 5a 0a 01 00 04 00 04 3b 53 74 61 72 74 20 54 xZ......;Start T 0010: 4c 53 20 72 65 71 75 65 73 74 20 61 63 63 65 70 LS request accep 0020: 74 65 64 2e 53 65 72 76 65 72 20 77 69 6c 6c 69 ted.Server willi 0030: 6e 67 20 74 6f 20 6e 65 67 6f 74 69 61 74 65 20 ng to negotiate 0040: 53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e SSL...1.3.6.1.4. 0050: 31 2e 31 34 36 36 2e 32 30 30 33 37 1.1466.20037 read1msg: 0 new referrals read1msg: mark request completed, id = 1 request 1 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({iaa) ber: ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92 0000: 78 5a 0a 01 00 04 00 04 3b 53 74 61 72 74 20 54 xZ......;Start T 0010: 4c 53 20 72 65 71 75 65 73 74 20 61 63 63 65 70 LS request accep 0020: 74 65 64 2e 53 65 72 76 65 72 20 77 69 6c 6c 69 ted.Server willi 0030: 6e 67 20 74 6f 20 6e 65 67 6f 74 69 61 74 65 20 ng to negotiate 0040: 53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e SSL...1.3.6.1.4. 0050: 31 2e 31 34 36 36 2e 32 30 30 33 37 1.1466.20037 ber_scanf fmt (a) ber: ber_dump: buf=0x004044b0 ptr=0x004044f7 end=0x0040450f len=24 0000: 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 ..1.3.6.1.4.1.14 0010: 36 36 2e 32 30 30 33 37 66.20037 ldap_parse_result ber_scanf fmt ({iaa) ber: ber_dump: buf=0x004044b0 ptr=0x004044b3 end=0x0040450f len=92 0000: 78 5a 0a 01 00 04 00 04 3b 53 74 61 72 74 20 54 xZ......;Start T 0010: 4c 53 20 72 65 71 75 65 73 74 20 61 63 63 65 70 LS request accep 0020: 74 65 64 2e 53 65 72 76 65 72 20 77 69 6c 6c 69 ted.Server willi 0030: 6e 67 20 74 6f 20 6e 65 67 6f 74 69 61 74 65 20 ng to negotiate 0040: 53 53 4c 2e 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e SSL...1.3.6.1.4. 0050: 31 2e 31 34 36 36 2e 32 30 30 33 37 1.1466.20037 ber_scanf fmt (x) ber: ber_dump: buf=0x004044b0 ptr=0x004044f7 end=0x0040450f len=24 0000: 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 ..1.3.6.1.4.1.14 0010: 36 36 2e 32 30 30 33 37 66.20037 ber_scanf fmt (}) ber: ber_dump: buf=0x004044b0 ptr=0x0040450f end=0x0040450f len=0 ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca(a)helpme.com, issuer: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca(a)helpme.com TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=bebop, issuer: /C=US/ST=IL/L=Chicago/O=helpme.com/OU=development/CN=ldapca/emailAddress=ldapca(a)helpme.com TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write certificate verify A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A ldap_sasl_interactive_bind_s: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_int_sasl_open: host=bebop => ldap_dn2bv(16) ldap_err2string <= ldap_dn2bv(O=helpme.com,OU=Development,CN=bilbo)=0 Success SASL/EXTERNAL authentication started [shell just hangs here] ========================================================== ========================================================== ds access logs after hanging ldapsearch from mac os x: ========================================================== ... [07/Dec/2008:16:04:48 +0000] conn=45 fd=49 slot=49 connection from 10.0.0.9 to 10.0.0.8 [07/Dec/2008:16:04:48 +0000] conn=45 op=0 EXT oid="1.3.6.1.4.1.1466.20037" [07/Dec/2008:16:04:48 +0000] conn=45 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [07/Dec/2008:16:04:49 +0000] conn=45 SSL 128-bit RC4; client O=helpme.com, OU=Development, CN=bilbo; issuer E=ldapca(a)helpme.com, CN=ldapca, OU=development, O=helpme.com, L=Chicago, ST=IL, C=US [07/Dec/2008:16:04:49 +0000] conn=45 SSL client bound as cn=bilbo,ou=development,o=helpme.com [end of file] ========================================================== ldap.conf file: ========================================================== HOST bebop BASE dc=bebop,dc=helpme,dc=net TLS_REQCERT demand TLS_CACERT /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bebopCACert.pem ========================================================== .ldaprc file: ========================================================== URI ldaps://bebop:636 HOST bebop BASE "" TLS_REQCERT demand TLS_CACERT /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bebopCACert.pem TLS_CERT /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bilboClientCert.pem TLS_KEY /Users/bilbo/development/projects/tutorials/ldap/conf/.security/take5/bilboClientKey.pem SASL_MECH EXTERNAL ==========================================================

1 0

Using AD authentication with an external LDAP for authorization
by Stefan Stefansson 08 Dec '08

08 Dec '08

Hi. I'm new to the world of LDAP and directory servers and trying to figure out the best solution to my problem. This isn't exactly OpenLDAP specific, I still haven't figured out whether OpenLDAP is the right thing to use or whether there is any good solution to my situation. So I hope you forgive me for asking this here but I'm hoping to tap into the collective knowledge of this list for ideas. My situation is that I have taken over the systems administration of a group of Linux servers for the Computer Science department at my school. The school has an IT department but we would like to be independent of them, both to relieve them of as much as possible of our demands (which can be quite demanding and unorhadox) as well as having a more agile environment here (again touching on the fact that they are overloaded). The IT department mostly runs Microsoft solutions and the whole domain is controlled by Active Directory. I'm not familiar with AD myself so I don't know whether it's a particularly "good setup" or not but I have no reason to believe otherwise. So, what I want to do is set up our own directory server but of course I would like to use some open source solutions... or at the very least, something that runs on Linux. There I would like to control authorization for different users to different servers, clusters, web systems (such as wiki webs, Subversion, bug tracking software etc). On the other hand, I would prefer that authentication be somehow delegated to the AD server for any user who is on the domain to avoid duplicating data. However, I still would like to be able to define additional users in my LDAP directory server that are not necessarily on the domain. So my setup would have to be able to distinguish whether authentication should be handled by my LDAP server or the AD server. I would think this could happen in two ways: 1) user credentials are replicated over to the LDAP server from AD which means that LDAP would handle all authentication or 2) LDAP server would delegate authentication for users it cannot authenticate to the AD server but otherwise it would handle the users it knows. I assume 1 is difficult to do as sending the user credentials out from AD is probably considered bad practice (if it is at all possible that is). The backup plan would be for me to get administrative rights to some part of the AD server and then we'd use only that server for all authentication and authorization requirements but as I said, we would like to be as independent from their services as possible in addition to not being particularly fond of having to use AD (is there any sort of a usable web access to that? would this mean I would have to have a Windows box set up to perform any administrative tasks?). This is my situation. Sorry for the log winded explanation. Does anybody have an idea of how to accomplish something like this? I'd be happy to hear about any case studies or white papers on similar subjects (I can't believe I'm the first one to want to do this). I'm also open for suggestions on what tools to use. Open source is not a requirement (but preferred). Best regards, Stefan Freyr.

4 3

OpenLDAP + Active Directory User and Password Sync
by Animesh Bansriyar 07 Dec '08

07 Dec '08

Hi All, I have been working on getting Active Directory User Information (username/password) to sync with OpenLDAP. I have been working on different theories to get them to sync when I chanced upon acctsync. Acctsync (http://acctsync.sourceforge.net/) seems to do the work but looks like there has been no work on it since 2005. I am looking forward to revive the project and want to contribute as well on it. If there is something similar can somebody please point me out to it. This is what I am looking for: 1. Any User Added to Active Directory shall be added to OpenLDAP as well and any password modified from Active Directory should be modified in OpenLDAP as well - where OpenLDAP would be used for System Auth in a Linux environment. 2. Any User Added to OpenLDAP should be added to Active Directory along with the same credentials and any password modified in OpenLDAP should be modified in Active Directory as well. I have somewhat been able to take care of the second requirement but the first seems to be the more difficult one in a Windows 2008 Environment - The appoach I have taken is to have a daemon running which polls the OpenLDAP Server with clear-text passwords every few minutes and adds/modifes accounts in the AD Server accordingly - I know this is the least elegant way to do it but as of now it works for me. Can somebody suggest ways to do the above or maybe share experiences on the same. Thanks, Animesh

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical