openldap-technical

openldap-technical@openldap.org

3 participants
9898 discussions

Using AD authentication with an external LDAP for authorization
by Stefan Stefansson 08 Dec '08

08 Dec '08

Hi. I'm new to the world of LDAP and directory servers and trying to figure out the best solution to my problem. This isn't exactly OpenLDAP specific, I still haven't figured out whether OpenLDAP is the right thing to use or whether there is any good solution to my situation. So I hope you forgive me for asking this here but I'm hoping to tap into the collective knowledge of this list for ideas. My situation is that I have taken over the systems administration of a group of Linux servers for the Computer Science department at my school. The school has an IT department but we would like to be independent of them, both to relieve them of as much as possible of our demands (which can be quite demanding and unorhadox) as well as having a more agile environment here (again touching on the fact that they are overloaded). The IT department mostly runs Microsoft solutions and the whole domain is controlled by Active Directory. I'm not familiar with AD myself so I don't know whether it's a particularly "good setup" or not but I have no reason to believe otherwise. So, what I want to do is set up our own directory server but of course I would like to use some open source solutions... or at the very least, something that runs on Linux. There I would like to control authorization for different users to different servers, clusters, web systems (such as wiki webs, Subversion, bug tracking software etc). On the other hand, I would prefer that authentication be somehow delegated to the AD server for any user who is on the domain to avoid duplicating data. However, I still would like to be able to define additional users in my LDAP directory server that are not necessarily on the domain. So my setup would have to be able to distinguish whether authentication should be handled by my LDAP server or the AD server. I would think this could happen in two ways: 1) user credentials are replicated over to the LDAP server from AD which means that LDAP would handle all authentication or 2) LDAP server would delegate authentication for users it cannot authenticate to the AD server but otherwise it would handle the users it knows. I assume 1 is difficult to do as sending the user credentials out from AD is probably considered bad practice (if it is at all possible that is). The backup plan would be for me to get administrative rights to some part of the AD server and then we'd use only that server for all authentication and authorization requirements but as I said, we would like to be as independent from their services as possible in addition to not being particularly fond of having to use AD (is there any sort of a usable web access to that? would this mean I would have to have a Windows box set up to perform any administrative tasks?). This is my situation. Sorry for the log winded explanation. Does anybody have an idea of how to accomplish something like this? I'd be happy to hear about any case studies or white papers on similar subjects (I can't believe I'm the first one to want to do this). I'm also open for suggestions on what tools to use. Open source is not a requirement (but preferred). Best regards, Stefan Freyr.

4 3

OpenLDAP + Active Directory User and Password Sync
by Animesh Bansriyar 07 Dec '08

07 Dec '08

Hi All, I have been working on getting Active Directory User Information (username/password) to sync with OpenLDAP. I have been working on different theories to get them to sync when I chanced upon acctsync. Acctsync (http://acctsync.sourceforge.net/) seems to do the work but looks like there has been no work on it since 2005. I am looking forward to revive the project and want to contribute as well on it. If there is something similar can somebody please point me out to it. This is what I am looking for: 1. Any User Added to Active Directory shall be added to OpenLDAP as well and any password modified from Active Directory should be modified in OpenLDAP as well - where OpenLDAP would be used for System Auth in a Linux environment. 2. Any User Added to OpenLDAP should be added to Active Directory along with the same credentials and any password modified in OpenLDAP should be modified in Active Directory as well. I have somewhat been able to take care of the second requirement but the first seems to be the more difficult one in a Windows 2008 Environment - The appoach I have taken is to have a daemon running which polls the OpenLDAP Server with clear-text passwords every few minutes and adds/modifes accounts in the AD Server accordingly - I know this is the least elegant way to do it but as of now it works for me. Can somebody suggest ways to do the above or maybe share experiences on the same. Thanks, Animesh

1 0

Re: Syncrepl question
by Quanah Gibson-Mount 06 Dec '08

06 Dec '08

--On Friday, December 05, 2008 1:18 PM -0800 Ivan Ordonez <iordonez(a)nature.berkeley.edu> wrote: > Hi Quanah, > > I was able to get it to work earlier when I add the startls=critical > line. It work when I did it on the slave1, at the time, I made the > slave1 as the master. Thanks so much for that. Now moving on the the > real master, things did not go well. Now the issue is that, any changes > I make on the master, doesn't go to the slaves. I have two slaves and I > want those two to get the changes. > > example: > > Master > | > _ _ _ _ _| |_ _ _ _ _ > | | > | | > | | > Slave1 Slave2 > > Now, when I make any change on the master, the changes will take effect > only on master and not on the slaves. I will get this error on both > slaves. > Is this because of the acl.bdc.readonly.conf line I have on both slave's > slapd.conf file? pdbedit -Lv username still work only on account were no > changes are made. Do you see any errors on the master from the slaves binding? Are you sure they have the right permissions to the master? Did you look at what sync logging shows? What is the contextCSN on your master versus your slaves? At this point, I suggest we take this discussion back to the list, since we got back your earlier config issue (starttls not being set in the syncrepl config). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

2 3

Syncrepl question
by Ivan Ordonez 04 Dec '08

04 Dec '08

Hi all, We have a small size domain with about 500 users and computers. We are using Samba with Openldap integration to authenticate user login and file sharing. Our setup is consist of 3 servers running Gentoo Linux - 1PDC and 2BDCs. As for replication, we are still using "slurpd". Any changes or modification is done through the PDC which replicates the changes to BDC1, then from BDC1, it then goes down to BDC2 - it's like a chain. We want to start using "syncrepl" soon as a way to replicate our database but I'm not sure were to start. We want to setup all of our machine to sync with each other everyday, and not worry which machine is use to make changes, modification, etc.... I'm not sure which syncrepl function to use to achieve what we want to do. Is "N-Way Multi Master replication" the correct choice to do this? We are using "BDB" database on each servers, and would like to achieve this with minimal downtime if possible. What is the best way to do this? Please advise. Any help is greatly appreciated. -Ivan

3 12

How to take backup of the openldap users data from the command prompt in LINUX Fedora
by Jyotishmaan Ray 04 Dec '08

04 Dec '08

My problem. I had been using the phpldapadmin browser 1.0.1 to access the openldap database. Recently when I observed that when I logged onto the phpldapadmin browser, the features of the browser didnt show up as usually it appears. So that was my problem as such now I am not able to use the GUI of the browser to do importing of the ldif files for adding new users to my database. Now that the situation is urgent, I need to take a back up of my openldap database for the users data. Please give me the full comand details, so that I can take a back up of my database safely before exploring the problem of phpldapadmin browser. Thanks, in advance, jmaan Thanks, Jyotishmaan Ray Moderator Of Paradise Groups http://yahoogroups.com/group/Spirituality-Paradise Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!! Please Join Immediately By Sending A Blank Mail @ Spirituality-Paradise-subscribe(a)yahoogroups.com

3 3

OpenLDAP 2.4.10 Logging
by Lydon, Mark 03 Dec '08

03 Dec '08

I am running OpenLDAP 2.4.10 in a Solaris 10 local zone. All working fine, except that I want to log to a specific file using this command line; nohup /usr/local/libexec/slapd -d 64 -d 256 2> /tmp/slapd.log & This run ok in background, but when I exit my shell the job ends. I've often used nohup like this to start jobs and disassociate them from the users login shell, why doesn't it work here? Regards Mark Lydon AT&T

2 1

Samba objects replication
by mike 03 Dec '08

03 Dec '08

Hello everybody. I have configurated Samba with openLdap. My problem is that openldap slave does not synchronize the samba objects from the openldap master. All the others objects (ou, o, dc) are synchronized normaly Can someone help me please? Thanks Migue

2 1

2.4.13 could not start
by owen nirvana 02 Dec '08

02 Dec '08

libldap_r-2.4.so.2 no version information (reqired by slapd) liblber-2.4.so.2 no version information (reqired by slapd) in debian lenny-081114, I don't remove openldap 2.4.11 debian package which had installed, because synpatic always want to remove many many related package too. But I don't think it is the problem. thanks for instruction gtalk:freeespeech@gmail.com

2 1

Can join Domain but cannot login.
by Emil Sicad - ISD 02 Dec '08

02 Dec '08

Good day! I badly need your help. I can join the domain using the root but after restart i cannot login anymore My client is windows XP sp4. The message was this:` "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect." i have already disable the following in Local Security Settings 1. Domain member: Digitally encrypt or sign secure channel data (always) 2. Domain member: Digitally encrypt secure channel data (when possible) 3. Domain member: Digitally sign secure channel data (when possible) 4. Domain member: Disable machine account password changes I can add and delete user using smbldap-useradd and smbldap-userdel and also using webmin 1.41 Pls help me with this. This is my config files: ######################################### -rw-r--r-- 1 root root 2715 Dec 1 18:15 smb.conf [global] idmap gid = 16777216-33554431 enable privileges = Yes passwd program = /usr/local/sbin/smbldap-passwd %u dns proxy = no netbios name = smbldap ldap passwd sync = yes idmap uid = 16777216-33554431 default = global dos charset = 850 local master = yes workgroup = fcb.net os level = 34 security = User log level = 0 log file = /var/log/samba/log.%m max log size = 500 socket options = TCP_NODELAY domain master = yes encrypt passwords = yes winbind use default domain = no keepalive = 10 template shell = /bin/false netbios aliases = smbldap.fcb.net password server = smbldap valid users = %U domain logons = yes encrypt passwords = yes unix charset = ISO8859-1 password server = smbldap # Samba-Ldap Declarations # passdb backend = ldapsam:ldap://127.0.0.1/ ldap admin dn = cn=Manager,dc=fcb.net,dc=. ldap suffix = dc=fcb.net,dc=. ldap delete dn = yes ldap ssl = on ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups add user script = /usr/local/sbin/smbldap-useradd -a "%u add machine script = /usr/local/sbin/smbldap-useradd -w "%u" add user to group script = /usr/local/smbldap-groupmod -m "%u" "%g" add group script = /usr/local/sbin/smbldap-groupadd -p '%g' set primary group script = /usr/local/sbin/smbldap-groupmod -g "%g" "%u" delete user script = /usr/local/sbin/smbldap-userdel -r "%u" delete group script = /usr/local/sbin/smbldap-groupdel '%g' delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g" [netlogon] comment = Domain Logon Service path = /home/netlogon browseable = No [ISD] comment = Information Systems Division path = /home/isd valid users = @isd read only = No create mask = 0660 directory mask = 0770 [profiles] path = /home/samba/profiles valid users = %U, "@Domain Admins" ########################################## -rwxr-xr-x 1 ldap ldap 1010 Nov 28 16:29 slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/samba.schema allow bind_v2 pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args database bdb directory /var/lib/ldap suffix "dc=fcb.net,dc=." rootdn "cn=Manager,dc=fcb.net,dc=." index objectClass,uidNumber,gidNumber eq index cn,sn,uid,displayName eq,pres,sub index memberUid,mail,givenname eq,subinitial index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq rootpw smbldap access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange by dn.children="dc=fcb.net,dc=." write by self write by anonymous auth by * none access to * by dn.children="dc=fcb.net,dc=." write by * read ###################################### -rw-r--r-- 1 ldap ldap 851 Dec 1 17:56 ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example, dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never host 127.0.0.1 base dc=fcb.net,dc=. #inserted nov 24, 2008 #rootbinddn cn=Manager,dc=fcb.net,dc=. rootbinddn cn=Manager,dc=fcb.net,dc=. nss_base_passwd dc=fcb.net,dc=. nss_base_shadow dc=fcb.net,dc=. nss_base_group dc=fcb.net,dc=. #Security Options ssl no pam_passwd md5 bind_policy soft TLS_CACERTDIR /etc/openldap/cacerts ######################################## -rw-r--r-- 1 root root 1119 Nov 27 13:38 smbldap.conf SID="S-1-5-21-2796061091-2530429657-3897351620" sambaDomain="smbldap" slaveLDAP="127.0.0.1" slavePort="389" masterLDAP="127.0.0.1" masterPort="389" ldapTLS="0" #verify="" #clientcert="" #clientkey="" suffix="dc=fcb.net,dc=." usersdn="ou=User,dc=fcb.net,dc=." computersdn="ou=Computers,dc=fcb.net,dc=." groupsdn="ou=Groups,dc=fcb.net,dc=." binddn="cn=Manager,dc=fcb.net,dc=." bindpasswd="smbldap" #idmapdn="fcb,${suffix}" #sambaUnixIdPooldn="sambaDomainName=workgroup,${suffix}" scope="sub" hash_encrypt="SSHA" crypt_salt_format="" userLoginShell="/bin/bash" userHome="/home/samba/users/%U" userHomeDirectoryMode="700" userGecos="System User" defaultUserGid="513" defaultComputerGid="515" skeletonDir="/etc/skel" userSmbHome="\\smbldap\home\samba\users\%U" userProfile="\\smbldap\home\samba\profiles\%U" userHomeDrive="H" userScript="%U.bat" with_smbpasswd="0" smbpasswd="/usr/bin/smbpasswd" with_slappasswd="0" slappasswd="/usr/sbin/slappasswd" ####################################### -rw------- 1 root root 428 Nov 25 18:34 smbldap_bind.conf slaveDN="cn=Manager,dc=fcb.net,dc=." slavePw="smbldap" masterDN="cn=Manager,dc=fcb.net,dc=." masterPw="smbldap" ############################################### -rw-r--r-- 1 root root 1658 Nov 29 15:14 /etc/nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap hosts: files dns bootparams: files ethers: files netmasks: files networks: files protocols: files ldap rpc: files services: files ldap netgroup: files ldap publickey: files automount: files ldap aliases: files Thanks in advance! Emil Sicad Cebu Mitsumi Inc Information Systems Division

2 2

hello
by Donny George 01 Dec '08

01 Dec '08

Hello After much work i set up and openldap server and client and established their connectivity and also populated the database with phpldapadmin. but wen i do ldapsearch -x or getent passwd or when i search for the specific ids i cant get the user information which i entered through the gui. as i am not sure the config files which i should look into to correct this error, could someone guide me. did i miss in installing soething or have i not edited any specific file thank you in advance -- Donny George

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical