openldap-technical

openldap-technical@openldap.org

18 participants
9785 discussions

question about object classes
by VaraPrasad Yalla 25 Feb '08

25 Feb '08

Hello Ldapusers, In the slapd.conf file I made sure to include /etc/openldap/schema/inetorgperson.schema But when I use the password migration script to convert password map to ldif format I always see that only 'account' comes up as the default object class in the ldif files . Here is an example of what one of the ldif entries looks like : -------------------------------------------- dn: uid=axe,ou=People,dc=example,dc=com uid: axe cn: axe objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$1$8EJTU0c0$O2oc9gwyMJZl0hFg7x6Y7. shadowLastChange: 12371 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 500 gidNumber: 500 homeDirectory: /home/axe -------------------------------------------- How do I make sure that inetorgperson comes up as the default object class without having to add it manually . Also is it possible to modify the object class of a record that has already been added to the database ? Please let me know . Thanks .

1 0

Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei 24 Feb '08

24 Feb '08

Dear Tony, Thanks for your comment..I played more with my ldap and here is what I found out.. If a user in in both /etc/passwd and ldap directory with the same password, linux authentication is used. However, if user etc/passwd is different than the ldap passwd, depending on what passwd is used during the login, appropriate authentication is used(i.e both passwords work just fine) However, here is what I still dont understand: if a user is only in etc/passwd, after executing su user, it seems that there are still some activities in the ldap site. fir instance when I do su karan where karan ONLY exists in the etc/passwd, I get the following in the logfile(/vat/log/local4) Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from IP=127.0.0.1:33277 (IP=0.0.0.0:389) Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 BIND dn="" method=128 Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 RESULT tag=97 err=0 text= Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))" Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Feb 22 14:54:03 gamaalien slapd[7896]: <= bdb_equality_candidates: (uidNumber) not indexed Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 ACCEPT from IP=127.0.0.1:33278 (IP=0.0.0.0:389) Feb 22 14:55:04 gamaalien slapd[7896]: conn=42 fd=20 closed (connection lost) Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 BIND dn="" method=128 Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 RESULT tag=97 err=0 text= Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=karan))" Feb 22 14:55:04 gamaalien slapd[7896]: <= bdb_equality_candidates: (uid) not indexed Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=karan))" Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH attr=gidNumber Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 closed (connection lost) do you know whats going on here? if linux authentication is used and karan is not in the ldap directory then why ldap is called? thanks for your help ----- Original Message ---- From: Tony Earnshaw <tonni(a)hetnet.nl> To: openldap-technical(a)openldap.org Sent: Friday, February 22, 2008 2:12:36 AM Subject: Re: using LDAP as central authentication unit Hamidreza Hamedtoolloei skrev, on 22-02-2008 09:49: > http://www.linux.com/articles/113567 describes the "sufficient" modifier > as follows: > If a sufficient module succeeds, it is enough to satisfy the > requirements of sufficient modules in that realm for use of the service, > and modules below it that are also listed as 'sufficient' are not invoked. > > given the following /etc/pam.d/system.auth file: > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass > auth required /lib/security/$ISA/pam_deny.so > I think LDAP is used ONLY if the unix authentication fails?? right??? am > I missing something??? I don't suppose that, reading the article you quote, you're missing anything, but I've just played around with my test machine's FC6 /etc/pam.d/system-auth and found the following for the auth service: 1: Where a user is in both LDAP and /etc/{passwd,shadow} only the pam_unix.so password counts, even though the position of the pam_unix.so and pam_ldap.so lines is swapped. Changing the LDAP entry's password doesn't make any difference to pam; 2: Where a user is only in LDAP the pam_unix.so auth entry is ignored, whatever its position; 3: Commenting out the pam_unix.so line results in all login attempts by everyone to be invalid. So not even root can log in any longer. So I'd say that the stuff is far more complicated than the author states. Perhaps people are thinking about the nsswitch.conf entries. However, a recent thread in the pam_ldap mailing list hinted that things might be different for systems on which Padl's CNS pam_ldap library is installed, rather than Red Hat's version - as on my machines. To avoid completely "missing something" I suggest you try it out for yourself ;) Best, --Tonni -- Tony Earnshaw Email: tonni at hetnet dot nl ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs

4 3

Limit daily query number
by cariparo＠libero.it 24 Feb '08

24 Feb '08

Hi All, I have a OpenLDAP implementation with anonymous read access enabled, so I want to limit the numbers of the query that each computer (IP) can perform on a specified time windows. For example: allow each IP to perform max 300 queries per day. I have a huge amount of users, and a database of abt 1M objects. Can anyone give me a suggestion, i can't find any specific setting. Thanks Carip

2 2

extend remote server with local (subordinate) entries
by Oren Laadan 24 Feb '08

24 Feb '08

Hi, I use the configuration below to extend a given remote LDAP database with a relatively small number of local records. Specifically, the local database adds new (posix) groups and new autofs maps, adding to the ones already given by the remote server. (see the original thread at: http://www.openldap.org/lists/openldap-software/200802/msg00128.html) > ... > moduleload back_ldap > moduleload back_bdb > ... > backend bdb > backend ldap > ... > # bdb backend, configured as a subordinate of the main server > database bdb > suffix "dc=SUB,dc=EXAMPLE,dc=COM" > readonly on > subordinate > ... > # ldap backend, with the right DN base > database ldap > lastmod off > suffix "dc=EXAMPLE,dc=COM" > uri "ldaps://REMOTE_SERVER/" > ... > The extension of groups works like charm, without any modification to the clients' setup (/etc/ldap/ldap.conf). However, the additional maps aren't observed by the autofs-ldap method and are therefore not working for users. Running on Debian (unstable), autofs-ldap-auto-master gives: /home ldap:ou=auto.home,ou=AutoFS,dc=EXANPLE,dc=COM /proj ldap:ou=auto.proj,ou=AutoFS,dc=EXAMPLE,dc=COM A remote LDAP entry for /proj looks like: dn: cn=blast,ou=auto.proj,ou=AutoFS,dc=EXAMPLE,dc=COM objectClass: automount cn: blast automountInformation: -rw blast:/export/blast A local (added to the subtree SUB) entry for /proj looks like: dn: cn=extra,ou=auto.proj,ou=AutoFS,dc=SUB,dc=EXAMPLE,dc=COM objectClass: automount cn: extra automountInformation: -rw extra:/export/extra Problem is, that autofs only "sees" entries of the first type; if I run automount manually (prepending "dc=SUB," to the default way it is otherwise invoked): /usr/sbin/automount --pid-file=/var/run/autofs/_proj.pid --timeout=300 /proj ldap ou=auto.proj,ou=AutoFS,dc=SUB,dc=EXAMPLE,dc=COM then I can make it see the second type, but then it ignores the first type. Note that the same technique works for adding more groups. So I suspect the problem is that somehow autofs does not consider subtrees as valid results for its query to ldap. Any ideas how to fix this ? (or perhaps suggestion how to arrange the entire setup differently and still have the same end result). Thanks, Oren.

2 3

Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei 22 Feb '08

22 Feb '08

Dear Tony, Thanks for your prompt response.. http://www.linux.com/articles/113567 describes the "sufficient" modifier as follows: If a sufficient module succeeds, it is enough to satisfy the requirements of sufficient modules in that realm for use of the service, and modules below it that are also listed as 'sufficient' are not invoked. given the following /etc/pam.d/system.auth file: auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so I think LDAP is used ONLY if the unix authentication fails?? right??? am I missing something??? ----- Original Message ---- From: Tony Earnshaw <tonni(a)hetnet.nl> To: openldap-technical(a)openldap.org Sent: Thursday, February 21, 2008 9:58:57 PM Subject: Re: using LDAP as central authentication unit Hamidreza Hamedtoolloei skrev, on 22-02-2008 03:21: > I've followed one of the online instructions on how to configure my > system to use ldap as the user authentication mechanism. below is > partial content of my /etc/pam.d/system.auth file: > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass > auth required /lib/security/$ISA/pam_deny.so > > looking at some online resources about how pam works, it seems that unix > authentication is being applied first, and only if it fails, ldap > authentication is applied. Am I correct here? In other words if all the > users are still in /etc/shadow and /etc/passd files.... ldap is NOT > being used for authentication. If I delete the users from /etc/passwd... > then LDAP is used.... right>? No, all the modules will be used, but the way they are treated depends on the modifiers {sufficient,required,requisite} and {use_first_pass,try_first_pass,null} (unless you're using Solaris >= 10 where they've been obsoleted). Best, --Tonni -- Tony Earnshaw Email: tonni at hetnet dot nl ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs

3 2

OpenLdap unstable on RHEL5 & Centos5 with db4
by Rohit B 22 Feb '08

22 Feb '08

Hello List members I am running Openldap and db4 [root@build ~]# slapd -V @(#) $OpenLDAP: slapd 2.3.27 (Mar 14 2007 17:44:50) $ mockbuild@builder4.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd DB4 vcersion db4-4.3.29-9 We have a address book containing around 500 to 2000 addresses stored in it. Every thing works fine for some days and then it crashes. I see nothing in the logs. We are using a custom schema attached with this email. Before we upgraded from the default openldap in centos4.4 to Centos5.0 it was working perfectly, is there any compatibility issues with the schema & the new package. -- Regards, Rohit Baisakhiya attributetype ( 2.5.4.7.1 NAME ( 'location' 'subdomain' ) SUP name ) attributetype ( 2.5.4.7.2 NAME ( 'proxyflag' ) SUP name ) attributetype ( 2.5.4.7.3 NAME ( 'mailflag' ) SUP name ) attributetype ( 2.5.4.7.4 NAME ( 'incomingflag' ) SUP name ) attributetype ( 2.5.4.7.5 NAME ( 'outgoingflag' ) SUP name ) attributetype ( 2.5.4.7.6 NAME ( 'inmailsize' ) SUP name ) attributetype ( 2.5.4.7.7 NAME ( 'outmailsize' ) SUP name ) attributetype ( 2.5.4.7.8 NAME ( 'mailquota' ) SUP name ) attributetype ( 2.5.4.7.9 NAME ( 'globalquota' ) SUP name ) attributetype ( 2.5.4.7.10 NAME ( 'memOfGroup' ) SUP name ) attributetype ( 2.5.4.7.11 NAME ( 'autoDeleteMail' ) SUP name ) #attributetype ( 2.5.4.7.11 NAME ( 'mailsOlderThan' ) SUP name ) #attributetype ( 2.5.4.7.12 NAME ('lastModifiedTime') SUP name) #attributetype( 0.9.2342.19200300.100.1.23 NAME ('lastModifiedTime') SUP name) #attributetype ( 2.5.4.7.10 NAME 'member' SUP distinguishedName ) #attributetype ( 2.5.4.7.11 NAME 'owner' SUP distinguishedName ) #attributetype ( 2.5.4.7.12 NAME 'seeAlso' SUP distinguishedName ) #attributetype ( 2.5.4.7.13 NAME ( 'ou' 'organizationalUnitName' ) SUP name ) #attributetype ( 2.5.4.7.14 NAME ( 'o' 'organizationName' ) SUP name ) #attributetype ( 2.5.4.7.15 NAME 'description' # EQUALITY caseIgnoreMatch # SUBSTR caseIgnoreSubstringsMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) #attributetype ( 2.5.4.7.16 NAME 'businessCategory' # EQUALITY caseIgnoreMatch # SUBSTR caseIgnoreSubstringsMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) # # Netcore User objectclass # objectclass ( 1.3.6.1.4.1.4203.1.4.1.1 NAME ( 'Netcore' 'Netserv' ) DESC 'Netcore Netserv Ldap' SUP ( posixAccount $ inetLocalMailRecipient $ inetOrgPerson ) MAY ( location $ proxyflag $ mailflag $ incomingflag $ outgoingflag $ inmailsize $ outmailsize $ mailquota $ globalquota $ acctFlags $ description $ homeDrive $ kickoffTime $ lmPassword $ logoffTime $ logonTime $ ntPassword $ primaryGroupID $ profilePath $ pwdCanChange $ pwdLastSet $ pwdMustChange $ scriptPath $ smbHome $ rid $ ou $ memOfGroup $ autoDeleteMail $ calFBURL ) ) #attributetype (2.16.840.1.113730.3.1.13 #Conflicting hence changed this attributetype (2.16.840.1.113730.3.1.14 NAME 'mailAlternateAddress' DESC 'alternate RFC822 email addresses used to reach this person' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype (2.16.840.1.113730.3.1.23 NAME 'mgrpAllowedDomain' DESC 'allowed domains for sender of mail to group' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype (2.16.840.1.113730.3.1.25 NAME 'mgrpDeliverTo' DESC 'LDAP Search URL to describe group membership' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) attributetype (2.16.840.1.113730.3.1.26 NAME 'mgrpErrorsTo' DESC 'person or group to receive error messages for this group' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetype (2.16.840.1.113730.3.1.28 NAME 'mgrpRejectAction' DESC 'The action to be taken for a rejected message to the group' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype (2.16.840.1.113730.3.1.29 NAME 'mgrpRejectText' DESC 'Text to be returned with a rejected message' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype (2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'RFC822 mail address of email only member of group' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # # Netcore Group objectclass # ###### object class modified Manoj for version 2.1 of openldap ####### objectclass (2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top STRUCTURAL MUST ( uid $ mail $ cn ) MAY ( mailAlternateAddress $ mailHost $ mgrpAllowedDomain $ mgrpDeliverTo $ mgrpRejectAction $ mgrpErrorsTo $ mgrpRFC822MailMember $ mgrpRejectText $ businessCategory $ seeAlso $ owner $ ou $ o $ description $ uniqueMember $ mailquota) )

3 6

me
by Aravind Arjunan 21 Feb '08

21 Feb '08

I had configured ldap in server-client I had created the ldif file also and added that file to the ldap database. It was working fine yesterday,but when i started the machine today and when i restarted the ldap service the stopping ldap is always coming failed. When starting ldap is always coming start,when i check by *service ldap status* it is showing slapd is stopped. [root@testnode ~]# service ldap restart Stopping slapd: [*FAILED*] Checking configuration files for slapd: config file testing succeeded Starting slapd: [ *OK * ] [root@testnode ~]# service ldap restart Stopping slapd: [*FAILED*] Checking configuration files for slapd: config file testing succeeded Starting slapd: [ *OK * ] [root@testnode ~]# service ldap restart Stopping slapd: [*FAILED*] Checking configuration files for slapd: config file testing succeeded Starting slapd: [ *OK *] [*root@testnode ~]# service ldap status slapd is stopped [root@testnode ~]# *

1 0

using LDAP as central authentication unit
by Hamidreza Hamedtoolloei 21 Feb '08

21 Feb '08

Hello, I've followed one of the online instructions on how to configure my system to use ldap as the user authentication mechanism. below is partial content of my /etc/pam.d/system.auth file: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so looking at some online resources about how pam works, it seems that unix authentication is being applied first, and only if it fails, ldap authentication is applied. Am I correct here? In other words if all the users are still in /etc/shadow and /etc/passd files.... ldap is NOT being used for authentication. If I delete the users from /etc/passwd... then LDAP is used.... right>? thx, ~Hamid ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

2 2

query regarding user names and passwords
by anish patil 21 Feb '08

21 Feb '08

Hi All, I want to add usr names which are not in ASCII characters using ldapadd command . I tried it on RHEL 4.4 , it giving me following error <error> adding new entry "uid=ああああ,ou=People,dc=avaya,dc=com" ldap_add: Invalid DN syntax (34) additional info: invalid DN </error> Systems locale set:-*LANG=ja_JP.SJIS* i googled it i found this http://www.openldap.org/lists/openldap-software/200308/msg00570.html But this post is in 2003 So i wanted to know is it LDAP's limitation ? Thanks in advance -- Anish Patil

3 5

Red Hat RPMs?
by Gavin Henry 21 Feb '08

21 Feb '08

BTW, has anyone over the history of the "well-known" broken Red Hat RPMs raised bug reports etc. and had any response? I'm not sure what effort has been put into this and whether it's worth picking it up again? As most users first experience of OpenLDAP is via the RH and Fedora RPMs, I think some effort (if it's not a waste of time again) should be put into trying to raise our concerns, as it harms the project in the long run. Currently we have SuSE, Mandriva and Debian guys on the lists who care (you all know who you are ;-) ). Anyone from Red Hat or Fedora here? Thanks. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

5 6

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical