Hello, as administrator user could have a read-only
2009/4/4 openldap-technical-request@openldap.org
Send openldap-technical mailing list submissions to openldap-technical@openldap.org
Today's Topics:
- smbk5pwd for openldap 2.3 (Daniel Spannbauer)
- Unable to auth on replica (Marcio Merlone)
- How to Secure openLdap nss_ldap (Matthew.GARRETT@external.total.com)
- TLS/Certificate Problem Openldap (Steffen Knauf)
Message: 1
Date: Thu, 02 Apr 2009 12:02:17 +0200
From: Daniel Spannbauer ds@marco.de
Subject: smbk5pwd for openldap 2.3
To: openldap-technical@openldap.org
Message-ID: 49D48D29.5010809@marco.de
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Hello,
I'm using the distro opensuse 10.2. I'm missing the module smbk5pwd. Can I build this module for openldap 2.3?
Regards
Daniel
--
Daniel Spannbauer
Software Entwicklung
marco Systemanalyse und Entwicklung GmbH
Tel +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen
Mobil +49 171 4033220
http://www.marco.de/ Email ds@marco.de
Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München
Message: 2
Date: Thu, 02 Apr 2009 09:10:32 -0300
From: Marcio Merlone marcio.merlone@a1.ind.br
Subject: Unable to auth on replica
To: OpenLDAP openldap-technical@openldap.org
Message-ID: 49D4AB38.7070403@a1.ind.br
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hello,
I have set two Ubuntu 8.04 servers running OpenLDAP 2.4.9-0ubuntu0.8.04.2. I have set replication as per the docs. On the slave, I start with an empty /var/lib/ldap, and when I start the replica the dir is populated with the files, I am able to anon search, etc. Great, except my clients are able to auth on the provider but not on the replica.
Both provider and consumer have the same ACLs, and the diff from one conf to the other is:
--- slapd.conf 2009-04-02 09:04:42.000000000 -0300 +++ slapd.conf.replica 2009-04-02 09:05:47.000000000 -0300 @@ -60,19 +61,13 @@ # 'database' directive occurs database hdb
-overlay syncprov -syncprov-checkpoint 100 10 -syncprov-sessionlog 100
-# Let the replica DN have limitless searches -limits dn.exact="cn=syncrepl,dc=a1,dc=ind" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
# The base of your directory in database #1 suffix "dc=a1,dc=ind"
# rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. -# rootdn "cn=admin,dc=a1,dc=ind" +rootdn "cn=admin,dc=a1,dc=ind"
# Where the database file are physically stored for database #1 directory "/var/lib/ldap" @@ -112,6 +108,21 @@ # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog
+syncrepl rid=3
- provider=ldap://192.168.0.201:389
- type=refreshAndPersist
- interval=01:00:00:00
- searchbase="dc=a1,dc=ind"
- scope=sub
- schemachecking=off
- bindmethod=simple
- binddn="cn=syncrepl,dc=a1,dc=ind"
- credentials=xxxxx
+# updateref ldap://192.168.0.201:389
# The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the
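Review bot: the syncrepl stanza binds as cn=syncrepl,dc=a1,dc=ind, and that DN must be able to read userPassword on the provider, otherwise the attribute is left out of the replicated entries and simple binds fail on the consumer while anonymous searches still work; the ACL comment that closes this hunk ("Others should not be able to see it, except the ...") is where to check, e.g. add `by dn.exact="cn=syncrepl,dc=a1,dc=ind" read` to the provider's `access to attrs=userPassword` directive ahead of its `by * none` line, then let the consumer refresh. Two smaller points in the same stanza: `interval=01:00:00:00` only applies to refreshOnly and is ignored with `type=refreshAndPersist`, and `updateref` is left commented out, so a write sent to the consumer (a password change, for instance) fails instead of being referred to the provider. The `credentials=` value sits in cleartext in slapd.conf, so that file should be readable by the slapd user only.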
Any idea on what could be wrong? Thanks in advance for any hint or help.
-- Marcio Merlone
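One way to confirm the symptom described above (entries replicated, but without userPassword) is to diff LDIF dumps taken on both servers. This is an added example, not code from the thread; the two dumps are constructed inline and the hash value is a placeholder.

```python
# Added example, not from the thread: compare LDIF dumps (slapcat, or
# ldapsearch -LLL as the rootdn) from provider and consumer and list entries
# that replicated without userPassword, the symptom seen when the syncrepl
# binddn has no read access to that attribute on the provider.
import base64

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles '::' base64 and folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = {}, None
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr == "dn":
            attrs = entries[value] = {}        # start a new entry
        elif attrs is not None and attr and not attr.startswith("#"):
            attrs.setdefault(attr, []).append(value)
    return entries

def replication_gaps(provider_ldif, consumer_ldif, attr="userPassword"):
    """Return (dns absent on the consumer, dns present but lacking `attr`)."""
    prov, cons = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    missing = sorted(dn for dn in prov if dn not in cons)
    stripped = sorted(dn for dn, a in prov.items()
                      if attr in a and dn in cons and attr not in cons[dn])
    return missing, stripped

# Constructed sample dumps; the hash is a placeholder, not a real password.
_PW = base64.b64encode(b"{SSHA}placeholder-hash").decode()
PROVIDER_LDIF = f"""dn: uid=alice,ou=people,dc=a1,dc=ind
uid: alice
userPassword:: {_PW}

dn: uid=bob,ou=people,dc=a1,dc=ind
uid: bob
userPassword:: {_PW}
"""
# Consumer copy: alice arrived without userPassword, bob never arrived at all.
CONSUMER_LDIF = PROVIDER_LDIF.split("dn: uid=bob")[0].replace(
    f"userPassword:: {_PW}\n", "")
```

Running `replication_gaps(PROVIDER_LDIF, CONSUMER_LDIF)` on the sample reports bob as missing and alice as stripped of userPassword; on real dumps, any DN in the second list points at the provider ACL for that attribute.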
Message: 3
Date: Thu, 2 Apr 2009 14:43:12 +0100
From: Matthew.GARRETT@external.total.com
Subject: How to Secure openLdap nss_ldap
To: openldap-technical@openldap.org
Message-ID: < OF428EEFBC.05C17E8A-ON8025758C.004897FD-8025758C.004B5DD3@total.com>
Content-Type: text/plain; charset="utf-8"
Folks
Not sure if this is the right list?
I have a new OpenLDAP (version 2.3) server that uses Kerberos for password authentication, which is going to be a replacement for NIS (YP). All normal access works fine and users can log in, access automount maps etc.
However there are 2 types of LDAP binding:
Simple TLS
At the moment anybody can run the following: ldapsearch -x
I would like to try and disable simple binding, but if I select "disallow bind_anon" in the slapd.conf file things start to break, like authentication stops working. /var/log/messages:
Apr 1 15:42:15 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication)
Apr 1 15:42:18 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication)
Apr 1 15:42:25 apricot sudo[31515]: pam_ldap: ldap_result Can't contact LDAP server
How do I get a machine to authenticate to LDAP?
I think the problem lies with nss_ldap? When I add the following line to /etc/ldap.conf
ssl start_tls
I start to get the following errors:
Apr 2 14:09:11 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Apr 2 14:09:15 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Apr 2 14:09:18 bruce nscd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Apr 2 14:27:06 bruce sshd: pam_ldap: ldap_starttls_s: Operations error
Apr 2 14:27:06 bruce sshd(pam_unix)[11233]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apricot.uk.ad.ep.corp.local user=mgarrett
Apr 2 14:27:06 bruce sshd[11233]: pam_krb5[11233]: authentication succeeds for'mgarrett' (mgarrett@UK.AD.EP.CORP.LOCAL)
/etc/ldap.conf:
base dc=unix,dc=total
bind_timelimit 120
idle_timelimit 3600
ldap_version 3
pam_password md5
scope sub
ssl start_tls
timelimit 120
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
Can anybody point me in the right direction?
Thanks
Matthew
Server is RedHat 5.3 Clients are RedHat 4.7
Copy of slapd.conf:
pwcheck_method: saslauthd
mech_list: gssapi
sizelimit unlimited
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/krb5-kdc.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapd.pem
TLSCertificateKeyFile /etc/openldap/slapd.key
## security - other directives
## prevents anonymous access to
## any connection
#disallow bind_anon
## forces a bind operation before DIT access
#require bind
## Use of reads on ldaps only port forces use
## of TLS/SSL but not a minimum value
## this directive forces a minimum value
#security simple_bind=128
sasl-secprops noanonymous,noplain,noactive
# Map SASL authentication DNs to LDAP DNs
# This leaves "username/admin" principals untouched
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=unix,dc=total
# This should be a ^ plus, not a star, but slapd won't accept it
# Default read access for everything else except anonymous users who have no access but does not work. !
access to * by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by * read
#by anonymous none
Matthew Garrett
Senior IS Technical Analyst
Tel: 01224 297889 Fax: 01224 296806
Email: Matthew.Garrett@total.com
Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG
Registered in England and Wales No.811900 Registered Office 33 Cavendish Square, London W1G 0PW
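The interaction Matthew runs into (turning on `disallow bind_anon` breaks nss_ldap, because the client never binds with a DN) can be checked from the two config files alone. The script below is an added example, not a reply from the list: it reads the directives as posted and flags the combinations that matter here, then shows a constructed hardened pair in which nss_ldap gets a dedicated proxy DN (cn=nssproxy is a placeholder name) so anonymous binds can be turned off on the server.

```python
# Added example, not from the thread: audit the posted /etc/ldap.conf and
# slapd.conf fragments for the settings this question is about.

def parse_directives(text):
    """Map lowercase directive name -> list of values, skipping comments."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            found.setdefault(key.lower(), []).append(value.strip())
    return found

def audit(ldap_conf, slapd_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    c, s = parse_directives(ldap_conf), parse_directives(slapd_conf)
    out = []
    if c.get("tls_checkpeer", ["no"])[0].lower() != "yes":
        out.append("client: tls_checkpeer is not 'yes', STARTTLS server certificate is not verified")
    if "binddn" not in c and "rootbinddn" not in c:
        out.append("client: no binddn/rootbinddn, nss_ldap binds anonymously and breaks under 'disallow bind_anon'")
    if "bind_anon" not in " ".join(s.get("disallow", [])):
        out.append("server: anonymous binds are allowed (no 'disallow bind_anon')")
    if "bind" not in " ".join(s.get("require", [])):
        out.append("server: no 'require bind', unauthenticated DIT access is possible")
    if not any(v.startswith(("ssf=", "simple_bind=")) for v in s.get("security", [])):
        out.append("server: no 'security ssf=/simple_bind=' floor, plaintext simple binds accepted")
    return out

# As posted in the thread (commented-out directives stay commented and do not count).
LDAP_CONF_POSTED = """base dc=unix,dc=total
ssl start_tls
tls_checkpeer no
"""
SLAPD_CONF_POSTED = """allow bind_v2
#disallow bind_anon
#require bind
#security simple_bind=128
"""
# Constructed hardened pair. bindpw in ldap.conf is readable by every local
# user, so cn=nssproxy must be granted only the reads NSS needs (no userPassword).
LDAP_CONF_HARDENED = """base dc=unix,dc=total
ssl start_tls
tls_checkpeer yes
binddn cn=nssproxy,dc=unix,dc=total
bindpw PLACEHOLDER-proxy-password
"""
SLAPD_CONF_HARDENED = """disallow bind_anon
require bind
security simple_bind=128
"""
```

`audit(LDAP_CONF_POSTED, SLAPD_CONF_POSTED)` returns five findings for the posted files and nothing for the hardened pair; pam_ldap on the same clients still needs its STARTTLS session to reach the simple_bind SSF floor once that directive is uncommented.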