Re: Integration OpenLDAP - MS Active Directory
Veloso Varas, Sebastián (TECH-IT) wrote: I would like to know if any of you. has had experience of integration of AD with LDAP. My idea is to have a core LDAP and AD users consume. Not sure what you really want. If you want simple replication from OpenLDAP to AD this is not possible out-of-the-box. I have a concern would be the root domain and AD ldap.sitio.int eg ad.sitio.int would not? LDAP (sitio.int) --- AD (sitio.int) You're mixing AD and pure LDAPv3 terms here. Probably because with AD the DNS domain name and the LDAP naming context are tightly coupled. Anyway this is the least of the problem. I am implementing this scheme for a unified authentication issue, working through cross-platform and I must be based on an LDAP. What authentication mechanism do you want to use. Simple bind with password? Kerberos (SASL/GSSAPI)? Etc You should really try to explain in more detail what you want to achieve. Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com
Re: More on dynamic group searches
On 05/24/10 03:34 PM, Ian Collins wrote: On 05/24/10 01:11 PM, Howard Chu wrote: What have you done to test it? As the README says, it operates when a write operation occurs that may affect the membership of a given group. Yes it does, I was was using the wrong search (searching on uniqueMember, not member). The README states the member-ad part of the olcAGattrSet is fixed, this appears to be the case as I can't get uniqueMember to work. So, going back to my original problem, is there anyway OpenLDAP can support this search with dynamic/auto groups? filter=((objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company)) attrs=gidNumber autogroup would work if the search were changed to: filter=((objectClass=posixGroup)(member=cn=Admins,ou=groups,o=staff,dc=company)) attrs=gidNumber But I am unable to modify these searches as they are from third party applications which assume group members are identified by uniqueMember rather than member. -- Ian.
Re: use of server-side sorting and virtual list view controls blocks slapd
Hi Dieter! We tried Sizelimit unlimited In slapd.conf, but the effect is the same, slapd answers size limit exceeded. The search request command is /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children -E!sss=sncertnr:2.5.13.3 -E!vlv=0/9/0/1:objectclass=SN-ISIS-MTT-MainCert objectclass=* sncertnr Besides this effect we only have 10 records stored in the LDAP database ;-) For the supported features see the following list: openl...@ocsp-openldap24:~/openldap-snacc-2.3.6/c-lib /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b -s base + # extended LDIF # # LDAPv3 # base with scope baseObject # filter: (objectclass=*) # requesting: + # # dn: structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 entryDN: subschemaSubentry: cn=Subschema # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 The OID 1.3.6.1.4.1.4203.666.8.1 is missing here but this OID is marked as kind of experimental. Why do I need this feature and how can I enable this? Regards, Hartmut
Re: Q: status of component matching?
Am Tue, 25 May 2010 15:51:40 +0200
schrieb Lehnert, Hartmut hartmut.lehn...@secunet.com:
Hi Dieter!
Thank you very much! I used CFLAGS=-DLDAP_COMP_MATCH when configuring
the slapd and now it's able to load our component match module.
But some problems are still left: When running the following LDAP
search command using component matching filter
/home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p
9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children
(userCertificate:componentFilterMatch:=item:{ component
\toBeSigned.serialNumber\, rule integerMatch, value 449 })
against slapd it terminates:
/home/openldap/openldap-2.4.21-install/libexec/slapd: symbol lookup
error:
/home/openldap/openldap-2.4.21-install/libexec/openldap/compmatch.so.0:
undefined symbol: GenBufFreeBuf
In the source code of both snacc and component match module no
definition for function GenBufFreeBuf can be found. Where can I get
it?
The function is called in comp_match/init.c, could you please build
slapd with debugging symbols enabled (-g) and when installing don't
strip, that is 'make install STRIP= ', If possible create a core dump
and run core and slapd in gdb in order to create a backtrace?
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
RE: ppolicy master/slave issue (currently forward ppolicy updates OR authenticate)
Haven't heard anything on this yet...
If someone could point me to some documentation, or better, graphic
illustration, of how OpenLDAP 'works', perhaps I can figure this out on my own.
Thanks,
- chris
-Original Message-
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On
Behalf Of Chris Jacobs
Sent: Thursday, May 06, 2010 11:45 AM
To: openldap-technical@openldap.org
Subject: RE: ppolicy master/slave issue (currently forward ppolicy updates OR
authenticate)
Anyone?
I can't be the only person trying to implement ppolicy_forward_updates and have
user's actually authenticate...
I've been poring over the documentation:
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
http://www.symas.com/blog/?page_id=66
http://www.openldap.org/software/man.cgi?query=slapo-ppolicysektion=5apropos=0manpath=OpenLDAP+2.4-Release
Which indicates: This setting is only useful on a replication consumer, and
also requires the updateref setting and chain overlay to be appropriately
configured.
I tried chain-rebind-as-user and that didn't seem to help (you can see it in
the configs below) - at least, how I tried it. Perhaps I misunderstand
something (I'm hoping at least)
I'm totally at a loss here...
- chris
-Original Message-
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On
Behalf Of Chris Jacobs
Sent: Monday, May 03, 2010 9:07 AM
To: openldap-technical@openldap.org
Subject: RE: ppolicy master/slave issue
Really, I think this comes down to how to:
* ppolicy_forward_updates requiring priviledges
* authentication NOT requiring priviledges
How do I split the two? Let ppolicy forward updates, which requires
priviledges, and NOT specify any authentication while user's are authenticating?
Thanks,
- chris
-Original Message-
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On
Behalf Of Chris Jacobs
Sent: Thursday, April 29, 2010 2:55 PM
To: openldap-technical@openldap.org
Subject: ppolicy master/slave issue
Hello again,
I'm having an odd issue with ppolicy and my master/slave config.
First, my goals
General use:
Slave handles all reads locally.
Writes get forwarded to the master by the slave.
Password policy:
When password failures happen on clients using slave ldap servers, the
failures, etc, get passed to the master to get replicated to the slaves.
I understand this would be done using the ppolicy option:
ppolicy_forward_updates
Authentication:
Actually authenticate (more later).
To the problem:
---
When I leave the section in the chain bit of SLAVE slapd.conf below marked by
lines intact (which bind as root):
* ppolicy_forward_updates seems to work great - the master shows matching
pwdFailureTime attributes.
* Regardless of password entered, you get a shell. User/bad password = get a
shell! This being a problem should be obvious.
I suspect that's due to the chain overlay section...
If I comment out the lines in the SLAVE slapd.conf:
* authentication actually requires authentication (bad password = no
authentication)
* ppolicy_forward_updates don't work (no updates to master)
It's possible that from my description some may already know my issue -
however, just to be sure, I've pasted below 'bare' versions of the:
* a master slapd.conf (sans schema includes)
* a slave slapd.conf (sans schema includes)
* /etc/ldap.conf (using slave)
* /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are
NOT the same)
* /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all
types).
Thanks for any help (and, likely, pointing out any 'stupids' below),
- chris
PS: Feel free to critique - you won't hurt my feelings.
MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
--
serverID1
loglevel0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile/usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
databasebdb
suffix dc=example,dc=net
rootdn cn=root,dc=example,dc=net
rootpw secret
directory /usr/local/var/openldap-data
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
Re: use of server-side sorting and virtual list view controls blocks slapd
Am Tue, 25 May 2010 16:16:52 +0200 hi Hartmut, schrieb Lehnert, Hartmut hartmut.lehn...@secunet.com: Hi Dieter! We tried Sizelimit unlimited Limits have to be defined on both sides server side and client side. In slapd.conf, but the effect is the same, slapd answers size limit exceeded. The search request command is /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children -E!sss=sncertnr:2.5.13.3 -E!vlv=0/9/0/1:objectclass=SN-ISIS-MTT-MainCert objectclass=* sncertnr Is the ordering matching rule caseIgnoreOrderingMatch (oid 2.5.13.3) correct for sncertnr attribute type? Why are you adding objectclass0* to your search string? Besides this effect we only have 10 records stored in the LDAP database ;-) OK, then something weird is happening, could you run slapd in debugging mode? For the supported features see the following list: openl...@ocsp-openldap24:~/openldap-snacc-2.3.6/c-lib /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b -s base + [...] The OID 1.3.6.1.4.1.4203.666.8.1 is missing here but this OID is marked as kind of experimental. Why do I need this feature and how can I enable this? Your search scope is defined as '-s children', the oid of this feature is the above mentioned oid. Your compiled slapd version does not understand -s children, thus applying default setting of -s sub, you probably should apply -s one. -Dieter -- Dieter Klünter | Systemberatung sip: +49.40.20932173 http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
Re: How to obtain a 'version number' of an attributes
Quanah Gibson-Mount wrote: --On Tuesday, May 25, 2010 5:11 AM +0200 masar...@aero.polimi.it wrote: This way, the modification is atomic. As usual, this could be accomplished by stacking an overlay that intercepts modifications to specified attributes, like unicodePwd. Can you formalize this a little bit more? Imagine the possibilities if you could generalize this for uidNumber's too... Maybe I misunderstood the posting but IMHO that's a different use-case: The msDS-KeyVersionNumber is per user entry and AFAICS does not have to be unique across the whole directory. IMO it's not possible to implement a directory-wide whatever-unique-ID generator without a central UID pool entry. Ciao, Michael.
Re: How to obtain a 'version number' of an attributes
Quanah Gibson-Mount wrote: --On Tuesday, May 25, 2010 5:11 AM +0200 masar...@aero.polimi.it wrote: This way, the modification is atomic. As usual, this could be accomplished by stacking an overlay that intercepts modifications to specified attributes, like unicodePwd. Can you formalize this a little bit more? Imagine the possibilities if you could generalize this for uidNumber's too... Maybe I misunderstood the posting but IMHO that's a different use-case: The msDS-KeyVersionNumber is per user entry and AFAICS does not have to be unique across the whole directory. IMO it's not possible to implement a directory-wide whatever-unique-ID generator without a central UID pool entry. Yes, if I understand Quanah's point correctly, what he wants to have is already provided by rfc4525 + rfc4527: increment with pre- or post-read, to atomically increment and read a (central) counter. p.
Summary of dynamic groups
Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. - memberof works well for reverse group management, including group dn in the entries for group members. It only works with DN-values attributes, so it can't be used with clients that expect POSIX group members to be listed by 'memberUid' rather than 'member'. From the above, I don't see a way to use OpenLDAP in an existing environment where dynamic groups are searched for by members and don't list their members with the 'member' attribute. Please tell me I'm wrong (and how)! Thanks, -- Ian.
Re: Summary of dynamic groups
Ian Collins wrote: Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. That's false, you can configure it to use any attribute type. However, uniqueMember is a broken attribute type and should not be used by any LDAP software. - memberof works well for reverse group management, including group dn in the entries for group members. It only works with DN-values attributes, so it can't be used with clients that expect POSIX group members to be listed by 'memberUid' rather than 'member'. POSIX group / memberUid is deprecated, no new LDAP clients should be using it anyway. uniqueMember and memberUid have been discussed at length on these mailing lists before, so I won't elaborate again here. Search the archives for context. From the above, I don't see a way to use OpenLDAP in an existing environment where dynamic groups are searched for by members and don't list their members with the 'member' attribute. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Summary of dynamic groups
On 05/26/10 02:40 PM, Howard Chu wrote: Ian Collins wrote: Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. That's false, you can configure it to use any attribute type. No according to the read me: The value member-ad is the name of the attributeDescription that specifies the member attribute. User modification of this attribute is disabled for consistency. I could only et it to work with 'member'. Even if I specified 'uniqueMember', 'member' was inserted. However, uniqueMember is a broken attribute type and should not be used by any LDAP software. But it is and I'm stuck with supporting third party applications that use it. - memberof works well for reverse group management, including group dn in the entries for group members. It only works with DN-values attributes, so it can't be used with clients that expect POSIX group members to be listed by 'memberUid' rather than 'member'. POSIX group / memberUid is deprecated, no new LDAP clients should be using it anyway. But it is and I'm stuck with supporting old applications that use it. uniqueMember and memberUid have been discussed at length on these mailing lists before, so I won't elaborate again here. Search the archives for context. While I agree with the theory, it doesn't help when adding OpenLDAP into an existing network. -- Ian.
Re: Summary of dynamic groups
Ian Collins wrote: On 05/26/10 02:40 PM, Howard Chu wrote: Ian Collins wrote: Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. That's false, you can configure it to use any attribute type. No according to the read me: The valuemember-ad is the name of the attributeDescription that specifies the member attribute. User modification of this attribute is disabled for consistency. I could only et it to work with 'member'. Even if I specified 'uniqueMember', 'member' was inserted. Then there's something else interfering in your config. There is nothing in the autogroup code that gives preference to the member attribute. It uses the attribute type you configure, and nothing else. Of course, the objectclass you use must also allow the attribute type you chose. The text you quote above merely states that whatever attribute you choose will no longer be user-modifiable; the member list will always contain only the dynamically-generated values. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
