Re: Integration OpenLDAP - MS Active Directory
Veloso Varas, Sebastián (TECH-IT) wrote: I would like to know if any of you. has had experience of integration of AD with LDAP. My idea is to have a core LDAP and AD users consume. Not sure what you really want. If you want simple replication from OpenLDAP to AD this is not possible out-of-the-box. I have a concern would be the root domain and AD ldap.sitio.int eg ad.sitio.int would not? LDAP (sitio.int) --- AD (sitio.int) You're mixing AD and pure LDAPv3 terms here. Probably because with AD the DNS domain name and the LDAP naming context are tightly coupled. Anyway this is the least of the problem. I am implementing this scheme for a unified authentication issue, working through cross-platform and I must be based on an LDAP. What authentication mechanism do you want to use. Simple bind with password? Kerberos (SASL/GSSAPI)? Etc You should really try to explain in more detail what you want to achieve. Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com
Re: More on dynamic group searches
On 05/24/10 03:34 PM, Ian Collins wrote: On 05/24/10 01:11 PM, Howard Chu wrote: What have you done to test it? As the README says, it operates when a write operation occurs that may affect the membership of a given group. Yes it does, I was was using the wrong search (searching on uniqueMember, not member). The README states the member-ad part of the olcAGattrSet is fixed, this appears to be the case as I can't get uniqueMember to work. So, going back to my original problem, is there anyway OpenLDAP can support this search with dynamic/auto groups? filter=((objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company)) attrs=gidNumber autogroup would work if the search were changed to: filter=((objectClass=posixGroup)(member=cn=Admins,ou=groups,o=staff,dc=company)) attrs=gidNumber But I am unable to modify these searches as they are from third party applications which assume group members are identified by uniqueMember rather than member. -- Ian.
Re: use of server-side sorting and virtual list view controls blocks slapd
Hi Dieter! We tried Sizelimit unlimited In slapd.conf, but the effect is the same, slapd answers size limit exceeded. The search request command is /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children -E!sss=sncertnr:2.5.13.3 -E!vlv=0/9/0/1:objectclass=SN-ISIS-MTT-MainCert objectclass=* sncertnr Besides this effect we only have 10 records stored in the LDAP database ;-) For the supported features see the following list: openl...@ocsp-openldap24:~/openldap-snacc-2.3.6/c-lib /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b -s base + # extended LDIF # # LDAPv3 # base with scope baseObject # filter: (objectclass=*) # requesting: + # # dn: structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 entryDN: subschemaSubentry: cn=Subschema # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 The OID 1.3.6.1.4.1.4203.666.8.1 is missing here but this OID is marked as kind of experimental. Why do I need this feature and how can I enable this? Regards, Hartmut
Re: Q: status of component matching?
Am Tue, 25 May 2010 15:51:40 +0200 schrieb Lehnert, Hartmut hartmut.lehn...@secunet.com: Hi Dieter! Thank you very much! I used CFLAGS=-DLDAP_COMP_MATCH when configuring the slapd and now it's able to load our component match module. But some problems are still left: When running the following LDAP search command using component matching filter /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children (userCertificate:componentFilterMatch:=item:{ component \toBeSigned.serialNumber\, rule integerMatch, value 449 }) against slapd it terminates: /home/openldap/openldap-2.4.21-install/libexec/slapd: symbol lookup error: /home/openldap/openldap-2.4.21-install/libexec/openldap/compmatch.so.0: undefined symbol: GenBufFreeBuf In the source code of both snacc and component match module no definition for function GenBufFreeBuf can be found. Where can I get it? The function is called in comp_match/init.c, could you please build slapd with debugging symbols enabled (-g) and when installing don't strip, that is 'make install STRIP= ', If possible create a core dump and run core and slapd in gdb in order to create a backtrace? -Dieter -- Dieter Klünter | Systemberatung sip: +49.40.20932173 http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
RE: ppolicy master/slave issue (currently forward ppolicy updates OR authenticate)
Haven't heard anything on this yet... If someone could point me to some documentation, or better, graphic illustration, of how OpenLDAP 'works', perhaps I can figure this out on my own. Thanks, - chris -Original Message- From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Thursday, May 06, 2010 11:45 AM To: openldap-technical@openldap.org Subject: RE: ppolicy master/slave issue (currently forward ppolicy updates OR authenticate) Anyone? I can't be the only person trying to implement ppolicy_forward_updates and have user's actually authenticate... I've been poring over the documentation: http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies http://www.symas.com/blog/?page_id=66 http://www.openldap.org/software/man.cgi?query=slapo-ppolicysektion=5apropos=0manpath=OpenLDAP+2.4-Release Which indicates: This setting is only useful on a replication consumer, and also requires the updateref setting and chain overlay to be appropriately configured. I tried chain-rebind-as-user and that didn't seem to help (you can see it in the configs below) - at least, how I tried it. Perhaps I misunderstand something (I'm hoping at least) I'm totally at a loss here... - chris -Original Message- From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Monday, May 03, 2010 9:07 AM To: openldap-technical@openldap.org Subject: RE: ppolicy master/slave issue Really, I think this comes down to how to: * ppolicy_forward_updates requiring priviledges * authentication NOT requiring priviledges How do I split the two? Let ppolicy forward updates, which requires priviledges, and NOT specify any authentication while user's are authenticating? Thanks, - chris -Original Message- From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Thursday, April 29, 2010 2:55 PM To: openldap-technical@openldap.org Subject: ppolicy master/slave issue Hello again, I'm having an odd issue with ppolicy and my master/slave config. First, my goals General use: Slave handles all reads locally. Writes get forwarded to the master by the slave. Password policy: When password failures happen on clients using slave ldap servers, the failures, etc, get passed to the master to get replicated to the slaves. I understand this would be done using the ppolicy option: ppolicy_forward_updates Authentication: Actually authenticate (more later). To the problem: --- When I leave the section in the chain bit of SLAVE slapd.conf below marked by lines intact (which bind as root): * ppolicy_forward_updates seems to work great - the master shows matching pwdFailureTime attributes. * Regardless of password entered, you get a shell. User/bad password = get a shell! This being a problem should be obvious. I suspect that's due to the chain overlay section... If I comment out the lines in the SLAVE slapd.conf: * authentication actually requires authentication (bad password = no authentication) * ppolicy_forward_updates don't work (no updates to master) It's possible that from my description some may already know my issue - however, just to be sure, I've pasted below 'bare' versions of the: * a master slapd.conf (sans schema includes) * a slave slapd.conf (sans schema includes) * /etc/ldap.conf (using slave) * /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are NOT the same) * /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all types). Thanks for any help (and, likely, pointing out any 'stupids' below), - chris PS: Feel free to critique - you won't hurt my feelings. MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over) -- serverID1 loglevel0 pidfile /usr/local/var/openldap-data/run/slapd.pid argsfile/usr/local/var/openldap-data/run/slapd.args TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile/etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/servercrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem TLSVerifyClient never password-hash {MD5} sizelimit size.soft=500 size.hard=unlimited timelimit time.soft=3600 time.soft=unlimited databasebdb suffix dc=example,dc=net rootdn cn=root,dc=example,dc=net rootpw secret directory /usr/local/var/openldap-data include /etc/openldap/slapd.access.conf index uid,cn,gidNumber,uidNumber,memberUid eq index objectClass pres,eq index operatingSystem pres,eq index host pres,eq
Re: use of server-side sorting and virtual list view controls blocks slapd
Am Tue, 25 May 2010 16:16:52 +0200 hi Hartmut, schrieb Lehnert, Hartmut hartmut.lehn...@secunet.com: Hi Dieter! We tried Sizelimit unlimited Limits have to be defined on both sides server side and client side. In slapd.conf, but the effect is the same, slapd answers size limit exceeded. The search request command is /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children -E!sss=sncertnr:2.5.13.3 -E!vlv=0/9/0/1:objectclass=SN-ISIS-MTT-MainCert objectclass=* sncertnr Is the ordering matching rule caseIgnoreOrderingMatch (oid 2.5.13.3) correct for sncertnr attribute type? Why are you adding objectclass0* to your search string? Besides this effect we only have 10 records stored in the LDAP database ;-) OK, then something weird is happening, could you run slapd in debugging mode? For the supported features see the following list: openl...@ocsp-openldap24:~/openldap-snacc-2.3.6/c-lib /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b -s base + [...] The OID 1.3.6.1.4.1.4203.666.8.1 is missing here but this OID is marked as kind of experimental. Why do I need this feature and how can I enable this? Your search scope is defined as '-s children', the oid of this feature is the above mentioned oid. Your compiled slapd version does not understand -s children, thus applying default setting of -s sub, you probably should apply -s one. -Dieter -- Dieter Klünter | Systemberatung sip: +49.40.20932173 http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
Re: How to obtain a 'version number' of an attributes
Quanah Gibson-Mount wrote: --On Tuesday, May 25, 2010 5:11 AM +0200 masar...@aero.polimi.it wrote: This way, the modification is atomic. As usual, this could be accomplished by stacking an overlay that intercepts modifications to specified attributes, like unicodePwd. Can you formalize this a little bit more? Imagine the possibilities if you could generalize this for uidNumber's too... Maybe I misunderstood the posting but IMHO that's a different use-case: The msDS-KeyVersionNumber is per user entry and AFAICS does not have to be unique across the whole directory. IMO it's not possible to implement a directory-wide whatever-unique-ID generator without a central UID pool entry. Ciao, Michael.
Re: How to obtain a 'version number' of an attributes
Quanah Gibson-Mount wrote: --On Tuesday, May 25, 2010 5:11 AM +0200 masar...@aero.polimi.it wrote: This way, the modification is atomic. As usual, this could be accomplished by stacking an overlay that intercepts modifications to specified attributes, like unicodePwd. Can you formalize this a little bit more? Imagine the possibilities if you could generalize this for uidNumber's too... Maybe I misunderstood the posting but IMHO that's a different use-case: The msDS-KeyVersionNumber is per user entry and AFAICS does not have to be unique across the whole directory. IMO it's not possible to implement a directory-wide whatever-unique-ID generator without a central UID pool entry. Yes, if I understand Quanah's point correctly, what he wants to have is already provided by rfc4525 + rfc4527: increment with pre- or post-read, to atomically increment and read a (central) counter. p.
Summary of dynamic groups
Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. - memberof works well for reverse group management, including group dn in the entries for group members. It only works with DN-values attributes, so it can't be used with clients that expect POSIX group members to be listed by 'memberUid' rather than 'member'. From the above, I don't see a way to use OpenLDAP in an existing environment where dynamic groups are searched for by members and don't list their members with the 'member' attribute. Please tell me I'm wrong (and how)! Thanks, -- Ian.
Re: Summary of dynamic groups
Ian Collins wrote: Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. That's false, you can configure it to use any attribute type. However, uniqueMember is a broken attribute type and should not be used by any LDAP software. - memberof works well for reverse group management, including group dn in the entries for group members. It only works with DN-values attributes, so it can't be used with clients that expect POSIX group members to be listed by 'memberUid' rather than 'member'. POSIX group / memberUid is deprecated, no new LDAP clients should be using it anyway. uniqueMember and memberUid have been discussed at length on these mailing lists before, so I won't elaborate again here. Search the archives for context. From the above, I don't see a way to use OpenLDAP in an existing environment where dynamic groups are searched for by members and don't list their members with the 'member' attribute. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Summary of dynamic groups
On 05/26/10 02:40 PM, Howard Chu wrote: Ian Collins wrote: Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. That's false, you can configure it to use any attribute type. No according to the read me: The value member-ad is the name of the attributeDescription that specifies the member attribute. User modification of this attribute is disabled for consistency. I could only et it to work with 'member'. Even if I specified 'uniqueMember', 'member' was inserted. However, uniqueMember is a broken attribute type and should not be used by any LDAP software. But it is and I'm stuck with supporting third party applications that use it. - memberof works well for reverse group management, including group dn in the entries for group members. It only works with DN-values attributes, so it can't be used with clients that expect POSIX group members to be listed by 'memberUid' rather than 'member'. POSIX group / memberUid is deprecated, no new LDAP clients should be using it anyway. But it is and I'm stuck with supporting old applications that use it. uniqueMember and memberUid have been discussed at length on these mailing lists before, so I won't elaborate again here. Search the archives for context. While I agree with the theory, it doesn't help when adding OpenLDAP into an existing network. -- Ian.
Re: Summary of dynamic groups
Ian Collins wrote: On 05/26/10 02:40 PM, Howard Chu wrote: Ian Collins wrote: Hello again, My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations. My current understanding is as follows: There are three overlays that can use yes to manage groups dynamically: dynlist, autogroup and memberof. - dynlist works well for including members specified in a URL to the result of a search on a group. The dynamic members can not be included in a search filter. - autogroup works well for including members specified in a URL to the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use. That's false, you can configure it to use any attribute type. No according to the read me: The valuemember-ad is the name of the attributeDescription that specifies the member attribute. User modification of this attribute is disabled for consistency. I could only et it to work with 'member'. Even if I specified 'uniqueMember', 'member' was inserted. Then there's something else interfering in your config. There is nothing in the autogroup code that gives preference to the member attribute. It uses the attribute type you configure, and nothing else. Of course, the objectclass you use must also allow the attribute type you chose. The text you quote above merely states that whatever attribute you choose will no longer be user-modifiable; the member list will always contain only the dynamically-generated values. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/