Interdomain authentication
Hello everyone. Could someone tell me if there is a way to configure an OpenLDAP client to look for an entry in the local database and, if this entry does not exist, have the server perform the query on another remote server? I used the chain module for this purpose, but even if the entry exists in the local base, the query is fired to the remote server. I need the server to only look at the external base in case the entry does not exist in the local base.

The goal is to build a scenario for inter-domain user authentication: a user in subdomain dc=subdomain-A,dc=domain can authenticate through dc=subdomain-B,dc=domain.

I thought at first of replicating the data of subdomain A to subdomain B and vice versa, but I believe it would be more interesting for the server to be able to perform the query directly on the external server.

Does anyone have an idea?

Thank you.

luizmarcelo
Re: PROBLEM: can't use SASL to authenticate openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:
> 3. Then I configure the slapd.conf to be like this:
>
>     authz-policy to
>     sasl-regexp ^uid=([^,]+),.* uid=$1,cn=bjims31,cn=digest-md5,cn=auth
>
>     database bdb
>     suffix dc=example,dc=com
>     rootdn uid=111,cn=digest-md5,cn=auth
>
> 4. Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:
>
>     pwcheck_method: auxprop
>     auxprop_plugin: sasldb
>     mech_list: plain login ntlm cram-md5 digest-md5
>
> 5. Then I start slapd with command 'slapd -d 1', and run ldapwhoami with command
> 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389', but it fails with reason:
> user not found: no secret in database. The log of slapd is:
>
>     slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>     dnNormalize: uid=liji1,cn=DIGEST-MD5,cn=auth
>     dnNormalize: uid=liji1,cn=digest-md5,cn=auth
>     ==slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
>     slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
>     SASL [conn=1] Failure: no secret in database

It's not clear which user credentials are being retrieved from sasldb. Is it uid=liji1,cn=digest-md5,cn=auth or liji1?

You could increase your cyrus debugging to get more information out of syslog. Add an:

    auth.debug...

to your syslog configuration, and add this to your /usr/lib/sasl2/slapd.conf:

    log_level: 7

--
Dan White
Re: What DN (user name) I should use for connecting to ldap server?
Chris Jacobs wrote:

Sam,

You need to specify a DN (that has at least read access). It could be a DN within the scope of the server, or the root/manager/etc DNs specified in your slapd.conf (which would give you write access). For example, use the rootdn entry from your slapd.conf:

    rootdn cn=root,dc=example,dc=net

Remember: you /may/ have several accounts with the same name in your LDAP tree - so you need to specify /exactly/ which one. For example, in our implementation, we have subtrees used for authentication for specific systems - and there are CNs that are the same between them and the 'default' user branches. If someone who should have rights to one of the subtrees wants to connect, they can - but they have to specify a DN they know the creds to, and the Base DN they want to use as a base:

    DN: cn=DevMgr,dc=dev,dc=subtree,dc=example,dc=net
    Base DN: dc=dev,dc=subtree,dc=example,dc=net

That DN is granted full rights to the tree based at 'Base DN'. It might seem annoying, but 'root' doesn't mean anything specific. Use the full DN.

- chris

-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org On Behalf Of sam
Sent: Monday, June 21, 2010 6:42 AM
To: openldap-technical@openldap.org
Subject: What DN (user name) I should use for connecting to ldap server?

> Hi,
>
> I have an ldap server started up in freebsd. I tried to test it with Apache Directory Studio. When I open a New Connection in the Studio, it asks for User name. I entered root as user name, then go for the connection... However I got the following error message in the ldap log file:
>
>     Jun 21 23:14:51 hometest slapd[2417]: conn=1005 fd=11 ACCEPT from IP=192.168.1.100:57297 (IP=192.168.1.20:389)
>     Jun 21 23:14:51 hometest slapd[2417]: conn=1005 op=0 do_bind: invalid dn (root)
>     Jun 21 23:14:51 hometest slapd[2417]: conn=1005 op=0 RESULT tag=97 err=34 text=invalid DN
>     Jun 21 23:14:51 hometest slapd[2417]: conn=1005 fd=11 closed (connection lost)
>
> What value of DN should I enter in the ldap browser (Apache Directory Studio) in order to connect to the ldap server? I have ldap listening on the following ports:
>
>     hometest:openldap # netstat -an | egrep '389|636'
>     tcp4  0  0  192.168.1.20.636  *.*  LISTEN
>     tcp4  0  0  192.168.1.20.389  *.*  LISTEN
>
> Your help is much appreciated
>
> Thanks
> Sam

That works, I use cn=Manager,dc=ip6,dc=com,dc=au as defined in my slapd.conf. Thanks for everyone's great help.

Sam.
Uniqueness of RID; changing RID
Dear Folks,

I am trying to improve my understanding of the RID before making many large deployments of syncrepl.

My understanding is that the replica ID (RID) is unique within one level of a

    [provider] --> [consumer], [consumer], ...

relationship. Here, an arrow --> represents replication of one directory tree from provider to consumers, commas represent consumers at the same level, all replicating from the same provider, and the square brackets [...] represent one machine.

1. If there is a relationship like this, where at least one machine acts simultaneously as consumer and provider

       [provider] --> [consumer+provider] --> [consumer], [consumer], ...

   does the RID need to be unique within all these consumers at all levels in the propagation of replication?

2. What are the consequences of changing the RID on a consumer? Would this inevitably require a dump and restore? Is the RID stored in the data? Where is it stored, besides in the consumer's syncrepl configuration?

--
Nick Urbanik http://nicku.org 808-71011 nick.urba...@optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.
Copying trees from one consumer to another
Dear Folks,

With slurpd, copying a tree from one slave to another was like this:

1. stop slapd on both slaves.
2. netcat the directory across from one slave to the other.
3. stop slurpd on master
4. edit slurpd.status to make the time and replication number match by copying that for the source to that for the destination slave.
5. start everything back up.

My question with syncrepl is: How do I copy the database for a tree from one consumer to another consumer (of the same producer) so that the newly copied replica knows where its replication should continue from?

Is the state for replication of the database stored in the contextCSN of the suffix entry?

If so, does that mean that with syncrepl, the above operation is reduced to the following three steps?

1. Stop slapd on both consumers.
2. Netcat the database from one to the other.
3. start both consumers.

--
Nick Urbanik http://nicku.org 808-71011 nick.urba...@optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.
Configuring slapd.conf-less OpenLDAP
I'm trying to get OpenLDAP up and running on Fedora (12) using the cn=config-based configuration. I've changed /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif to point to my domain:

    olcSuffix: dc=endoframe,dc=net
    olcRootDN: cn=Manager,dc=endoframe,dc=net

And I've added:

    olcRootPW: [slappasswd output]

However, I haven't had any luck using this password:

    # ldapadd -x -D cn=Manager,dc=endoframe,dc=net -W -f Manager.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

Is there some other way I should be specifying the password?

--
Braden McDaniel bra...@endoframe.com
Re: Simple question about LDAP and web authentication.
Check this out :) http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

On Tue, Jun 22, 2010 at 01:37, Bryan Boone v_1bb...@yahoo.com wrote:
> Hi everyone. I am a noob to LDAP and I have a question.
>
> I am on a team that is building a special server. This server will be running linux with an apache web server with PHP, and apache is running a special website that we designed. I need to have the website be able to query LDAP servers for web authentication. So when a user connects to this special web server, they are prompted for a user name and password. Then I want to have the website check the LDAP server to make sure that the user is indeed a user of the website on our special server. So in a sense our special server will be an LDAP client.
>
> So my question is??? Is an LDAP client to be run as a Daemon or service? Is this what OpenLDAP provides? Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication?
>
> Basically all I need is...
>
> The user brings up the web page.
> The user enters in the user name and password.
> The server uses PHP or C to check to see if the entered information matches an LDAP server.
> The web grants or denies access.
> The LDAP server connection is closed.
>
> No other actions or information from the LDAP server is needed.
>
> Do I have the right idea?
>
> thanks
>
> --
> To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
Re: Interdomain authentication
On 22/06/2010 02:09, Luiz Marcelo wrote:
> Hello everyone. Could someone tell me if there is a way to configure an OpenLDAP client to look for an entry in the local database and, if this entry does not exist, have the server perform the query on another remote server? I used the chain module for this purpose, but even if the entry exists in the local base, the query is fired to the remote server. I need the server to only look at the external base in case the entry does not exist in the local base.
>
> The goal is to build a scenario for inter-domain user authentication: a user in subdomain dc=subdomain-A,dc=domain can authenticate through dc=subdomain-B,dc=domain.
>
> I thought at first of replicating the data of subdomain A to subdomain B and vice versa, but I believe it would be more interesting for the server to be able to perform the query directly on the external server.
>
> Does anyone have an idea?

Re-routing a search to another server if it returned no results on the local server is not easily configurable, AFAIK. However, you could achieve this result by using a different setup: a proxy server that forwards requests to two servers (one per subdomain). A recent post on this list discussed this: http://www.openldap.org/lists/openldap-technical/201006/msg00225.html

Jonathan

--
Jonathan Clarke - jonat...@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
Re: Simple question about LDAP and web authentication.
On 22/06/2010 01:37, Bryan Boone wrote:
> Hi everyone. I am a noob to LDAP and I have a question.
>
> I am on a team that is building a special server. This server will be running linux with an apache web server with PHP, and apache is running a special website that we designed. I need to have the website be able to query LDAP servers for web authentication. So when a user connects to this special web server, they are prompted for a user name and password. Then I want to have the website check the LDAP server to make sure that the user is indeed a user of the website on our special server. So in a sense our special server will be an LDAP client.
>
> So my question is??? Is an LDAP client to be run as a Daemon or service? Is this what OpenLDAP provides? Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication?
>
> Basically all I need is...
>
> The user brings up the web page.
> The user enters in the user name and password.
> The server uses PHP or C to check to see if the entered information matches an LDAP server.
> The web grants or denies access.
> The LDAP server connection is closed.
>
> No other actions or information from the LDAP server is needed.
>
> Do I have the right idea?

Apache does all this for you. See: http://httpd.apache.org/docs/2.1/mod/mod_authnz_ldap.html

Jonathan

--
Jonathan Clarke - jonat...@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
Re: Simple question about LDAP and web authentication.
Bryan,

Bryan Boone wrote on 22.06.2010 at 01:37:
> So my question is??? Is an LDAP client to be run as a Daemon or service? Is this what OpenLDAP provides? Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication?

Just search the web for php ldap. It is pretty basic (if you have the openldap server up and running for authentication).

> Basically all I need is...
>
> The user brings up the web page.
> The user enters in the user name and password.
> The server uses PHP or C to check to see if the entered information matches an LDAP server.

This is ldap bind.

Marc
Re: Uniqueness of RID; changing RID
Nick Urbanik wrote:
> Dear Folks,
>
> I am trying to improve my understanding of the RID before making many large deployments of syncrepl.
>
> My understanding is that the replica ID (RID) is unique within one level of a
>
>     [provider] --> [consumer], [consumer], ...
>
> relationship.

That is not what the documentation says. Where did you get this understanding?

An RID is just a unique tag within a single slapd.conf or slapd.d. Its only purpose is to provide an unambiguous ID that can be referenced from the slapd -c option. That's all.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Can't start ldap or can't create ldap database.
Chris Jacobs chris.jac...@apollogrp.edu writes:
> It's merely reminding you that you might want to have one. Put a blank file in your BDB directory with that name. It's purely a BDB thing - nothing to do with OpenLDAP. There are articles 'out there' on what might go in the file, but in many cases you don't need to tune anything - seriously.
>
> Caveat: I'm no expert.

If you are happy with a 256 Kb cache size you don't need any settings, as this is the BerkeleyDB default setting. But most people do have more than a few entries in the database.

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID: 8EF7B6C6
Re: Copying trees from one consumer to another
--On Tuesday, June 22, 2010 12:24 PM +1000 Nick Urbanik nick.urba...@optusnet.com.au wrote:

> If so, does that mean that with syncrepl, the above operation is reduced to the following three steps?
>
> 1. Stop slapd on both consumers.
> 2. Netcat the database from one to the other.
> 3. start both consumers.

The officially supported method is slapcat/slapadd. But as long as your architecture is the same, yes, the above steps are fine, although I use scp rather than netcat to copy the db. You failed to note running db_recover before copying the databases, which I would recommend (to force writing out any pending data in the BDB env).

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Uniqueness of RID; changing RID
--On Tuesday, June 22, 2010 12:00 PM +1000 Nick Urbanik nick.urba...@optusnet.com.au wrote:

> Dear Folks,
>
> I am trying to improve my understanding of the RID before making many large deployments of syncrepl.

The RID uniquely identifies a syncrepl stanza inside the replica for a given database. If you have more than one syncrepl statement in a replica's configuration, they must all have a unique rid. Other replicas and consumers know nothing of the RID inside a different replica's setup. In most of my setups, I have a single syncrepl stanza on the replicas, so I use the same RID on all of them.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Copying trees from one consumer to another
Nick,

I've done this a number of times - Dev on an 'in production' ldap infrastructure. I've managed to get the boxes out of sync a number of times.

1. Stop slapd.
2. Delete the contents of the db dir
3. Copy a db-config into it.
4. Startup slapd.

The full tree is replicated pretty quickly. Try it out, you'll see. It takes less than half a minute to replicate a tree with approx 800 entries (very rough estimate) even on slaves in AZ and masters in WA.

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jac...@apollogrp.edu

----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org
To: openldap-technical@openldap.org
Sent: Mon Jun 21 19:24:05 2010
Subject: Copying trees from one consumer to another

> Dear Folks,
>
> With slurpd, copying a tree from one slave to another was like this:
>
> 1. stop slapd on both slaves.
> 2. netcat the directory across from one slave to the other.
> 3. stop slurpd on master
> 4. edit slurpd.status to make the time and replication number match by copying that for the source to that for the destination slave.
> 5. start everything back up.
>
> My question with syncrepl is: How do I copy the database for a tree from one consumer to another consumer (of the same producer) so that the newly copied replica knows where its replication should continue from?
>
> Is the state for replication of the database stored in the contextCSN of the suffix entry?
>
> If so, does that mean that with syncrepl, the above operation is reduced to the following three steps?
>
> 1. Stop slapd on both consumers.
> 2. Netcat the database from one to the other.
> 3. start both consumers.
>
> --
> Nick Urbanik http://nicku.org 808-71011 nick.urba...@optusnet.com.au
> GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
> I disclaim, therefore I am.
Re: Copying trees from one consumer to another
Hi,

On 22/06/2010 04:24, Nick Urbanik wrote:
> Dear Folks,
>
> With slurpd, copying a tree from one slave to another was like this:
>
> 1. stop slapd on both slaves.
> 2. netcat the directory across from one slave to the other.
> 3. stop slurpd on master
> 4. edit slurpd.status to make the time and replication number match by copying that for the source to that for the destination slave.
> 5. start everything back up.
>
> My question with syncrepl is: How do I copy the database for a tree from one consumer to another consumer (of the same producer) so that the newly copied replica knows where its replication should continue from?

In general, I avoid copying database files directly (I assume you're talking about the BDB files from a bdb/hdb backend). However, it can be useful to copy over an LDIF file output by slapcat to speed up a consumer's initial synchronization with its provider.

> Is the state for replication of the database stored in the contextCSN of the suffix entry?

Yes.

> If so, does that mean that with syncrepl, the above operation is reduced to the following three steps?
>
> 1. Stop slapd on both consumers.
> 2. Netcat the database from one to the other.
> 3. start both consumers.

That would probably work, yes. I would instead recommend doing a slapcat on one consumer, copying over the file to the second consumer, slapadd, then starting that consumer.

Jonathan

--
Jonathan Clarke - jonat...@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
Re: Regression failure on openldap-2.4.21 stable (test058-syncrepl-asymmetric)
Quanah Gibson-Mount wrote:
> The point of this exit message is that this test is currently known to fail, and failure should be ignored.
>
> --Quanah

Okay, thanks. This was the output on our i386 build host, so I just went to cross-check against our amd64 build host and I am also seeing some random failures in test043, e.g.

    Starting test043-delta-syncrepl for bdb...
    running defines.sh
    Starting producer slapd on TCP/IP port 9011...
    Using ldapsearch to check that producer slapd is running...
    Waiting 5 seconds for slapd to start...
    Using ldapadd to create the context prefix entries in the producer...
    Starting consumer slapd on TCP/IP port 9012...
    Using ldapsearch to check that consumer slapd is running...
    Waiting 5 seconds for slapd to start...
    Using ldapadd to populate the producer directory...
    Waiting 7 seconds for syncrepl to receive changes...
    Stopping the provider, sleeping 10 seconds and restarting it...
    Using ldapsearch to check that producer slapd is running...
    Waiting 5 seconds for slapd to start...
    Waiting 5 seconds for slapd to start...
    Waiting 5 seconds for slapd to start...
    Waiting 5 seconds for slapd to start...
    Waiting 5 seconds for slapd to start...
    Waiting 5 seconds for slapd to start...
    ldapsearch failed (255)!
    /home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/tests/scripts/test043-delta-syncrepl: line 156: kill: (30144) - No such process
    /home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/tests/scripts/test043-delta-syncrepl failed for bdb (exit 255)
    make[3]: *** [bdb-mod] Error 255
    make[3]: Leaving directory `/home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/debian/build/tests'
    make[2]: *** [test] Error 2
    make[2]: Leaving directory `/home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/debian/build/tests'
    make[1]: *** [test] Error 2
    make[1]: Leaving directory `/home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/debian/build'
    make: *** [build-stamp] Error 2
    dpkg-buildpackage: error: debian/rules build gave error exit status 2
    bu...@lenny-amd64-build:~/deb/openldap/2.4.21/openldap_2.4.21.orig$ cd debian/build/tests/
    bu...@lenny-amd64-build:~/deb/openldap/2.4.21/openldap_2.4.21.orig/debian/build/tests$ ./run test043-delta-syncrepl
    Cleaning up test run directory leftover from previous run.
    Running /home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/tests/scripts/test043-delta-syncrepl for bdb...
    running defines.sh
    Starting producer slapd on TCP/IP port 9011...
    Using ldapsearch to check that producer slapd is running...
    Waiting 5 seconds for slapd to start...
    Using ldapadd to create the context prefix entries in the producer...
    Starting consumer slapd on TCP/IP port 9012...
    Using ldapsearch to check that consumer slapd is running...
    Using ldapadd to populate the producer directory...
    Waiting 7 seconds for syncrepl to receive changes...
    Stopping the provider, sleeping 10 seconds and restarting it...
    Using ldapsearch to check that producer slapd is running...
    Using ldapmodify to modify producer directory...
    Waiting 7 seconds for syncrepl to receive changes...
    Stopping consumer to test recovery...
    Modifying more entries on the producer...
    Restarting consumer...
    Waiting 7 seconds for syncrepl to receive changes...
    Try updating the consumer slapd...
    Waiting 7 seconds for syncrepl to receive changes...
    Using ldapsearch to read all the entries from the producer...
    Using ldapsearch to read all the entries from the consumer...
    Filtering producer results...
    Filtering consumer results...
    Comparing retrieved entries from producer and consumer...
    Test succeeded

ATB,

Mark.

--
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063
Sirius Labs: http://www.siriusit.co.uk/labs
Re: Regression failure on openldap-2.4.21 stable (test058-syncrepl-asymmetric)
--On Tuesday, June 22, 2010 5:24 PM +0100 Mark Cave-Ayland mark.cave-ayl...@siriusit.co.uk wrote:

> Quanah Gibson-Mount wrote:
>> The point of this exit message is that this test is currently known to fail, and failure should be ignored.
>>
>> --Quanah
>
> Okay, thanks. This was the output on our i386 build host, so I just went to cross-check against our amd64 build host and I am also seeing some random failures in test043, e.g.
>
>     Starting test043-delta-syncrepl for bdb...
>     [...]
>     Stopping the provider, sleeping 10 seconds and restarting it...
>     Using ldapsearch to check that producer slapd is running...
>     Waiting 5 seconds for slapd to start...
>     Waiting 5 seconds for slapd to start...
>     Waiting 5 seconds for slapd to start...
>     Waiting 5 seconds for slapd to start...
>     Waiting 5 seconds for slapd to start...
>     Waiting 5 seconds for slapd to start...
>     ldapsearch failed (255)!
>     /home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/tests/scripts/test043-delta-syncrepl: line 156: kill: (30144) - No such process

Can you reliably reproduce it using the run script? I.e.,

    ./run -b backend -l 500 test043

would run the test 500 times using the specified backend.

Your output suggests that slapd didn't start, but you don't provide anything from the slapd.1.log in the testrun directory, so there is no saying why, or if simply the script didn't allow enough time for it to start up on your system.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
RE: Simple question about LDAP and web authentication.
Bryan,

Frankly though, I wonder if OpenLDAP is the right solution for your problem (see OpenID or perhaps just something simple set up in MySQL - [encrypt those passwords!] - which you're likely using /anyway/), but moving on...

Apache has pretty good LDAP support - I use it to control access to our Subversion repo base:

    <Location /svn>
        DAV svn
        SVNParentPath /svn
        SVNIndexXSLT /svnindex.xsl
        SVNListParentPath On
        SVNReposName "Subversion Repository"
        SVNAutoversioning On

        AuthType Basic
        AuthName "Subversion Repository"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off
        AuthLDAPURL ldaps://ldap-vip.corp.example.net:636/DC=example,DC=net?uid?sub?(objectClass=*)
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        require ldap-group CN=repos,OU=groups,DC=example,DC=net
    </Location>

(I have further defined groups/access for each repo underneath /svn)

But this is starting to step Off Topic - this is just Apache + SVN (via DAV). I'm fairly certain PHP's level of support would be about the same if not better. Once you've got OpenLDAP up and running and can do basic stuff via ldapsearch/ldapadd/etc, then move on to getting PHP code to work.

Good luck!

- chris

PS: http://php.about.com/od/finishedphp1/ss/php_login_code.htm has a decent article that would seem to apply. It doesn't use ldap in any flavor, but if this user db will only be used by PHP, then it would seem appropriate.

-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org On Behalf Of Buchan Milne
Sent: Tuesday, June 22, 2010 1:19 AM
To: openldap-technical@openldap.org
Cc: Bryan Boone
Subject: Re: Simple question about LDAP and web authentication.

> On Tuesday, 22 June 2010 00:37:41 Bryan Boone wrote:
>> Hi everyone. I am a noob to LDAP and I have a question.
>>
>> I am on a team that is building a special server. This server will be running linux with an apache web server with PHP, and apache is running a special website that we designed. I need to have the website be able to query LDAP servers for web authentication. So when a user connects to this special web server, they are prompted for a user name and password. Then I want to have the website check the LDAP server to make sure that the user is indeed a user of the website on our special server. So in a sense our special server will be an LDAP client.
>>
>> So my question is??? Is an LDAP client to be run as a Daemon or service?
>
> No daemon is necessary.
>
>> Is this what OpenLDAP provides?
>
> OpenLDAP provides libraries, a server, and some commandline client utilities.
>
>> Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication?
>
> Yes, you can use php_ldap or similar, or you can have your application rely on the web server to do the authentication. Apache has an authentication module for LDAP.
>
>> Basically all I need is...
>>
>> The user brings up the web page.
>> The user enters in the user name and password.
>> The server uses PHP or C to check to see if the entered information matches an LDAP server.
>> The web grants or denies access.
>> The LDAP server connection is closed.
>>
>> No other actions or information from the LDAP server is needed.
>
> Well, you said you need to make sure that the user is indeed a user of the website. Are all users in the LDAP directory users of the website? If not, you may need a little bit more ...
>
> Regards,
> Buchan
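The bind flow Marc and Buchan describe (look the username up to get its DN, then bind as that DN with the submitted password), as an added Python example that is not code from any poster, from Apache or from php_ldap. It assumes a python-ldap style connection object with search_s() and simple_bind_s(); FakeDirectory and its two users are constructed so the module runs offline, and the two checks that matter for a web login (RFC 4515 filter escaping and refusing an empty password) are the point.

```python
"""Web login by LDAP bind: look up the DN, then bind with the submitted password.

Two checks a PHP or C implementation must get right are made explicit here:
  * the username is escaped per RFC 4515 before it goes into the search
    filter, so it cannot widen or rewrite the query (an unescaped '*' would
    match every uid);
  * an empty password is rejected up front, because a simple bind with a DN
    and an empty password is an *unauthenticated* bind (RFC 4513 section
    5.1.2) that servers accept without an error, so it would look like a
    successful login for any existing username.
authenticate() takes any object offering python-ldap style search_s() and
simple_bind_s(); FakeDirectory is a constructed in-memory stand-in, not a
real server, and its cleartext passwords are sample data.
"""
import re
from typing import Optional

SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE in python-ldap

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape the characters that have meaning in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value(); used only by the fake server below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_filter(username: str) -> str:
    """Filter that selects exactly one uid; the value is data, never syntax."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


class FakeDirectory:
    """Constructed stand-in for a python-ldap connection; not a real server."""

    def __init__(self, entries: dict):
        self.entries = entries  # dn -> {"uid": [...], "userPassword": [...]}

    def search_s(self, base: str, scope: int, filterstr: str, attrlist=None):
        # Only the uid assertion is evaluated. A raw '*' is the wildcard a real
        # server would honour; an escaped \2a is a literal asterisk.
        m = re.search(r"\(uid=([^)]*)\)", filterstr)
        if m is None:
            return []
        pieces = [re.escape(unescape_filter_value(p)) for p in m.group(1).split("*")]
        pattern = re.compile("^" + ".*".join(pieces) + "$")
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.endswith(base) and any(pattern.match(u) for u in attrs["uid"])]

    def simple_bind_s(self, who: str, cred: str) -> str:
        if cred == "":
            return "anonymous"  # RFC 4513 5.1.2: no error, but no identity either
        if self.entries.get(who, {}).get("userPassword", [None])[0] != cred:
            raise PermissionError("Invalid credentials (49)")
        return "authenticated"


def authenticate(conn, base_dn: str, username: str, password: str) -> Optional[str]:
    """Return the bound DN on success, None otherwise; never raises for bad input."""
    if not username or not password:
        return None  # an empty password must never reach simple_bind_s()
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, user_filter(username), ["uid"])
    if len(hits) != 1:
        return None  # unknown user, or ambiguous (several entries matched)
    dn = hits[0][0]
    try:
        conn.simple_bind_s(dn, password)
    except PermissionError:
        return None
    return dn


SAMPLE = FakeDirectory({  # constructed sample data
    "uid=alice,ou=People,dc=example,dc=net": {"uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=People,dc=example,dc=net": {"uid": ["bob"], "userPassword": ["bob-pw"]},
})
BASE = "dc=example,dc=net"

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("alice", "nope"), ("alice", ""), ("*", "alice-pw")):
        print(f"{user!r:8} {pw!r:12} -> {authenticate(SAMPLE, BASE, user, pw)}")
```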
Re: PROBLEM: can't use SASL to authenticate openldap client
Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:
> Hi,
>
> I tried again with following steps:
>
>     dn: uid=admin,ou=People,o=Ever
>     objectClass: top
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: inetOrgPerson
>     userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
>
> [...]
>
> 4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
> 5. ./ldapsearch -U admin -Y DIGEST-MD5
>
> [...]

You have the attribute value for userPassword hashed with SHA, that is, the password hash has a length of 32bit. SASL requires a plain text password in order to create a challenge; a challenge based on a 32bit string is different from a challenge based on a plain text password string.

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID: 8EF7B6C6
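The mechanics behind Dieter's point, as an added Python example that is not the poster's or OpenLDAP's code: it carries out the DIGEST-MD5 (RFC 2831) response computation on both sides of a bind and shows that the server can only repeat it from a cleartext userPassword or from the stored H(user:realm:password) "secret" that sasldb keeps, never from a one-way {SHA} hash. The username, realm, nonces and the password "secret" are constructed values (that password happens to reproduce the {SHA} value in the posted LDIF).

```python
"""DIGEST-MD5 needs the password itself (or H(user:realm:password)), not a {SHA} hash."""
import base64
import hashlib
from typing import Optional


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only per-user secret DIGEST-MD5 requires.
    This 16-byte value is what sasldb stores; slapd can derive it on the fly
    only when userPassword holds the cleartext password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 section 2.1.2.1 response-value for qop=auth.

    A1 = secret ":" nonce ":" cnonce           (secret is the raw 16-byte hash)
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(H( HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)) ))
    """
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def sha_userpassword(password: str) -> str:
    """Encode a password the way slappasswd -h {SHA} does: base64 of SHA-1."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def sha_userpassword_matches(stored: str, candidate: str) -> bool:
    """{SHA} verification is one-way: it needs a cleartext candidate as input."""
    return stored.startswith("{SHA}") and sha_userpassword(candidate) == stored


def secret_from_userpassword(stored: str, username: str, realm: str) -> Optional[bytes]:
    """What a server can derive for DIGEST-MD5 from a userPassword value.

    Only a cleartext value yields the secret. Any {SCHEME}-prefixed hash cannot
    be turned back into it, which is the situation behind "no secret in
    database" when the LDIF carried a {SHA} password.
    """
    if stored.startswith("{"):
        return None
    return digest_md5_secret(username, realm, stored)


def server_verifies(stored_userpassword: str, username: str, realm: str,
                    nonce: str, cnonce: str, nc: str, digest_uri: str,
                    client_response: str) -> bool:
    """Server side: recompute the response and compare, if a secret is available."""
    secret = secret_from_userpassword(stored_userpassword, username, realm)
    if secret is None:
        return False
    return digest_md5_response(secret, nonce, cnonce, nc, digest_uri) == client_response


if __name__ == "__main__":
    # Constructed exchange: the client side always has the cleartext password.
    user, realm, password = "admin", "Ever", "secret"
    nonce, cnonce, nc, uri = "c2VydmVyTm9uY2U=", "Y2xpZW50Tm9uY2U=", "00000001", "ldap/localhost"
    response = digest_md5_response(digest_md5_secret(user, realm, password),
                                   nonce, cnonce, nc, uri)
    for stored in (password, sha_userpassword(password)):
        ok = server_verifies(stored, user, realm, nonce, cnonce, nc, uri, response)
        print(f"userPassword={stored!r:40} DIGEST-MD5 bind {'succeeds' if ok else 'fails'}")
```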