Re: bindpw in SSHA/MD5/CRYPT/...
On Tuesday 26 October 2010, 10:49:09, Frederic Hornain wrote:
> Dear all,
>
> For a few weeks already I have been searching for a means to have an
> encrypted bindpw password in /etc/ldap.conf on my Fedora Linux LDAP
> client. OK, I have perfectly understood that a simple bind requires
> that the client has the *cleartext* password. Nonetheless, it seems
> there exists a SASL method which could permit this functionality
> without using Kerberos.

AFAIK the only SASL mechanism that nss_ldap supports is GSSAPI, which in
the end means Kerberos.

> - http://www.openldap.org/lists/openldap-technical/200809/msg00145.html
> - If someone could give me a hand on that, I would appreciate it.

It seems you are reading something wrong into that thread. It only points
out that a cleartext password, or something equivalent like a Kerberos
keytab or client certificate + key (if nss_ldap supported that), is needed.

Ralf
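Since the client has to hold the bind secret in cleartext, the practical control is where it lives and who can read it. An added example, not from this thread: the script below audits an nss_ldap/pam_ldap client for the exposed case. It assumes the classic PADL nss_ldap keywords (binddn/bindpw in the world-readable ldap.conf, or rootbinddn with the password kept in a separate root-only ldap.secret, mode 0600); the sample configs it writes are constructed for the demonstration and the file paths are parameters.

```python
"""Audit an nss_ldap/pam_ldap client for a bind password local users can read.

Added example, not part of the mailing-list thread. Assumes the classic PADL
nss_ldap keywords: binddn/bindpw in ldap.conf, and rootbinddn with the
password kept in a separate secret file (ldap.secret) that only root should
be able to read. The configs written by build_samples() are constructed.
"""
import os
import re
import stat
import tempfile

BIND_KEYWORD = re.compile(r"^\s*(binddn|bindpw|rootbinddn)\s+(\S.*)$", re.I)


def parse_ldap_conf(path):
    """Return {keyword: value} for the bind-related keywords in an ldap.conf."""
    found = {}
    with open(path) as fh:
        for line in fh:
            m = BIND_KEYWORD.match(line)
            if m:
                found[m.group(1).lower()] = m.group(2).strip()
    return found


def group_or_world_readable(path):
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_client(conf_path, secret_path):
    """Return a list of findings; an empty list means no exposed bind secret."""
    findings = []
    conf = parse_ldap_conf(conf_path)
    if "bindpw" in conf:
        # Every process that resolves users reads ldap.conf, so it has to stay
        # readable by everyone; a bindpw in it is therefore readable by everyone.
        findings.append("bindpw is set in %s, which every local user can read" % conf_path)
    if "rootbinddn" in conf:
        if not os.path.exists(secret_path):
            findings.append("rootbinddn is set but %s is missing; root lookups cannot use it"
                            % secret_path)
        elif group_or_world_readable(secret_path):
            findings.append("%s is readable by group/other; it should be mode 0600"
                            % secret_path)
    return findings


def build_samples():
    """Write constructed sample configs into a temp dir and return their paths."""
    d = tempfile.mkdtemp(prefix="ldapconf-")
    bad_conf = os.path.join(d, "ldap.conf.bad")
    good_conf = os.path.join(d, "ldap.conf.good")
    tight_secret = os.path.join(d, "ldap.secret")
    loose_secret = os.path.join(d, "ldap.secret.loose")
    with open(bad_conf, "w") as fh:       # cleartext password in the world-readable file
        fh.write("base dc=example,dc=com\n"
                 "binddn cn=nssproxy,dc=example,dc=com\n"
                 "bindpw hunter2\n")
    with open(good_conf, "w") as fh:      # password moved to the root-only secret file
        fh.write("base dc=example,dc=com\n"
                 "rootbinddn cn=nssproxy,dc=example,dc=com\n")
    for path, mode in ((tight_secret, 0o600), (loose_secret, 0o644)):
        with open(path, "w") as fh:
            fh.write("hunter2\n")
        os.chmod(path, mode)
    return bad_conf, good_conf, tight_secret, loose_secret


if __name__ == "__main__":
    bad, good, tight, loose = build_samples()
    for conf, secret in ((bad, tight), (good, tight), (good, loose)):
        print(conf, "+", secret)
        for finding in audit_client(conf, secret) or ["OK"]:
            print("   ", finding)
```

Note that rootbinddn only helps for lookups made by root (the shadow lookups PAM needs); unprivileged processes still bind anonymously or with whatever binddn/bindpw is in ldap.conf, so the server-side ACLs must be written on that assumption.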
Re: AIX as openldap client
>> Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
>> Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
>>
>> Is this important?
>
> Yes, because either nis.schema or rfc2307bis.schema is missing.

I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with

objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson

I can log in to my test Linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error

3004-007 You entered an invalid login name or password.

As for the password, this is stored in plain text when I add the user. Before I can log in to the Linux server, I have to change it with passwd, and after that the password is encrypted with {crypt} and I can log in to the Linux client:

userPassword: {crypt}$1$./

Can this be the problem? I don't know what encryption AIX expects.

Stef
uniqueMember attribute is not suffixmassaged if attribute is not mapped and changed
Hi.

My configuration is like this:

database meta
suffix ou=a,dc=c,dc=b
uri ldap://host:port/ou=a,dc=c,dc=b;
suffixmassage ou=a,dc=c,dc=b dc=a,dc=b
...

This works fine in everything else, but the uniqueMembers of groupOfUniqueNames do not get rewritten (they are still in the dc=a,dc=b domain). If I however add a mapping

map objectClass groupOfNames groupOfUniqueNames
map attribute member uniqueMember

then the member attributes are correctly rewritten. The problem of course is that I do not want to change the objectclass. Mapping the attribute to itself does not help either. So

map objectClass groupOfUniqueNames *
map attribute uniqueMember *

does not have any effect. I must have missed something crucial in the documentation. Can someone please tell me what it is and how I can get uniqueMembers rewritten without changing the objectclass?

OpenLDAP version is 2.4.11 for both the real and the meta server.

BR,
Jari-Pekka Arvo
Re: AIX as openldap client
try

chuser SYSTEM=LDAP registry=LDAP [USER]

Kind regards

Howard ALLISON
Pensionsversicherungsanstalt
Rechenzentrumsbetrieb
A-1021 Wien, Friedrich-Hillegeist-Straße 1
E-Mail: howard.alli...@pva.sozvers.at
Internet: www.pensionsversicherung.at

Stef Coene stef.co...@docum.org wrote on 27.10.2010 10:37:08:

> I can log in to my test Linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error
>
> 3004-007 You entered an invalid login name or password.
Re: AIX as openldap client
Stef Coene stef.co...@docum.org writes:

>>> Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
>>> Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
>>>
>>> Is this important?
>>
>> Yes, because either nis.schema or rfc2307bis.schema is missing.
>
> I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with

You may load either nis.schema or rfc2307bis.schema, but not both. It depends on your PAM requirements which one to load.

> objectClass: aixAuxAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
>
> I can log in to my test Linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error
>
> 3004-007 You entered an invalid login name or password.
>
> As for the password, this is stored in plain text when I add the user. Before I can log in to the Linux server, I have to change it with passwd, and after that the password is encrypted with {crypt} and I can log in to the Linux client:
>
> userPassword: {crypt}$1$./
>
> Can this be the problem? I don't know what encryption AIX expects.

With regard to crypt, see http://www.openldap.org/faq/data/cache/344.html

For more hashing algorithms see password-hash in slapd.conf(5), and pam_password in /etc/ldap.conf.

-Dieter

--
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
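The underlying problem in this thread is that the user was added with a cleartext userPassword, which only became a hash once passwd went through slapd's password-hash setting. An added example, not from the thread: the code below produces and verifies {SSHA} values with the layout slappasswd and slapd's password-hash {SSHA} use (base64 of SHA-1(password || salt) followed by the salt), and scans a slapcat-style LDIF export for userPassword values stored with no {SCHEME} prefix, so an audit can catch entries like the one above before users are told to "just change their password". The LDIF it reads is constructed sample data.

```python
"""{SSHA} hashing as slapd does it, plus a cleartext-userPassword audit for LDIF.

Added example, not from the mailing-list thread. The {SSHA} layout is the one
slappasswd/slapd produce: base64(SHA1(password + salt) + salt). The LDIF below
is constructed sample data, not an export from anyone's directory.
"""
import base64
import hashlib
import hmac
import os
import re

SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password, salt=None):
    """Return a {SSHA} userPassword value; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against a {SSHA} value (constant-time digest compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def password_scheme(value):
    """Return the {SCHEME} name of a userPassword value, or 'cleartext'."""
    m = SCHEME.match(value)
    return m.group(1).upper() if m else "cleartext"


def ldif_entries(text):
    """Minimal LDIF reader returning [(dn, [(attr, value), ...]), ...].

    Handles '::' base64 values and leading-space continuation lines; blank
    lines separate entries, '#' lines are comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines + [""]:                  # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif dn is not None:
            attrs.append((name, value))
    return entries


def find_cleartext_passwords(ldif_text):
    """Return DNs whose userPassword is stored without a {SCHEME} prefix."""
    hits = []
    for dn, attrs in ldif_entries(ldif_text):
        for name, value in attrs:
            if name.lower() == "userpassword" and password_scheme(value) == "cleartext":
                hits.append(dn)
    return hits


def sample_ldif():
    """Constructed slapcat-style export: one cleartext, one crypt, one SSHA."""
    carol = base64.b64encode(ssha_hash(b"carol-pw", b"\x01\x02\x03\x04").encode()).decode()
    return (
        "dn: uid=alice,ou=people,dc=example,dc=com\n"
        "objectClass: posixAccount\n"
        "uid: alice\n"
        "userPassword: secret123\n"            # cleartext, as after a plain ldapadd
        "\n"
        "dn: uid=bob,ou=people,dc=example,dc=com\n"
        "objectClass: posixAccount\n"
        "uid: bob\n"
        "userPassword: {crypt}$1$saltsalt$notarealhash0000000000\n"   # constructed
        "\n"
        "dn: uid=carol,ou=people,dc=example,dc=com\n"
        "objectClass: posixAccount\n"
        "uid: carol\n"
        "userPassword:: " + carol + "\n"        # base64-wrapped, as slapcat emits it
    )


SAMPLE_LDIF = sample_ldif()

if __name__ == "__main__":
    print("cleartext userPassword in:", find_cleartext_passwords(SAMPLE_LDIF))
    print("new value for alice:", ssha_hash(b"secret123"))
```

Setting password-hash on the server only covers passwords changed through the Password Modify extended operation; a userPassword value supplied verbatim in an ldapadd/ldapmodify is stored as given, which is exactly what the audit above looks for.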
Re: uniqueMember attribute is not suffixmassaged if attribute is not mapped and changed
Arvo Jari-Pekka wrote:
> Hi.
>
> My configuration is like this:
>
> database meta
> suffix ou=a,dc=c,dc=b
> uri ldap://host:port/ou=a,dc=c,dc=b;
> suffixmassage ou=a,dc=c,dc=b dc=a,dc=b
> ...
>
> This works fine in everything else, but the uniqueMembers of groupOfUniqueNames do not get rewritten (they are still in the dc=a,dc=b domain). If I however add a mapping
>
> map objectClass groupOfNames groupOfUniqueNames
> map attribute member uniqueMember
>
> then the member attributes are correctly rewritten. The problem of course is that I do not want to change the objectclass. Mapping the attribute to itself does not help either. So
>
> map objectClass groupOfUniqueNames *
> map attribute uniqueMember *
>
> does not have any effect. I must have missed something crucial in the documentation. Can someone please tell me what it is and how I can get uniqueMembers rewritten without changing the objectclass?
>
> OpenLDAP version is 2.4.11 for both the real and the meta server.

uniqueMember does not have DN syntax; only attributes with DN syntax are mapped. You should have used groupOfNames/member instead of groupOfUniqueNames/uniqueMember.

p.
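To make the distinction concrete, here is an added example (not from the thread, and not slapd's code) that applies a suffix massage to an entry the way the exchange above describes: the entry DN and values of attributes known to be DN syntax are rewritten, while uniqueMember, whose syntax is Name And Optional UID (a DN optionally followed by "#'...'B"), is left alone unless the caller asks for the extra handling. The suffixes and the group entry are constructed, and the attribute-to-syntax tables are assumptions for the demo, since slapd takes that information from the loaded schema.

```python
"""Suffix massage applied per attribute syntax, as an added example.

Not from the thread and not slapd's implementation. It rewrites the entry DN
and DN-syntax attribute values, and only touches uniqueMember (Name And
Optional UID syntax) when explicitly asked to. The entry, suffixes and the
two attribute tables are constructed for the demonstration.
"""

# Assumption for the demo: slapd derives these from the schema, not a table.
DN_SYNTAX_ATTRS = {"member", "owner", "seealso", "manager"}
NAME_AND_UID_ATTRS = {"uniquemember"}


def dn_components(dn):
    """Split a DN on unescaped commas (no support for quoted RDN values)."""
    comps, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    comps.append("".join(cur))
    return comps


def massage_dn(dn, old_suffix, new_suffix):
    """Replace old_suffix at the end of dn with new_suffix.

    Matches whole RDNs, case-insensitively, so dc=a,dc=bx or a DN under a
    different naming context comes back unchanged."""
    comps = dn_components(dn)
    old = dn_components(old_suffix)
    if len(comps) < len(old):
        return dn
    cut = len(comps) - len(old)
    if [c.strip().lower() for c in comps[cut:]] != [c.strip().lower() for c in old]:
        return dn
    head = comps[:cut]
    return ",".join(head + [new_suffix]) if head else new_suffix


def massage_name_and_uid(value, old_suffix, new_suffix):
    """Rewrite a Name And Optional UID value, preserving any "#'0101'B" tail."""
    dn, sep, uid = value.rpartition("#")
    if sep and uid.startswith("'") and uid.endswith("'B"):
        return massage_dn(dn, old_suffix, new_suffix) + "#" + uid
    return massage_dn(value, old_suffix, new_suffix)


def massage_entry(dn, attrs, old_suffix, new_suffix, rewrite_name_and_uid=False):
    """Rewrite an entry as it comes back from the real server.

    Returns (new_dn, new_attrs). With rewrite_name_and_uid=False this is the
    behaviour described in the thread: uniqueMember stays in the real suffix."""
    out = {}
    for attr, values in attrs.items():
        key = attr.lower()
        if key in DN_SYNTAX_ATTRS:
            out[attr] = [massage_dn(v, old_suffix, new_suffix) for v in values]
        elif key in NAME_AND_UID_ATTRS and rewrite_name_and_uid:
            out[attr] = [massage_name_and_uid(v, old_suffix, new_suffix) for v in values]
        else:
            out[attr] = list(values)
    return massage_dn(dn, old_suffix, new_suffix), out


# Constructed sample: real naming context dc=a,dc=b, presented as ou=a,dc=c,dc=b.
REAL_SUFFIX, VIRTUAL_SUFFIX = "dc=a,dc=b", "ou=a,dc=c,dc=b"
GROUP_DN = "cn=admins,ou=groups,dc=a,dc=b"
GROUP = {
    "objectClass": ["groupOfUniqueNames"],
    "cn": ["admins"],
    # member is included only to contrast the two syntaxes in one entry
    "member": ["uid=alice,ou=people,dc=a,dc=b", "uid=ext,dc=other,dc=org"],
    "uniqueMember": ["uid=bob,ou=people,DC=A,DC=B#'0101'B",
                     "uid=carol,ou=people,dc=a,dc=b"],
}

if __name__ == "__main__":
    for flag in (False, True):
        new_dn, new_attrs = massage_entry(GROUP_DN, GROUP, REAL_SUFFIX, VIRTUAL_SUFFIX, flag)
        print("rewrite_name_and_uid=%s -> %s" % (flag, new_dn))
        for attr in ("member", "uniqueMember"):
            print("  %s: %s" % (attr, new_attrs[attr]))
```

Running it with rewrite_name_and_uid=False shows the symptom from the question (member rewritten, uniqueMember still under dc=a,dc=b); the True case shows what a rewrite of that syntax has to preserve, namely the optional bit-string after the DN.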
Re: AIX as openldap client
On Wednesday 27 October 2010, Dieter Kluenter wrote:
> Stef Coene stef.co...@docum.org writes:
>
>>>> Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
>>>> Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
>>>>
>>>> Is this important?
>>>
>>> Yes, because either nis.schema or rfc2307bis.schema is missing.
>>
>> I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with
>
> You may load either nis.schema or rfc2307bis.schema, but not both. It depends on your PAM requirements which one to load.

I created a rfc2307bis.ldif from the rfc2307bis.schema file. If I load the rfc2307bis.ldif without nis.ldif, I get an error:

additional info: olcObjectClasses: AttributeType not found: gecos

So I think rfc2307bis depends on nis...

Stef
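The load error quoted above is slapd refusing a schema whose object classes reference an attribute type that nothing loaded so far defines. An added example, not from the thread: the checker below walks the attributetype/objectclass definitions in a .schema file, collects every name they reference in SUP, MUST and MAY, and reports the ones that are neither defined in that file nor passed in as already loaded, so the gap shows up before slapd is restarted. The schema text it parses is a constructed excerpt; the two names it deliberately leaves undefined (gecos, loginShell) stand in for the kind of missing definition that produces "AttributeType not found: gecos".

```python
"""Report names a slapd .schema file references but does not define.

Added example, not from the mailing-list thread. definitions() walks
attributetype/objectclass blocks honouring nested parentheses; unresolved()
lists SUP/MUST/MAY references that are neither defined in the file nor in the
sets of already-loaded names the caller passes in. SAMPLE_SCHEMA is constructed.
"""
import re

DEF_KEYWORD = re.compile(r"\b(attributetype|objectclass)\s*\(", re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")


def definitions(text):
    """Yield (kind, body) for each definition; '#' comment lines are dropped.

    Parentheses inside quoted strings (DESC 'a (b)') do not affect nesting."""
    src = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    pos = 0
    while True:
        m = DEF_KEYWORD.search(src, pos)
        if not m:
            return
        depth, quoted, i = 1, False, m.end()
        while depth and i < len(src):
            ch = src[i]
            if ch == "'":
                quoted = not quoted
            elif not quoted and ch == "(":
                depth += 1
            elif not quoted and ch == ")":
                depth -= 1
            i += 1
        yield m.group(1).lower(), src[m.end():i - 1]
        pos = i


def names(body):
    """All NAME aliases of a definition (NAME 'x' or NAME ( 'x' 'y' ))."""
    m = NAME_RE.search(body)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1)]
    return re.findall(r"'([^']*)'", m.group(2))


def refs_of(body, keywords):
    """Names listed after the given keywords, e.g. MUST ( cn $ uid ) or SUP top."""
    pat = re.compile(r"\b(%s)\s+(?:\(([^)]*)\)|'?([\w.;-]+)'?)" % "|".join(keywords))
    out = set()
    for m in pat.finditer(body):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        out.update(t.strip().strip("'") for t in raw.split("$") if t.strip())
    return out


def unresolved(text, known_attributes=(), known_objectclasses=()):
    """Return (definition, 'attribute'|'objectclass', missing_name) triples."""
    attrs = {a.lower() for a in known_attributes}
    classes = {c.lower() for c in known_objectclasses}
    defs = list(definitions(text))
    for kind, body in defs:                       # pass 1: what the file defines
        (attrs if kind == "attributetype" else classes).update(n.lower() for n in names(body))
    problems = []
    for kind, body in defs:                       # pass 2: what it references
        own = (names(body) or ["<unnamed>"])[0]
        if kind == "attributetype":
            refs = {("attribute", r) for r in refs_of(body, ("SUP",))}
        else:
            refs = {("objectclass", r) for r in refs_of(body, ("SUP",))}
            refs |= {("attribute", r) for r in refs_of(body, ("MUST", "MAY"))}
        for what, ref in sorted(refs):
            if ref[0].isdigit():                  # numeric OID reference; not resolved here
                continue
            if ref.lower() not in (attrs if what == "attribute" else classes):
                problems.append((own, what, ref))
    return problems


# Constructed excerpt in the style of nis.schema; gecos and loginShell are
# referenced but intentionally not defined here.
SAMPLE_SCHEMA = """\
# RFC 2307 style definitions
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
    DESC 'An integer uniquely identifying a user in an administrative domain'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
"""

# Names that core.schema supplies when it is loaded first (assumption for the demo).
CORE_ATTRS = ("cn", "uid", "userPassword", "description")
CORE_CLASSES = ("top",)

if __name__ == "__main__":
    for own, what, ref in unresolved(SAMPLE_SCHEMA, CORE_ATTRS, CORE_CLASSES):
        print("%s: %s '%s' is not defined" % (own, what, ref))
```

Run against a real file, pass in the names of the schemas that precede it in your include order; anything the checker reports is what slapd will stop on, and it also tells you whether a file genuinely depends on another one or merely duplicates it.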
Re: Attribute Aliasing
On Tue, Oct 26, 2010 at 22:37, Dieter Kluenter die...@dkluenter.de wrote:
> Russell Harmon r...@eatnumber1.com writes:
>> I'm trying to reconfigure my existing OpenLDAP server to expose personal information under multiple attributes. I'm doing this so that both Apple's contact application and my custom software will work. I've read about rwm-map in slapo-rwm, but although it makes the new attribute accessible, it hides the old one. I need both the new and old to be accessible.
>>
>> For example: I have an existing attribute for a cellular phone number cellPhone. I want to make this accessible under both the attributes cellPhone and mobile.
>>
>> Is this possible with OpenLDAP?
>
> either include the evolution.schema or create your own schema and define mobileTelephoneNumber superior to cellPhone.

That seems to work only so far as searching for the attribute mobile will return the attribute cellPhone. I need it to return the data in the attribute cellPhone as the attribute mobile.

Thanks
Russell Harmon
Re: Attribute Aliasing
Russell Harmon wrote:
> On Tue, Oct 26, 2010 at 22:37, Dieter Kluenter die...@dkluenter.de wrote:
>> Russell Harmon r...@eatnumber1.com writes:
>>> I'm trying to reconfigure my existing OpenLDAP server to expose personal information under multiple attributes. I'm doing this so that both Apple's contact application and my custom software will work. I've read about rwm-map in slapo-rwm, but although it makes the new attribute accessible, it hides the old one. I need both the new and old to be accessible.
>>>
>>> For example: I have an existing attribute for a cellular phone number cellPhone. I want to make this accessible under both the attributes cellPhone and mobile.
>>>
>>> Is this possible with OpenLDAP?
>>
>> either include the evolution.schema or create your own schema and define mobileTelephoneNumber superior to cellPhone.
>
> That seems to work only so far as searching for the attribute mobile will return the attribute cellPhone. I need it to return the data in the attribute cellPhone as the attribute mobile.

1) fix your custom software to use configurable schema, and configure it to use the same as Apple's.

or

2) use back-relay, and point your software at one database and the Apple software at the other database, and rewrite as appropriate for each app.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Attribute Aliasing
On Wed, Oct 27, 2010 at 02:48, Howard Chu h...@symas.com wrote:
> Russell Harmon wrote:
>> That seems to work only so far as searching for the attribute mobile will return the attribute cellPhone. I need it to return the data in the attribute cellPhone as the attribute mobile.
>
> 1) fix your custom software to use configurable schema, and configure it to use the same as Apple's.
>
> or
>
> 2) use back-relay, and point your software at one database and the Apple software at the other database, and rewrite as appropriate for each app.

Thanks Howard! I'm going with 2 because re-writing the custom software I have just isn't an option.

When I set up the ldap server with a virtual view via slapd-relay and slapo-rwm and run a query against it, I get back no data! Do you know why?

Here's my slapd.conf config for the virtual view:

database relay
suffix dc=virtual
relay ou=Users,dc=example,dc=com
overlay rwm
rwm-suffixmassage ou=Users,dc=example,dc=com

When I run a query against it however, it succeeds but returns no data! Here are some relevant logs:

SRCH dc=virtual 1 0 0 0 0
    filter: (uid=username)
    attrs:
conn=1011 op=4 SRCH base=dc=virtual scope=1 deref=0 filter=(uid=username)
[rw] searchDN: dc=virtual - ou=Users,dc=example,dc=com
bdb_idl_fetch_key: [b49d1940]
bdb_idl_fetch_key: [20acdc7e]
[rw] searchEntryDN: uid=username,ou=Users,dc=example,dc=com - uid=username,dc=virtual
send_ldap_result: err=0 matched= text=
connection_get(16)
conn=1011 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1011 op=5 UNBIND
conn=1011 fd=16 closed

Thanks
Russell Harmon
Re: ldapsearch performance degradation
Thanks Dieter,

I've tried that but, as attached, the problem is the same :(

Any other ideas? I'm tempted to try the mysql backend just to test whether it's BDB. Does anyone have a good guide for that?

Cheers,
Tim

On 27/10/10 16:26, Dieter Kluenter wrote:
> Tim Dyce tjd...@unimelb.edu.au writes:
>> Hi all,
>>
>> I am trying to track down what causes ldap searches to slow down over time, especially if content is added and removed. We are having issues with this as a grid site in the EGEE/EGI computing grid.
>>
>> Attached is a graph of search performance over time, and a basic test I did to get it (runs from /opt/bdii_test_core). This test only uses the core schema and operates on organizationalUnit.
>>
>> Can anyone tell me what's causing this? It's causing us some serious grief, as the searches slow down, some sites start to disappear off the grid and jobs start to fail.
>>
>> I've tried restarts and slap_index, but no love. Any help/advice would be much appreciated.
>
> Is there any particular reason to increase the thread pool to 256? Just stick to the default of 16, this will most likely increase performance.
>
> -Dieter

--
Tim Dyce
Research Computing
EPP Group
The School of Physics
The University of Melbourne
+61 3 8344 5462
+61 431 485 166

[attachment: BDII search times.png]
Re: LDAP Schema Changes During Replication
Anton Chu wrote:
> I didn't add the schema to the consumer. Why? After discovering replication didn't work after uploading the schema to the provider, I reverted back by deleting the uploaded schema hoping replication would kick in.

So now you have entries in your provider which do not match the schema of the provider and the consumer. Check this with the tool slapschema.

> Any tips on replicating everything including slapd configuration changes?

Fix the schema on the consumer.

Ciao, Michael.

> 2010/10/23 Michael Ströder mich...@stroeder.com
>> Anton Chu wrote:
>>> I've setup a basic consumer/provider model replication. I've added a new schema eduPerson to my provider server and now the consumer server cannot replicate. Here's the error I'm getting on my consumer server:
>>>
>>> Oct 21 22:32:08 webtest110 slapd[31984]: slapd starting
>>> Oct 21 22:32:08 webtest110 slapd[31984]: syncrepl_message_to_op: rid=000 mods check (objectClass: value #3 invalid per syntax)
>>> Oct 21 22:32:08 webtest110 slapd[31984]: do_syncrepl: rid=000 rc 21 retrying
>>>
>>> I have deleted the eduPerson schema on my provider server, deleted the person (uid=jim) using those attributes in my DIT, and restarted the slapd process on both servers but the error still persists.
>>
>> Did you add the new schema also on the consumer? You should unless you're using dynamic configuration and you've set up to also replicate the schema.
>>
>> Ciao, Michael.