Re: bindpw in SSHA/MD5/CRYPT/...

2010-10-27 Thread Ralf Haferkamp
On Tuesday, 26 October 2010, 10:49:09, Frederic Hornain wrote:
 Dear all,
 
 For a few weeks already, I have been searching for a means to have an encrypted bindpw
 password in /etc/ldap.conf on my Fedora Linux Ldap client.
 OK, I have perfectly understood a simple bind requires that the client
 has the *cleartext* password.
 
 Nonetheless, it seems there exists a SASL method which could provide
 this functionality without using Kerberos.
AFAIK the only SASL mechanism that nss_ldap supports is GSSAPI which in 
the end means Kerberos.

 - http://www.openldap.org/lists/openldap-technical/200809/msg00145.html
 - If someone could give me a hand with that, I would appreciate it;
It seems you are reading something wrong into that thread. It only points 
out that a cleartext password, or something equivalent like a Kerberos 
keytab or Client Certificate + Key (if nss_ldap would support that) is 
needed.

Ralf


Re: AIX as openldap client

2010-10-27 Thread Stef Coene
  Oct 26 20:44:12 ldap1 slapd[28664]: Entry
  (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not
  allowed
  Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute
  'shadowLastChange' not allowed
  
  Is this important?
 
 Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are 
loaded.  I created a test user with
objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson

I can login to my test linux server with this user but not on the AIX server.  
When I do a telnet to the AIX server, I can enter the username, but before I 
can enter the password, I get the error
3004-007 You entered an invalid login name or password.

For the password, this is stored in plain text when I add the user.  Before I 
can login to the linux server, I have to change it with passwd and after that, 
the password is encrypted with {crypt} and I can login to the linux client:
userPassword: {crypt}$1$./
Can this be the problem?  I don't know what encryption AIX expects.


Stef



uniqueMember attribute is not suffixmassaged if attribute is not mapped and changed

2010-10-27 Thread Arvo Jari-Pekka
Hi.

My configuration is like this:

-

database meta
suffix   ou=a,dc=c,dc=b

uri   ldap://host:port/ou=a,dc=c,dc=b;
suffixmassage ou=a,dc=c,dc=b dc=a,dc=b

...

-

This works fine in everything else, but the uniqueMembers of groupOfUniqueNames 
do not get rewritten (they are still in the dc=a,dc=b domain).

If I however add a mapping

-

map objectClass groupOfNames groupOfUniqueNames
map attribute member uniqueMember

-

then the member attributes are correctly rewritten. The problem of course is 
that I do not want to change the objectclass.

Mapping the attribute to itself does not help either. So

-

map objectClass groupOfUniqueNames *
map attribute uniqueMember *

-

does not have any effect.

I must have missed something crucial in the documentation. Can someone please 
tell me what it is and how I can get uniqueMembers rewritten without changing 
the objectclass?

OpenLDAP version is 2.4.11 for both the real and the meta server.

BR,
Jari-Pekka Arvo



Reply: Re: AIX as openldap client

2010-10-27 Thread Howard Allison

try chuser SYSTEM=LDAP registry=LDAP [USER]

Kind regards
Howard ALLISON

  Pensionsversicherungsanstalt
  Rechenzentrumsbetrieb
  A-1021 Wien,
  Friedrich-Hillegeist-Straße 1

  E-Mail..:
  howard.alli...@pva.sozvers.at
  Internet:
  www.pensionsversicherung.at





openldap-technical-boun...@openldap.org wrote on 27.10.2010 10:37:08:

 Stef Coene stef.co...@docum.org
 Sent by: openldap-technical-boun...@openldap.org
 27.10.2010 10:43
 To: openldap-technical@openldap.org
 Cc:
 Subject: Re: AIX as openldap client

   Oct 26 20:44:12 ldap1 slapd[28664]: Entry
   (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not
   allowed
   Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute
   'shadowLastChange' not allowed
  
   Is this important?
 
  Yes, because either nis.schema or rfc2307bis.schema are missing.
 I just reconfigured the openldap server and made sure nis and rfc2307bis are
 loaded.  I created a test user with
 objectClass: aixAuxAccount
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: inetOrgPerson

 I can login to my test linux server with this user but not on the AIX server.
 When I do a telnet to the AIX server, I can enter the username, but before I
 can enter the password, I get the error
 3004-007 You entered an invalid login name or password.

 For the password, this is stored in plain text when I add the user.  Before I
 can login to the linux server, I have to change it with passwd and after that,
 the password is encrypted with {crypt} and I can login to the linux client:
 userPassword: {crypt}$1$./
 Can this be the problem?  I don't know what encryption AIX expects.


 Stef


Re: AIX as openldap client

2010-10-27 Thread Dieter Kluenter
Stef Coene stef.co...@docum.org writes:

  Oct 26 20:44:12 ldap1 slapd[28664]: Entry
  (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not
  allowed
  Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute
  'shadowLastChange' not allowed
  
  Is this important?
 
 Yes, because either nis.schema or rfc2307bis.schema are missing.
 I just reconfigured the openldap server and made sure nis and rfc2307bis are 
 loaded.  I created a test user with

You may load either nis.schema or rfc2307bis.schema, but not both. It
depends on your PAM requirements which one to load.
 objectClass: aixAuxAccount
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: inetOrgPerson

 I can login to my test linux server with this user but not on the AIX server. 
  
 When I do a telnet to the AIX server, I can enter the username, but before I 
 can enter the password, I get the error
 3004-007 You entered an invalid login name or password.

 For the password, this is stored in plain text when I add the user.  Before I 
 can login to the linux server, I have to change it with passwd and after 
 that, 
 the password is encrypted with {crypt} and I can login to the linux client:
 userPassword: {crypt}$1$./
 Can this be the problem?  I don't know what encryption AIX expects.

With regard to crypt, see
http://www.openldap.org/faq/data/cache/344.html
For more hashing algos see password-hash in slapd.conf(5) and pam_password in
/etc/ldap.conf.

-Dieter
  
-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6

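Dieter's pointer to password-hash, illustrated with an added example that is not from the thread: Python that builds userPassword values in slapd's {SCHEME}base64 form and verifies a candidate password against a stored value. It covers {SHA}/{SSHA}/{MD5}/{SMD5}; {CRYPT} values such as the thread's {crypt}$1$... come from the platform crypt(3) and are rejected rather than guessed at, and a value with no scheme prefix is compared as cleartext, which is how the freshly added user in the thread was stored.

```python
"""Build and verify OpenLDAP userPassword values (added example).

slapd's password-hash directive stores "{SCHEME}" + base64(digest [+ salt]);
{SSHA}/{SMD5} append a salt to the digest, {SHA}/{MD5} are unsalted.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme name -> (digest constructor, salted?)
SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the form slapd/slappasswd produce."""
    scheme = scheme.upper()
    ctor, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)  # slappasswd(8) also uses a 4-byte random salt
    digest = ctor(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(stored: str, candidate: str) -> bool:
    """True if `candidate` matches `stored`; digests compared in constant time."""
    if not (stored.startswith("{") and "}" in stored):
        # No scheme prefix: slapd treats the value as cleartext, which is
        # what the freshly added user in the thread had before `passwd`.
        return hmac.compare_digest(stored.encode("utf-8"),
                                   candidate.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme {%s}: e.g. {CRYPT} needs crypt(3)"
                         % scheme)
    ctor, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    dlen = ctor().digest_size
    digest, salt = raw[:dlen], (raw[dlen:] if salted else b"")
    expected = ctor(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```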

Re: uniqueMember attribute is not suffixmassaged if attribute is not mapped and changed

2010-10-27 Thread Pierangelo Masarati

Arvo Jari-Pekka wrote:

Hi.

My configuration is like this:

-

database meta
suffix   ou=a,dc=c,dc=b

uri   ldap://host:port/ou=a,dc=c,dc=b;
suffixmassage ou=a,dc=c,dc=b dc=a,dc=b

...

-

This works fine in everything else, but the uniqueMembers of groupOfUniqueNames 
do not get rewritten (they are still in the dc=a,dc=b domain).

If I however add a mapping

-

map objectClass groupOfNames groupOfUniqueNames
map attribute member uniqueMember

-

then the member attributes are correctly rewritten. The problem of course is 
that I do not want to change the objectclass.

Mapping the attribute to itself does not help either. So

-

map objectClass groupOfUniqueNames *
map attribute uniqueMember *

-

does not have any effect.

I must have missed something crucial in the documentation. Can someone please 
tell me what it is and how I can get uniqueMembers rewritten without changing 
the objectclass?

OpenLDAP version is 2.4.11 for both the real and the meta server.


uniqueMember does not have DN syntax; only attributes with DN syntax are 
mapped.  You should have used groupOfNames/member instead of 
groupOfUniqueNames/uniqueMember.


p.

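Pierangelo's point about syntaxes, shown with an added example that is not slapd-meta's code: the suffixmassage rewrite applies to DN-syntax attributes, while uniqueMember has NameAndOptionalUID syntax (a DN optionally followed by "#" and a bit string such as '0101'B), so a plain DN rewrite does not apply to it as-is. The demo below rewrites the thread's real suffix dc=a,dc=b to the virtual ou=a,dc=c,dc=b and preserves the optional bit-string part; the attribute lists and the assumption of RFC 4514 string DNs without escaped commas are constructed for the demo.

```python
"""Suffix-massage member values while respecting attribute syntax (added demo).

DN syntax is 1.3.6.1.4.1.1466.115.121.1.12; uniqueMember uses
NameAndOptionalUID, 1.3.6.1.4.1.1466.115.121.1.34 (DN ["#" bitstring]).
"""
import re
from typing import Dict, List

# Demo selection: attributes with DN syntax vs. NameAndOptionalUID syntax.
DN_ATTRS = {"member", "owner", "seealso", "roleoccupant", "manager"}
NAME_UID_ATTRS = {"uniquemember"}
BITSTRING = re.compile(r"^'[01]*'B$")


def _has_suffix(dn: str, suffix: str) -> bool:
    """Case-insensitive suffix match on an RDN boundary."""
    d, s = dn.lower(), suffix.lower()
    return d == s or d.endswith("," + s)


def massage_dn(dn: str, real: str, virtual: str) -> str:
    """Replace the real naming context with the virtual one (like suffixmassage)."""
    if not _has_suffix(dn, real):
        return dn
    return dn[: len(dn) - len(real)] + virtual


def massage_name_and_uid(value: str, real: str, virtual: str) -> str:
    """Rewrite a NameAndOptionalUID value: massage the DN, keep the #bitstring."""
    dn, sep, uid = value.rpartition("#")
    if not sep or not BITSTRING.match(uid):
        dn, sep, uid = value, "", ""  # no bit-string part: whole value is the DN
    return massage_dn(dn, real, virtual) + sep + uid


def massage_entry(entry: Dict[str, List[str]], real: str,
                  virtual: str) -> Dict[str, List[str]]:
    """Rewrite the entry DN and every DN-valued attribute of a returned entry."""
    out: Dict[str, List[str]] = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key == "dn" or key in DN_ATTRS:
            out[attr] = [massage_dn(v, real, virtual) for v in values]
        elif key in NAME_UID_ATTRS:
            out[attr] = [massage_name_and_uid(v, real, virtual) for v in values]
        else:
            out[attr] = list(values)
    return out
```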

Re: AIX as openldap client

2010-10-27 Thread Stef Coene
On Wednesday 27 October 2010, Dieter Kluenter wrote:
 Stef Coene stef.co...@docum.org writes:
   Oct 26 20:44:12 ldap1 slapd[28664]: Entry
   (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not
   allowed
   Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check:
   attribute 'shadowLastChange' not allowed
   
   Is this important?
  
  Yes, because either nis.schema or rfc2307bis.schema are missing.
  
  I just reconfigured the openldap server and made sure nis and rfc2307bis
  are loaded.  I created a test user with
 
 You may load either nis.schema or rfc2307bis.schema, but not both. It
 depends on your PAM requirements which one to load.
I created a rfc2307bis.ldif from the rfc2307bis.schema file.
If I load the rfc2307bis.ldif without nis.ldif, I get an error:
additional info: olcObjectClasses: AttributeType not found: gecos

So I think rfc2307bis depends on nis...


Stef



Re: Attribute Aliasing

2010-10-27 Thread Russell Harmon
On Tue, Oct 26, 2010 at 22:37, Dieter Kluenter die...@dkluenter.de wrote:
 Russell Harmon r...@eatnumber1.com writes:

 I'm trying to reconfigure my existing OpenLDAP server to expose
 personal information under multiple attributes. I'm doing this so that
 both Apple's contact application and my custom software will work.
 I've read about rwm-map in slapo-rwm, but although it makes the new
 attribute accessible, it hides the old one. I need both the new and
 old to be accessible.

 For example:
 I have an existing attribute for a cellular phone number cellPhone.
 I want to make this accessible under both the attributes cellPhone
 and mobile

 Is this possible with OpenLDAP?

 either include the evolution.schema or create your own schema and define
 mobileTelephoneNumber superior to cellPhone.


That seems to work only so far as searching for the attribute mobile
will return the attribute cellPhone. I need it to return the data in
the attribute cellPhone as the attribute mobile.

Thanks
Russell Harmon


Re: Attribute Aliasing

2010-10-27 Thread Howard Chu

Russell Harmon wrote:

On Tue, Oct 26, 2010 at 22:37, Dieter Kluenter die...@dkluenter.de wrote:

Russell Harmon r...@eatnumber1.com writes:


I'm trying to reconfigure my existing OpenLDAP server to expose
personal information under multiple attributes. I'm doing this so that
both Apple's contact application and my custom software will work.
I've read about rwm-map in slapo-rwm, but although it makes the new
attribute accessible, it hides the old one. I need both the new and
old to be accessible.

For example:
I have an existing attribute for a cellular phone number cellPhone.
I want to make this accessible under both the attributes cellPhone
and mobile

Is this possible with OpenLDAP?


either include the evolution.schema or create your own schema and define
mobileTelephoneNumber superior to cellPhone.



That seems to work only so far as searching for the attribute mobile
will return the attribute cellPhone. I need it to return the data in
the attribute cellPhone as the attribute mobile.


1) fix your custom software to use configurable schema, and configure it to 
use the same as Apple's.


or

2) use back-relay, and point your software at one database and the Apple 
software at the other database, and rewrite as appropriate for each app.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: Attribute Aliasing

2010-10-27 Thread Russell Harmon
On Wed, Oct 27, 2010 at 02:48, Howard Chu h...@symas.com wrote:
 Russell Harmon wrote:

 On Tue, Oct 26, 2010 at 22:37, Dieter Kluenter die...@dkluenter.de wrote:

 Russell Harmon r...@eatnumber1.com writes:

 I'm trying to reconfigure my existing OpenLDAP server to expose
 personal information under multiple attributes. I'm doing this so that
 both Apple's contact application and my custom software will work.
 I've read about rwm-map in slapo-rwm, but although it makes the new
 attribute accessible, it hides the old one. I need both the new and
 old to be accessible.

 For example:
 I have an existing attribute for a cellular phone number cellPhone.
 I want to make this accessible under both the attributes cellPhone
 and mobile

 Is this possible with OpenLDAP?

 either include the evolution.schema or create your own schema and define
 mobileTelephoneNumber superior to cellPhone.


 That seems to work only so far as searching for the attribute mobile
 will return the attribute cellPhone. I need it to return the data in
 the attribute cellPhone as the attribute mobile.

 1) fix your custom software to use configurable schema, and configure it to
 use the same as Apple's.

 or

 2) use back-relay, and point your software at one database and the Apple
 software at the other database, and rewrite as appropriate for each app.

Thanks Howard! I'm going with 2 because re-writing the custom software
I have just isn't an option.

When I set up the ldap server with a virtual view via slapd-relay and
slapo-rwm and run a query against it, I get back no data! Do you know
why?

Here's my slapd.conf config for the virtual view:
database relay
suffix dc=virtual
relay ou=Users,dc=example,dc=com
overlay rwm
rwm-suffixmassage ou=Users,dc=example,dc=com

When I run a query against it however, it succeeds but returns no data!

Here's some relevant logs:
SRCH dc=virtual 1 0
0 0 0
filter: (uid=username)
attrs:

conn=1011 op=4 SRCH base=dc=virtual scope=1 deref=0 filter=(uid=username)
[rw] searchDN: dc=virtual -> ou=Users,dc=example,dc=com
bdb_idl_fetch_key: [b49d1940]
bdb_idl_fetch_key: [20acdc7e]
[rw] searchEntryDN: uid=username,ou=Users,dc=example,dc=com ->
uid=username,dc=virtual
send_ldap_result: err=0 matched= text=
connection_get(16)
conn=1011 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1011 op=5 UNBIND
conn=1011 fd=16 closed

Thanks
Russell Harmon


Re: ldapsearch performance degradation

2010-10-27 Thread Tim Dyce

Thanks Dieter,

I've tried that but as attached, the problem is the same :(
Any other ideas? I'm tempted to try the mysql backend just to test if 
it's not BDB, does anyone have a good guide for that?


Cheers,

Tim

On 27/10/10 16:26, Dieter Kluenter wrote:

Tim Dyce tjd...@unimelb.edu.au writes:

   

Hi all,

I am trying to track down what causes ldap searches to slow down over
time, especially if content is added and removed. We are having issues
with this as a grid site in the EGEE/EGI computing grid.

Attached is a graph of search performance over time, and a basic test I
did to get it (runs from  /opt/bdii_test_core). This test only uses the
core schema and operates on organizationalUnit.

Can anyone tell me what's causing this?
It's causing us some serious grief, as the searches slow down, some
sites start to disappear off the grid and jobs start to fail.

I've tried restarts and slap_index, but no love.
Any help/advice would be much appreciated.
 

Is there any particular reason to increase the thread pool to 256?
Just stick to the default of 16, this will most likely increase
performance.

-Dieter

   


--
Tim Dyce
Research Computing
EPP Group
The School of Physics
The University of Melbourne
+61 3 8344 5462
+61 431 485 166

attachment: BDII search times.png

Re: LDAP Schema Changes During Replication

2010-10-27 Thread Michael Ströder
Anton Chu wrote:
 I didn't add the schema to the consumer.

Why?

  After discovering replication
 didn't work after uploading the schema to the provider, I reverted back
 by deleting the uploaded schema hoping replication will kick in. 

So now you have entries in your provider which do not match the schema of
the provider and the consumer.

Check this with the tool slapschema.

 Any
 tips on replicating everything including slapd configuration changes?

Fix the schema on the consumer.

Ciao, Michael.

 2010/10/23 Michael Ströder mich...@stroeder.com
 
 Anton Chu wrote:
  I've setup a basic consumer,provider model replication.  I've added a
  new schema eduPerson to my provider server and now the consumer server
  cannot replicate.  Here's the error I'm getting on my consumer server:
 
  Oct 21 22:32:08 webtest110 slapd[31984]: slapd starting
  Oct 21 22:32:08 webtest110 slapd[31984]: syncrepl_message_to_op:
 rid=000
  mods check (objectClass: value #3 invalid per syntax)
  Oct 21 22:32:08 webtest110 slapd[31984]: do_syncrepl: rid=000 rc
 21 retrying
 
  I have deleted the eduPerson schema on my provider server, deleted the
  person (uid=jim) using those attributes in my DIT, and restarted the
  slapd process on both servers but the error still persists.
 
 Did you add the new schema also on the consumer? You should unless
 you're
 using dynamic configuration and you've set up to also replicate the
 schema.
 
 Ciao, Michael.