Re: slapd: null_callback : error code 0x14
On Tue, Sep 19, 2017 at 07:22:19PM -0700, Quanah Gibson-Mount wrote: > Well, my first question is, do you see these changes to this group entry in > the log from your other rid as well? I.e., if it is being applied twice, > you should see each modification logged twice. Usually with sync logging, > you have lines noting what the CSN is that's being processed as well. > There's not enough log information here to act on. :) Ah, I don't have sync logging on, just stats right now; I'll turn on sync logging and see what shows up tomorrow. I'm sorry for the bad bug reporting :(, but OTOH the fact that I'm in such bad practice at reporting bugs is a tribute to how infrequently I have to do so :). Thanks...
Re: Getting ldappasswd and PAM in the same page under CentOS 7
Am Wed, 20 Sep 2017 14:20:54 -0400 (EDT) schrieb Robert Heller: > At Wed, 20 Sep 2017 19:30:17 +0200 Dieter =?UTF-8?B?S2zDvG50ZXI=?= > wrote: > > > > > Am Wed, 20 Sep 2017 12:32:37 -0400 (EDT) > > schrieb Robert Heller : {...] > I added: > > logLevel: 128 > > to the end of /etc/openldap/slapd.d/cn=config.ldif > > But it does not like it: > > Sep 20 13:59:47 c764guest.deepsoft.com slapd[32362]: UNKNOWN > attributeDescription "LOGLEVEL" inserted. > > The documentaion talks about loglevel in slapd.conf, but I am not > using slapd.conf... I am not talking about logging and loglevel, I am talkling about debugging and debug level. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Re: Getting ldappasswd and PAM in the same page under CentOS 7
Am Wed, 20 Sep 2017 14:20:54 -0400 (EDT) schrieb Robert Heller: > At Wed, 20 Sep 2017 19:30:17 +0200 Dieter =?UTF-8?B?S2zDvG50ZXI=?= > wrote: > > > > > Am Wed, 20 Sep 2017 12:32:37 -0400 (EDT) > > schrieb Robert Heller : > > > > > OK, I fixed the ACLs (I think), but it is still not working. I > > > turned on verbose debugging for sssd[pam] and moderate debugging > > > for slapd. > > >=20 > > > Here are my ACLs > > > in /etc/openldap/slapd.d/cn\=3Dconfig/olcDatabase\=3D{2}hdb.ldif: > > >=20 > > > olcAccess: {0}to attrs=3DuserPassword > > > by self write > > > by anonymous auth > > > by dn=3Duid=3Dheller,ou=3DPeople,dc=3Ddeepsoft,dc=3Dcom write > > > by * none > > > olcAccess: {1}to * > > > by dn=3Duid=3Dheller,ou=3DPeople,dc=3Ddeepsoft,dc=3Dcom write > > > by * read > > >=20 > > > There are also these olcAccess entries: > > >=20 > > > in /etc/openldap/slapd.d/cn\=3Dconfig/olcDatabase\=3D{0}config.ldif: > > >=20 > > > olcAccess: {0}to * by > > > dn.base=3D"gidNumber=3D0+uidNumber=3D0,cn=3Dpeercred,cn=3Dextern > > > al,cn=3D= > > auth" > > > manage by * none > > >=20 > > > and > > > in /etc/openldap/slapd.d/cn\=3Dconfig/olcDatabase\=3D{1}monitor.ldif: > > >=20 > > > olcAccess: {0}to * by > > > dn.base=3D"gidNumber=3D0+uidNumber=3D0,cn=3Dpeercred,cn=3Dextern > > > al,cn=3D= > > auth" > > > read by dn.base=3D"cn=3DManager,dc=3Ddeepsoft,dc=3Dcom" read by * > > > none > > [...] > > > > You may run slapd in debugging mode 128. > > How do I do that using the "new" configuration method in > /etc/openldap/slapd.d? > > I added: > > logLevel: 128 > > to the end of /etc/openldap/slapd.d/cn=config.ldif > > But it does not like it: [...] man slapd(8), $(EXECDIR)/slapd -h ldap:/// -F $(CONFIGDIR)/slapd.d -u $USER -g $GROUP -d 128 -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Re: Getting ldappasswd and PAM in the same page under CentOS 7
At Wed, 20 Sep 2017 19:30:17 +0200 Dieter =?UTF-8?B?S2zDvG50ZXI=?=wrote: > > Am Wed, 20 Sep 2017 12:32:37 -0400 (EDT) > schrieb Robert Heller : > > > OK, I fixed the ACLs (I think), but it is still not working. I > > turned on verbose debugging for sssd[pam] and moderate debugging for > > slapd. > >=20 > > Here are my ACLs > > in /etc/openldap/slapd.d/cn\=3Dconfig/olcDatabase\=3D{2}hdb.ldif: > >=20 > > olcAccess: {0}to attrs=3DuserPassword > > by self write > > by anonymous auth > > by dn=3Duid=3Dheller,ou=3DPeople,dc=3Ddeepsoft,dc=3Dcom write > > by * none > > olcAccess: {1}to * > > by dn=3Duid=3Dheller,ou=3DPeople,dc=3Ddeepsoft,dc=3Dcom write > > by * read > >=20 > > There are also these olcAccess entries: > >=20 > > in /etc/openldap/slapd.d/cn\=3Dconfig/olcDatabase\=3D{0}config.ldif: > >=20 > > olcAccess: {0}to * by > > dn.base=3D"gidNumber=3D0+uidNumber=3D0,cn=3Dpeercred,cn=3Dextern al,cn=3D= > auth" > > manage by * none > >=20 > > and in /etc/openldap/slapd.d/cn\=3Dconfig/olcDatabase\=3D{1}monitor.ldif: > >=20 > > olcAccess: {0}to * by > > dn.base=3D"gidNumber=3D0+uidNumber=3D0,cn=3Dpeercred,cn=3Dextern al,cn=3D= > auth" > > read by dn.base=3D"cn=3DManager,dc=3Ddeepsoft,dc=3Dcom" read by * none > [...] > > You may run slapd in debugging mode 128. How do I do that using the "new" configuration method in /etc/openldap/slapd.d? I added: logLevel: 128 to the end of /etc/openldap/slapd.d/cn=config.ldif But it does not like it: Sep 20 13:59:47 c764guest.deepsoft.com slapd[32362]: UNKNOWN attributeDescription "LOGLEVEL" inserted. The documentaion talks about loglevel in slapd.conf, but I am not using slapd.conf... > > -Dieter > > --=20 > Dieter Kl=C3=BCnter | Systemberatung > http://sys4.de > GPG Key ID: E9ED159B > 53=C2=B037'09,95"N > 10=C2=B008'02,42"E > > -- Robert Heller -- 978-544-6933 Deepwoods Software-- Custom Software Services http://www.deepsoft.com/ -- Linux Administration Services hel...@deepsoft.com -- Webhosting Services
Re: Getting ldappasswd and PAM in the same page under CentOS 7
Am Wed, 20 Sep 2017 12:32:37 -0400 (EDT) schrieb Robert Heller: > OK, I fixed the ACLs (I think), but it is still not working. I > turned on verbose debugging for sssd[pam] and moderate debugging for > slapd. > > Here are my ACLs > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={2}hdb.ldif: > > olcAccess: {0}to attrs=userPassword > by self write > by anonymous auth > by dn=uid=heller,ou=People,dc=deepsoft,dc=com write > by * none > olcAccess: {1}to * > by dn=uid=heller,ou=People,dc=deepsoft,dc=com write > by * read > > There are also these olcAccess entries: > > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={0}config.ldif: > > olcAccess: {0}to * by > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth" > manage by * none > > and in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif: > > olcAccess: {0}to * by > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth" > read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by * none [...] You may run slapd in debugging mode 128. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Re: Olc deployment vs slapd.conf based deployment
On Mon, Sep 18, 2017 at 06:08:16PM +0200, Radovan Semancik wrote: > On 09/18/2017 05:20 PM, Howard Chu wrote: >> Radovan Semancik wrote: >>> I would ... if this was a wiki, or github-like pull request and if there >>> was an example of how a good result should look like. But it does not >>> make sense for me to spend few hours just figuring out how to contribute >>> documentation fix. >> >> So you're still saying, it's fine for other people to put in the hours to >> produce something you benefit from, but it's too much trouble for you to >> contribute in return. And in the meantime, it's perfectly OK for you to >> sit back and complain that things haven't been fixed. Got it. > > I'm afraid that you haven't got the point. According to my experience people > are willing to contribute. I'm willing to contribute. Just the barrier is > too high. But the worst thing is that I feel that the barrier could be much > lower if there was a bit of will to lower it. But the will is just not > there. And I do not see why. It is not 1990s any more. There are ways how to > make cooperation easier. Why not use them? > > I'm willing to do the work. In fact, I did some work already. Much more than > just few hours. I'm just not willing to overcome unreasonable barriers that > take a lot of time, do not significantly increase quality of the product and > make my future work miserable. I would rather invest that time to make the > software better. And that is exactly what I'm going to do. I'm a bit concerned that a complaint about how contributing a completely new tool to the project might seem not worth the hassle[0] has provoked a thread which has since shifted to problems about general contribution to the project but still revolving around the same arguments whether they transpose well or not, so you end up talking past each other. No disrespect meant, but this is not helping the community or the project (its codebase). This is a popular project in terms of usage (isn't the library itself installed on a majority of UNIX systems?) that is simultaneously quite complex[1]. It is maintained by a very small team and little in the way of capacity to process existing contributions quickly and attract new ones. Yes, in my eyes, the project needs to grow or it will die eventually - how many subsystems have been marked as 'experimental' for years?. On Tue, Sep 19, 2017 at 10:54:56AM +0200, Radovan Semancik wrote: > [...] > In addition to that github has hooks that can be > used to direct the comments directly to the mailing list. The best solution > that I have seen is probably in the Apache CXF project where pull request > comments are automatically synchronized with bug tracking system comments. > There is always a way ... if there is a will. > > What I see as a major problem is that there is no will. OpenLDAP project > clearly needs major improvement. But there are almost no contributors to > improve the project. I'm trying to explain that there may reasons why people > are not keen to contribute. But what I see as a response only makes all of > this worse. I'm sorry about that. Really sorry. > >> You could still use "format-patch" to send your change requests via >> E-Mail. > > You could still write your letter by hand, put it into envelope and send it > by post. But we are usually not doing that these days, are we? I'm quite > sure we all know the reasons. That is not a situation that's pleasant or helpful to you, but just adding another way to contribute is not the silver bullet[2]. There are successful projects that request contributions in way of patches (Linux, PostgreSQL, just to quote the better known), and the IPR policy is dictated by the foundation and unlikely to change, so let's stop complaining about these policies in principle. On the other hand, suggestions to making their implementation better, especially while committing to make it work and help maintain it(!) are AFAIK appreciated. In terms of that, some of us would like to have a different bug tracking system, if it supports attaching patches to it I guess that's something you'd find a bit more welcoming. I'd like to improve this, simplify things and make them more transparent if I can and if you want to help, you're welcome as well, but please be constructive, just re-hashing discussions about things that go against fundamental policy[3] and only add more work for questionable benefit does not seem constructive to me. Start small if you don't want the responsibility to maintain things indefinitely, and to give an example, I think merging documentation patches has been quite hassle-free and time to merge quite short. Ondrej [0]. And the same arguments apply pretty much everywhere in the OSS world, so while most are completely valid, they might not be entirely fair [1]. Hell, I don't understand half of its codebase after 8 years since I've first been exposed to it [2]. Not to mention that this only increases the workload for people processing the
Re: Getting ldappasswd and PAM in the same page under CentOS 7
At Wed, 20 Sep 2017 09:09:23 +0200 =?UTF-8?Q?Cl=c3=a9ment_OUDOT?=wrote: > > > > Le 19/09/2017 =C3=A0 18:45, Robert Heller a =C3=A9crit : > > I am having a hard time setting a user password using ldap (OpenLDAP > > 2.4.40-13.el7) on a CentOS 7 system. > > > > I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and clie= > nt), > > nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have > > created a user in the ldap database, and getent works just fine -- the = > uid and > > gid are seen, etc. But I cannot set the user's password in a way that w= > orks > > for su (and presumably login/slogin, etc.). I am using ldappasswd to s= > et the > > user's password. > > > > I am thinking that PAM and ldappasswd are using *different* oneway encr= > yption > > methods and I am guessing I need to update a configuration somewhere (e= > ither > > for pam, sssd, or nslcd), but I am not finding it. > > PAM is an LDAP client so does not read the password, it just sends BIND=20 > requests and OpenLDAP server then check the passsword by using the=20 > hashing method corresponding to the current password value. > > Can you check in your server ACLs (olcAccess parameter) that anonymous=20 > users have the 'auth' right on userPassword attribute? OK, I will check... > > --=20 > Cl=C3=A9ment OUDOT > Consultant en logiciels libres, Expert infrastructure et s=C3=A9curit=C3=A9 > Savoir-faire Linux > 137 boulevard de Magenta - 75010 PARIS > Blog: http://sflx.ca/coudot > > > > -- Robert Heller -- 978-544-6933 Deepwoods Software-- Custom Software Services http://www.deepsoft.com/ -- Linux Administration Services hel...@deepsoft.com -- Webhosting Services
Re: Using overlay rwm to rewrite search base depending on search filter
Le 13/09/2017 à 16:29, Clément OUDOT a écrit : Hello, I am playing with overlay rwm to try to change the base DN of a search depending on a value in search filter. The goal is to rewrite base "dc=example,dc=com" to "dc=test,dc=example,dc=com" if I have (uid=login@test) in the LDAP filter. Has someone already done this? My configuration for the moment is the following, but I don't understant how to capture a value in searchFilter context to use it in searchDN context: dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm olcRwmRewrite: rwm-rewriteEngine on olcRwmRewrite: rwm-rewriteContext searchFilter olcRwmRewrite: rwm-rewriteRule "uid=(.*@)(.*)" "uid=$0$1" ":" olcRwmRewrite: rwm-rewriteContext searchDN olcRwmRewrite: rwm-rewriteRule "dc=example,dc=com" "dc=${searchFilter($1)},dc=example,dc=com" ":" Hello all, I just wanted to know if my use case is something that can be achieved with rwm overlay or if I need to find another solution. Thanks, Clément.
Re: Getting ldappasswd and PAM in the same page under CentOS 7
Le 19/09/2017 à 18:45, Robert Heller a écrit : I am having a hard time setting a user password using ldap (OpenLDAP 2.4.40-13.el7) on a CentOS 7 system. I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client), nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have created a user in the ldap database, and getent works just fine -- the uid and gid are seen, etc. But I cannot set the user's password in a way that works for su (and presumably login/slogin, etc.). I am using ldappasswd to set the user's password. I am thinking that PAM and ldappasswd are using *different* oneway encryption methods and I am guessing I need to update a configuration somewhere (either for pam, sssd, or nslcd), but I am not finding it. PAM is an LDAP client so does not read the password, it just sends BIND requests and OpenLDAP server then check the passsword by using the hashing method corresponding to the current password value. Can you check in your server ACLs (olcAccess parameter) that anonymous users have the 'auth' right on userPassword attribute? -- Clément OUDOT Consultant en logiciels libres, Expert infrastructure et sécurité Savoir-faire Linux 137 boulevard de Magenta - 75010 PARIS Blog: http://sflx.ca/coudot