Re: setting up openldap to proxy to AD on SUSE ENT 12

2019-02-27 Thread Howard Chu
Quanah Gibson-Mount wrote:
> --On Tuesday, February 26, 2019 9:18 AM -0800 N6Ghost  
> wrote:
> 
>> where do i get the AD schema that's not in the schema directory.
> 
> It will be with OpenLDAP 2.5 when that gets released.  You can currently 
> obtain it from here:
> 
> LDIF format:
> 
> 
> Deprecated Schema Format:
> 
> 

Quoting from above files:

# Only the subset of Windows 2012 attributes needed to make the
# user and group objectclasses work has been added to the previously
# retrieved definitions.

This is not a complete Microsoft schema, nor was it ever intended to be 
complete.

-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: setting up openldap to proxy to AD on SUSE ENT 12

2019-02-27 Thread Quanah Gibson-Mount
--On Tuesday, February 26, 2019 9:18 AM -0800 N6Ghost  
wrote:



where do i get the AD schema that's not in the schema directory.


It will be with OpenLDAP 2.5 when that gets released.  You can currently 
obtain it from here:


LDIF format:


Deprecated Schema Format:



Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: setting up openldap to proxy to AD on SUSE ENT 12

2019-02-27 Thread Dieter Klünter
Am Tue, 26 Feb 2019 09:18:09 -0800
schrieb N6Ghost :

> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> > Am Mon, 25 Feb 2019 13:34:45 -0800
> > schrieb N6Ghost :
> >  
> >> hi all,
> >>
> >> I am trying to set up an openldap proxy to AD and I need to use SUSE
> >> Enterprise Linux 12.
> >>
> >> Hostname:/etc/openldap # rpm -qa|grep -i openldap
> >> openldap2-2.4.41-18.43.1.x86_64
> >> openldap2-client-2.4.41-18.43.1.x86_64
> >>
> >> What I am trying to do is proxy an application (with 1000s of
> >> users) from talking directly to AD to talking to openldap, and
> >> then have openldap talk to AD.
> >> Looking across the net there is a bunch of stuff, but most of it
> >> does not seem to apply, or work. Looking at the official doc, it
> >> says use SASL, but you must have a local entry with a {SASL} tag on
> >> the user; that's not really ideal and would make a huge problem. A
> >> few of the posts online just said pointing to AD via ldap is
> >> possible? And this application also has a group lookup as part of
> >> its auth process... e.g., only members of groupX can access.
> >>
> >> Any help in this would be huge.
> >>
> >>
> >> It seems I am mixing up a few different ways of doing this. What's
> >> the best way to do this?  
> > I presume you are running slapd with slapd-ldap(5) backend.
> > AD requires non-standard attribute types, which openldap does not
> > provide. Include AD schema files into slapd.
> > RFC 4513 requires SASL for strong binds; if your AD is set up as KDC
> > you may include openldap services as Kerberos host and service
> > principals.
> >
> > -Dieter  
> 
> Where do I get the AD schema that's not in the schema directory? Yeah,
> I was working with /etc/slapd.conf, but in openldap 2.4 it seems some 
> stuff has changed, and there is lots
> of very conflicting information on how to go about getting the proxy
> to AD. Lots of posts say you can just have a config in slapd.conf,
> but that not only does not work,
> many of the items in those configs don't work, and will not allow
> the service to even start.

Not much has changed since openldap-2.1 with regard to
protocol requirements.
> 
> Then there is the matter where the official docs say you can pass
> through, but the accounts need a local openldap account with {SASL}
> tagged, which for a large
> domain with 1000s of users is a pain.

That's why I pointed to Kerberos. 

> And it seems openldap is more of a solutions backend that has a 
> bazillion options, and you build out a design and options, configs
> etc. based on your needs.
> And you've got to hunt down the how and what's supported etc., and you
> have to deal with the distros' packaging.

Most of the options you refer to are built in by default, that is,
only tweak the configuration parameters that are required for your setup.

Just as a hint:
 ldapsearch -x -H ldap://path/to/AD -b "" -s base "(objectClass=*)" \
  namingContexts subschemaSubentry

Search for the subschemaSubentry attribute type.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
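A minimal slapd.conf for the setup Dieter describes (slapd-ldap backend proxying the application's binds and group lookups to AD, with the AD schema included), added here as an illustration; it is not from this thread or from the OpenLDAP project, and the hostnames, DNs, module path and certificate path are assumptions:

```conf
# --- global section ---
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/cosine.schema
include    /etc/openldap/schema/inetorgperson.schema
# Placeholder for the AD schema file Quanah linked (not shipped with 2.4).
# Without it slapd does not know the AD-only attribute types, and group
# lookups that return them fail.
include    /etc/openldap/schema/AD-SCHEMA-FILE.schema

# Assumed SUSE 12 module directory.
modulepath /usr/lib64/openldap
moduleload back_ldap

# Verify the domain controllers' certificates (assumed CA bundle path).
TLSCACertificateFile /etc/openldap/certs/ad-ca.pem

# --- proxy database ---
database   ldap
# The value namingContexts returns from Dieter's rootDSE search.
suffix     "dc=example,dc=local"
# Space-separated list, tried in order, so the second DC is a fallback.
uri        "ldaps://dc1.example.local ldaps://dc2.example.local"
protocol-version 3
# A client's simple bind is forwarded to AD with the client's own DN and
# password, so no per-user local entry (and no {SASL} userPassword) is
# needed. The application keeps binding as its AD service account for
# user and group searches and as the user to verify the password,
# exactly as it did against AD directly.
rebind-as-user   yes
# AD answers with referrals for other partitions; do not let the proxy
# chase them on the client's behalf.
chase-referrals  no
# Recycle and expire cached connections to AD.
conn-ttl         600
idle-timeout     120
```

Run Dieter's ldapsearch against the proxy's own URI before pointing the application at it; the same namingContexts value should come back through the proxy.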



Re: Expected operation of pwdFailureCountInterval

2019-02-27 Thread Clément OUDOT


Le 27/02/2019 à 04:05, Tom Jay a écrit :
> Hello,
>
> Can someone explain the expected operation of the
> pwdFailureCountInterval attribute please? The documentation seems to
> be fairly clear, but if I add it to the password policy, along with
> some other attributes, the account remains locked, even after the
> pwdFailureCountInterval time. Despite authenticating with a valid
> password, the pwdFailureTime entries remain and the account remains
> locked.
>
> These are the attributes in use:
> pwdLockout: TRUE
> pwdMaxFailure: 5
> pwdFailureCountInterval: 1200


Hello Tom,

If you read the documentation, you will see that you need to configure
pwdLockoutDuration to set the time during which the account stays locked.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
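To make Clément's point concrete, a small Python model of the ppolicy lockout state as draft-behera-ldap-password-policy describes it: pwdFailureCountInterval only ages out entries of the failure counter, while a lock is lifted only by pwdLockoutDuration. It is an added example, not the slapo-ppolicy source, and it simplifies (integer timestamps, no administrative reset); `scenario` runs Tom's policy with and without pwdLockoutDuration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Policy:
    pwdLockout: bool = True
    pwdMaxFailure: int = 5
    pwdFailureCountInterval: int = 0  # seconds; 0: old failures never age out
    pwdLockoutDuration: int = 0       # seconds; 0: locked until an admin clears it

@dataclass
class Entry:
    userPassword: str
    pwdFailureTime: List[int] = field(default_factory=list)
    pwdAccountLockedTime: Optional[int] = None

def bind(e: Entry, p: Policy, password: str, now: int) -> bool:
    """Simple bind under the policy; returns True when the bind succeeds."""
    if p.pwdLockout and e.pwdAccountLockedTime is not None:
        if p.pwdLockoutDuration and now >= e.pwdAccountLockedTime + p.pwdLockoutDuration:
            e.pwdAccountLockedTime = None  # expired: only pwdLockoutDuration lifts a lock
        else:
            return False  # still locked: rejected before the password is even checked
    if password == e.userPassword:
        e.pwdFailureTime.clear()  # a successful bind clears the failure history
        return True
    if p.pwdFailureCountInterval:  # age out failures older than the interval
        e.pwdFailureTime = [t for t in e.pwdFailureTime if t > now - p.pwdFailureCountInterval]
    e.pwdFailureTime.append(now)
    if p.pwdLockout and len(e.pwdFailureTime) >= p.pwdMaxFailure:
        e.pwdAccountLockedTime = now
    return False

def scenario(lockout_duration: int):
    """Tom's policy: five bad binds, then a valid bind 30 minutes after the lock."""
    p = Policy(pwdMaxFailure=5, pwdFailureCountInterval=1200, pwdLockoutDuration=lockout_duration)
    e = Entry(userPassword="correct-horse")
    for t in range(5):
        bind(e, p, "wrong", now=t)  # fifth failure at t=4 sets pwdAccountLockedTime
    ok = bind(e, p, "correct-horse", now=4 + 1800)
    return ok, len(e.pwdFailureTime), e.pwdAccountLockedTime

def spaced_failures():
    """Four bad binds, then a fifth after the interval: counter restarts, no lock."""
    p = Policy(pwdMaxFailure=5, pwdFailureCountInterval=1200)
    e = Entry(userPassword="x")
    for t in range(4):
        bind(e, p, "wrong", now=t)
    bind(e, p, "wrong", now=5000)
    return len(e.pwdFailureTime), e.pwdAccountLockedTime
```

With Tom's attributes alone `scenario(0)` stays locked and keeps all five pwdFailureTime values, exactly what he observed; with pwdLockoutDuration set, `scenario(1200)` unlocks and the valid bind clears them.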




slapd-sock Overlay gives no RESULT on Successful BIND

2019-02-27 Thread Kamal Advani
Hello,

We are attempting to sync over some data from OpenLDAP into Win AD.
The approach thus far has been to use slapd-sock in overlay mode and
attach a listener.

Our configuration snippet is as follows:

---
moduleload back_sock

overlay sock

extensions connid

socketpath /var/run/openldap/winad-sync-overlay.sock

sockopsadd bind delete modify modrdn

sockresps result
---

What I have noticed is that on a successful BIND, no corresponding
RESULT is received. However, on a BIND failure, we do, with a non-zero
code (as expected).

Another interesting situation is as follows:

* On an unsuccessful BIND, we get 2 messages, a BIND and a MODIFY --
we also use the `ppolicy` module, so it sets the pwdFailureTime, an
'add' change, on a BIND failure. This is fine.
* However, both the BIND and MODIFY have the same msgid.
* Finally, we get one RESULT back with the same msgid.

Continuing on, if I then BIND successfully, as above, I get:

* BIND and MODIFY -- this time the MODIFY clears pwdFailureTime, a
delete change. Same msgid on both BIND and MODIFY.
* Again, only one RESULT, with the corresponding msgid.

Have I misconfigured something, or is this expected behaviour? In all
cases, I have made sure I'm sending through CONTINUE after each message.

I guess I'd expect a RESULT for each request message; it would
certainly make message processing much simpler and deterministic:

* Receive request, store, keyed by conn id and msg id.
* Receive RESULT, find corresponding request, and process accordingly.

I only have this issue on BIND, as far as I can tell, at least for the
`sockops` I'm interested in.

Any suggestions are much appreciated. Thanks very much.


Regards,
Kamal


PS. Happy to provide transcripts of output, just keeping the initial
email size manageable. Please let me know.
PPS. Another quirk is, it appears that I get a RESULT for a SEARCH,
even though I am not subscribed to it in `sockops`, but happy to
ignore this for now!



--
There is more to life than increasing its speed.
 -- Mahatma Gandhi



Re: setting up openldap to proxy to AD on SUSE ENT 12

2019-02-27 Thread N6Ghost



On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> Am Mon, 25 Feb 2019 13:34:45 -0800
> schrieb N6Ghost :
>
>> hi all,
>>
>> I am trying to set up an openldap proxy to AD and I need to use SUSE
>> Enterprise Linux 12.
>>
>> Hostname:/etc/openldap # rpm -qa|grep -i openldap
>> openldap2-2.4.41-18.43.1.x86_64
>> openldap2-client-2.4.41-18.43.1.x86_64
>>
>> What I am trying to do is proxy an application (with 1000s of users)
>> from talking directly to AD to talking to openldap, and then have
>> openldap talk to AD.
>> Looking across the net there is a bunch of stuff, but most of it does
>> not seem to apply, or work. Looking at the official doc, it says use
>> SASL, but you must have a local entry with a {SASL} tag on the user;
>> that's not really ideal and would make a huge problem. A few of the
>> posts online just said pointing to AD via ldap is possible? And this
>> application also has a group lookup as part of its auth process...
>> e.g., only members of groupX can access.
>>
>> Any help in this would be huge.
>>
>>
>> It seems I am mixing up a few different ways of doing this. What's the
>> best way to do this?
>
> I presume you are running slapd with slapd-ldap(5) backend.
> AD requires non-standard attribute types, which openldap does not
> provide. Include AD schema files into slapd.
> RFC 4513 requires SASL for strong binds; if your AD is set up as KDC you
> may include openldap services as Kerberos host and service principals.
>
> -Dieter

Where do I get the AD schema that's not in the schema directory? Yeah, I 
was working with /etc/slapd.conf, but in openldap 2.4 it seems some 
stuff has changed, and there is lots
of very conflicting information on how to go about getting the proxy to 
AD. Lots of posts say you can just have a config in slapd.conf, but that 
not only does not work,
many of the items in those configs don't work, and will not allow the 
service to even start.

Then there is the matter where the official docs say you can pass through, 
but the accounts need a local openldap account with {SASL} tagged, which 
for a large
domain with 1000s of users is a pain.

And it seems openldap is more of a solutions backend that has a 
bazillion options, and you build out a design and options, configs etc. 
based on your needs.
And you've got to hunt down the how and what's supported etc., and you have 
to deal with the distros' packaging.



-N6Ghost









Expected operation of pwdFailureCountInterval

2019-02-27 Thread Tom Jay

Hello,

Can someone explain the expected operation of the 
pwdFailureCountInterval attribute please? The documentation seems to be 
fairly clear, but if I add it to the password policy, along with some 
other attributes, the account remains locked, even after the 
pwdFailureCountInterval time. Despite authenticating with a valid 
password, the pwdFailureTime entries remain and the account remains 
locked.


These are the attributes in use:
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 1200

Thanks.

Tom



Get values of Telephone Tab ( A.D. ) using ldapsearch.

2019-02-27 Thread - -
Hi,

I am trying to get the values of the Telephone tab in an Active Directory server 
using ldapsearch.

http://www.windows-active-directory.com/telephone-tab-in-ad-user-properties.html

I get other values like mail or telephoneNumber from the first tab, but I can't 
get any information from the Telephone tab.

I am using this command:

ldapsearch -x -H ldap://IP:PORT -D "cn=userldap,OU=users,DC=domain,DC=local" -w 
PASSWORD -b "DC=domain,DC=local" 
"(&(objectclass=person)(mail=us...@domain.com))" mail telephoneNumber mobile
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectclass=person)(mail=us...@domain.com))
# requesting: mail telephoneNumber mobile
#

# User 1, Users, domain.local
dn: CN=User 1,OU=Users,DC=domain,DC=local
 l
telephoneNumber: 1
mail: us...@domain.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Is it possible to get this information using the ldapsearch tool? Thanks in advance.

Best Regards