Re: Recover User Password?

2011-04-28 Thread Christ Schlacta

On 4/28/2011 17:27, Alberto Moreno wrote:

   Hi.

   I had been using samba with openldap as a backend.

   But I had never need to recover a user password from LDAP.

   Exist a way to recover user passwords?

   Ldap running on Centos 5.5 2.3.43.x
   Samba 3.3.x
   DB: dbd.

   Thanks!!!

if it's stored in plaintext, just view it.  otherwise, you need to 
subject the password to brute force or standard cracking techniques.  
NT/LM hashes are particularly susceptible to attack.




Recover User Password?

2011-04-28 Thread Alberto Moreno
  Hi.

  I had been using samba with openldap as a backend.

  But I had never need to recover a user password from LDAP.

  Exist a way to recover user passwords?

  Ldap running on Centos 5.5 2.3.43.x
  Samba 3.3.x
  DB: dbd.

  Thanks!!!

-- 
LIving the dream...



Re: slapi_get_client_ip in openldap?

2011-04-28 Thread Howard Chu

Jani Salonen wrote:

Hi, I've written a prebind plugin for slapd, and I was wondering if
there is a way to resolve connected client's IP address somehow, like
IBM Tivoli has slapi_get_client_ip()/slapi_get_source_ip() functions?
If there are no suitable functions already in openldap, does anyone
know a feasible way to do it?


I don't use slapi, haven't looked to see if such functions exist or not. If 
you want to add them, you can get the client IP in the connection->c_peer_name 
field.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status

2011-04-28 Thread Howard Chu

Nick Milas wrote:

On 28/4/2011 3:13 μμ, Torsten Schlabach (Tascel eG) wrote:


So IMO LDAP *is* the best suited backend storage for DNS database data
that I know of. (I am always open to new ideas I may not yet have heard or
thought of.)


Thank you and Ben for your feedback. I agree to the above, that's why we
decided to use it in the first place!


What does PowerDNS do that BIND doesn't do for you?


Frankly, I don't like BIND having a very large share of the market!
Additionally, I have come to like PowerDNS and its LDAP backend; it has
an easy setup and it is fast; it also has a nice "family"-like
community. Moreover, as we have recently invested a lot of effort to
setup the current backbone (including an internal Web application for
DNS record management) and BIND uses a different LDAP schema, we would
not be willing to start a new migration process... Unfortunately, we
didn't expect that PowerDNS LDAP-backend would remain without a
developer and we have no resources (funds or people) to engage in
PowerDNS ldap-backend development.

So, I am posting here partly to attract attention of LDAP
administrators/organizations using LDAP as DNS store in their DNS Server
Software, esp. PowerDNS and developers who might be interested therein.


IMO, due to the hierarchical nature of the zone data, LDAP is the *most* 
appropriate data store for DNS data, it beats SQL on many counts. I've spent 
some time with the BIND code but hadn't even heard of PowerDNS.


Unfortunately, at the moment, while I believe this is interesting and 
worthwhile, I don't have the time to spend on it. But if anyone else in the 
community wants to contribute, I'd be open to hosting any relevant work on the 
OpenLDAP code repos.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



RE: Finding issue with LDAP_OPT_NETWORK_TIMEOUT

2011-04-28 Thread Quanah Gibson-Mount
--On Thursday, April 28, 2011 6:14 PM +0800 "Singh, Pravat (NSN - 
IN/Bangalore)"  wrote:



Could anybody help me find out whether I am missing anything here (maybe
I need to set some LDAP option, or I missed some compilation flag; I am
not sure).


There are multiple instances in the openldap source code itself that use 
it.  I suggest you examine them.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



RE: Finding issue with LDAP_OPT_NETWORK_TIMEOUT

2011-04-28 Thread Singh, Pravat (NSN - IN/Bangalore)
Hi,
I am facing a problem in ldap_simple_bind() when setting
LDAP_OPT_NETWORK_TIMEOUT. Can anybody let me know if I am missing
something?
Just to add some information: I have compiled the openldap-2.4.23
version on Solaris 10 with the Sun Studio compiler. The bind API
"ldap_simple_bind()" is successful if I don't use
LDAP_OPT_NETWORK_TIMEOUT but fails if I do.


From my application bind() method I am using the following APIs:

struct timeval tempTime;
tempTime.tv_usec = 0;
tempTime.tv_sec = 10;   /* 10-second network timeout */

/* the handle returned by ldap_init() is what the calls below operate on */
theLDAP = ldap_init((char*)theHost.c_str(), thePort);
ldap_set_option(theLDAP, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
ldap_set_option(theLDAP, LDAP_OPT_DEREF, &desired_deref);
ldap_set_option(theLDAP, LDAP_OPT_NETWORK_TIMEOUT, (void *)&tempTime);
ldap_simple_bind(theLDAP, (char*)theUserDN, (char*)theUserPW);

Here I get a bind failure; in the OpenLDAP library, in
ldap_sasl_bind(...) of libldap_r/sasl.c, the following code fails
and ld->ld_errno returns -1:

/* send the message */
*msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber,
id );
printf("returning ld->ld_errno %d\n",ld->ld_errno);

Could anybody help me find out whether I am missing anything here (maybe
I need to set some LDAP option, or I missed some compilation flag; I am
not sure).

Hope someone will help me to solve this issue.
If anybody has sample client code that sets
LDAP_OPT_NETWORK_TIMEOUT, please send it to me.

Regards,
Pravat


Multi-Master Question when network partition

2011-04-28 Thread Tony Dong
Hi,

In OpenLDAP 2.4 admin guide "chapter 18: Replication" 18.2.2.3. Arguments
against Multi-Master replication:

If a network is partitioned and multiple clients start writing to each of the
"masters" then reconciliation will be a pain; it may be best to simply deny
writes to the clients that are partitioned from the single provider.

How to configure to deny writes in an LDAP master?

My environment is 3-way MMR, of A, B, C three servers. If the connection between
server A and server B is lost, how can server A and B automatically deny
writes and become read-only? As server C can still accept write operations,
and sync with both server A and B, the data in server A and B is up-to-date
and thus they can act as slaves temporarily.


Best Regards,
Tony Dong



slapi_get_client_ip in openldap?

2011-04-28 Thread Jani Salonen
Hi, I've written a prebind plugin for slapd, and I was wondering if
there is a way to resolve connected client's IP address somehow, like
IBM Tivoli has slapi_get_client_ip()/slapi_get_source_ip() functions?
If there are no suitable functions already in openldap, does anyone
know a feasible way to do it?


-- 
  /}
@###{]::Jani Salonen::>
  \}



Re: Problem regarding OpenLdap installation and Berkeley DB

2011-04-28 Thread Marco Pizzoli
On Thu, Apr 28, 2011 at 7:33 PM, Quanah Gibson-Mount  wrote:
> --On Thursday, April 28, 2011 11:21 AM +0200 Marco Pizzoli
>  wrote:
>
>> Hi,
>> OpenLDAP is officially supported only with BerkeleyDB versions at
>> maximum equal to 5.0.x, and this particular version only since 2.4.24.
>
> No.  Read the change log again:
>
>       Added slapd support for BDB 5.0+ (ITS#6698)
>
> It says 5.0+.  That means 5.0 and higher.  Not maximal at 5.0.

I saw right but interpreted wrong, it seems... 5.0+ to me appeared as
whatever version 5.0.0/5.0.1/5.0.2/etc...
My fault



Re: Problem regarding OpenLdap installation and Berkeley DB

2011-04-28 Thread Quanah Gibson-Mount
--On Thursday, April 28, 2011 11:21 AM +0200 Marco Pizzoli 
 wrote:



Hi,
OpenLDAP is officially supported only with BerkeleyDB versions at
maximum equal to 5.0.x, and this particular version only since 2.4.24.


No.  Read the change log again:

   Added slapd support for BDB 5.0+ (ITS#6698)

It says 5.0+.  That means 5.0 and higher.  Not maximal at 5.0.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



Re: "DIT content rule" usage patterns?

2011-04-28 Thread Michael Ströder
Marco Pizzoli wrote:
> could someone point me to some resources, in particular usage
> examples, about DIT content rules?

Example:

dITContentRule ( 2.16.840.1.113730.3.2.2
  NAME 'inetOrgPerson-dcr'
  NOT ( x121Address )
  AUX ( msPerson $ musician $ germanBankArrangement $
posixAccount $ sambaSamAccount $ vPIMUser $ inetLocalMailRecipient $
shadowAccount $ simpleSecurityObject $ pwdPolicy $ msPwdResetObject $
eduPerson $ schacPersonalCharacteristics ) )

Note that the OID is the OID of the accompanying structural object class.

What exactly do you want to do? You should read RFC 4512 for the details.

My web2ldap obeys DIT content rules and therefore I'm usually limiting the
usable attributes in object classes with NOT to reduce the number of unneeded
input fields. You can also use web2ldap's schema browser to dig into the
schema of a server.

Ciao, Michael.



Re: "DIT content rule" usage patterns?

2011-04-28 Thread Andrew Findlay
On Thu, Apr 28, 2011 at 12:54:45PM +0200, Marco Pizzoli wrote:

> could someone point me to some resources, in particular usage
> examples, about DIT content rules?

There are a couple of simple DIT Content Rules in section 10.2.4
of my paper on LDAP ACLs:

http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

In that example I am using the rules to prevent the addition of
auxiliary object classes to entries of specific types. That in turn
limits the attribute types that can be added.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/   +44 1628 782565 |
---



Re: "DIT content rule" usage patterns?

2011-04-28 Thread Alejandro Imass
On Thu, Apr 28, 2011 at 7:41 AM, Marco Pizzoli  wrote:
> On Thu, Apr 28, 2011 at 1:27 PM, Alejandro Imass  wrote:
>> On Thu, Apr 28, 2011 at 6:54 AM, Marco Pizzoli  
>> wrote:
>>> Hi list,
>>> could someone point me to some resources, in particular usage
>>> examples, about DIT content rules?

ooops, hadn't had coffee yet, sorry ;-)



Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status

2011-04-28 Thread Nick Milas

On 28/4/2011 3:13 μμ, Torsten Schlabach (Tascel eG) wrote:


I never used PowerDNS, we always went with BIND. Fortunately the DLZ parts
made it into the code and the version which has them built in made it into
the standard Linux distros in the meanwhile.

AFAIK there are no plans to drop LDAP backend support from BIND. So maybe
you should just consider to switch there.

I just wanted to add that according to many testimonies, like: 
https://lists.isc.org/mailman/htdig/bind-users/2011-February/082814.html, BIND9 
with LDAP over DLZ has a very low performance, making it unsuitable for 
production systems, which is not the case with PowerDNS.


So, it seems, PowerDNS with LDAP backend is the only truly viable 
solution in production, and PowerDNS is at risk of dropping maintenance 
of this backend!


Best regards,
Nick



Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status

2011-04-28 Thread Nick Milas

On 28/4/2011 3:13 μμ, Torsten Schlabach (Tascel eG) wrote:


So IMO LDAP *is* the best suited backend storage for DNS database data
that I know of. (I am always open to new ideas I may not yet have heard or
thought of.)

Thank you and Ben for your feedback. I agree to the above, that's why we 
decided to use it in the first place!



What does PowerDNS do that BIND doesn't do for you?


Frankly, I don't like BIND having a very large share of the market! 
Additionally, I have come to like PowerDNS and its LDAP backend; it has 
an easy setup and it is fast; it also has a nice "family"-like 
community. Moreover, as we have recently invested a lot of effort to 
setup the current backbone (including an internal Web application for 
DNS record management) and BIND uses a different LDAP schema, we would 
not be willing to start a new migration process... Unfortunately, we 
didn't expect that PowerDNS LDAP-backend would remain without a 
developer and we have no resources (funds or people) to engage in 
PowerDNS ldap-backend development.


So, I am posting here partly to attract attention of LDAP 
administrators/organizations using LDAP as DNS store in their DNS Server 
Software, esp. PowerDNS and developers who might be interested therein.


Nick



Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status

2011-04-28 Thread b...@bitrate.net

On 2011.04.28 05.31, Nick Milas wrote:

It has been alleged (see ref. above) that "We don't think that LDAP
is a particularly good or interesting place to store DNS data.


this doesn't make much sense to me.  from the perspective of traditional [e.g. non 
dnssec], it's simply another place in which data can be stored.  from a dnssec 
perspective, you could perhaps argue there is additional complexity since rrsets and 
zones now need to be signed, but really, this is still fundamentally no different than 
signing the data stored via some other means.  the data must be parsed, processed, and 
written, in some way.  just as there are already mechanisms in place for doing this with 
traditional text files, the very same could be done for data stored in ldap.  whatever 
needs to be done must at some point be done for the first time.  the existence of 
"natural" methods like writing to a text file certainly don't preclude other 
methods from having value simply because they've not yet been given a formal 
implementation.

additionally, there is software like phreebird [a dnssec proxy], which allows 
you to retain all of your dns data in its traditional form, and still provide 
signed zones.  lastly, iirc, the notion of a dns related overlay and/or backend 
has come up here on occasion.  not only would this obviously be a natural fit 
for openldap, the concepts involved in dnssec could be integrated quite nicely.


Additionally, LDAP/database backend projects for BIND9 (SDB and DLZ)
do not seem very well maintained either. In any case we prefer
PowerDNS approach where backend implementation is cleaner and
direct.


with respect to bind, if i were you, i'd keep up to date on the development of 
bind 10.  while it's not my place to speak for the developers, i think you're 
likely to find quite a bit of attention given to abstraction between the server 
and its backend  ;)

-ben



Re: Invalid DN Syntax in Shell Script

2011-04-28 Thread b...@bitrate.net

On 2011.04.25 21.30, Inácio Alves wrote:
function verificaSenha(){

   whoAmI=`whoami`
   param=`echo "ldapsearch -x -W -D
\"uid=$whoAmI,ou=People,dc=ifce,dc=edu,dc=br\" -b \"dc=ifce,dc=edu,dc=br\"
\"(uid=$whoAmI)\""`
   exec `echo "$param"`
}


i'm not sure what the goal is here, but it seems convoluted.  if the goal is 
simply to run ldapsearch and print the output:

#!/bin/bash

function verify_user(){
user=$(whoami)
base_dn='dc=ifce,dc=edu,dc=br'
ldapsearch -xWD "uid=${user},ou=people,${base_dn}" -b "${base_dn}" 
"(uid=${user})"
}

verify_user

exit 0



Re: Invalid DN Syntax in Shell Script

2011-04-28 Thread Jarbas Peixoto Júnior
On 25 April 2011 at 21:30, Inácio Alves wrote:

> Hi to all,
>
> I'm trying to write a shell script to simplify changing users' passwords.
> So I wrote
>
> function verificaSenha(){
>   whoAmI=`whoami`
>   param=`echo "ldapsearch -x -W -D
> \"uid=$whoAmI,ou=People,dc=ifce,dc=edu,dc=br\" -b \"dc=ifce,dc=edu,dc=br\"
> \"(uid=$whoAmI)\""`
>   exec `echo "$param"`
> }
>
You may use $param directly, without exec.

>
> the line param=... produces a command line that works when I type it directly
> in the terminal; however, at the line exec "$param" I am asked for my
> LDAP password (as in the terminal) but when I type it I get
>
> ldapsearch -x -W -D "uid=inacio,ou=People,dc=ifce,dc=edu,dc=br" -b
> "dc=ifce,dc=edu,dc=br" "(uid=inacio)"
> Enter LDAP Password:
> ldap_bind: Invalid DN syntax (34)
>  additional info: invalid DN
>
> what is wrong?
>
Another way is to use the command "ldapwhoami" directly. See:

$ ldapwhoami -x -W -D
uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=teste,dc=br -H
ldap://ip-of-ldap-server
Enter LDAP Password:
dn:uid=jarbas.peixoto,ou=Pessoas,ou=Usuarios,dc=teste,dc=br

Best regards!!
>
> --
> Sincerely,
>
> Prof. Inácio Alves
> IFCE/Campus Maracanaú
> Bachelor in Mathematics (UFC) / Connectivity Technician (IFCE)
> http://www.polluxweb.com/inacioalves/site/
>
>
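
The "Invalid DN syntax (34)" seen in this thread comes from how the command line was assembled, not from the DN itself. As an added example (not code from either poster), the POSIX shell script below reproduces the failing pattern and shows a quoting-safe way to build the same ldapsearch call. When a string containing escaped quotes is expanded unquoted (via `exec `echo "$param"`` in the original, or a bare `$param`), the shell splits it on whitespace but never strips the quote characters, so the argument after -D still carries literal double quotes and slapd rightly rejects it as an invalid DN. The base DN is taken from the thread; the function names and the sample user name "alice" are this example's own.

```shell
#!/bin/sh
# Added example: why the posted verificaSenha() fails, and a fixed version.

BASE_DN='dc=ifce,dc=edu,dc=br'

# Reproduces the bug: the DN is wrapped in escaped quotes inside a string
# that is later expanded unquoted. Word-splitting breaks the string on
# whitespace but does not perform quote removal, so the 5th word (the
# argument to -D) still contains literal double quotes. Prints that word
# exactly as ldapsearch would receive it.
naive_bind_dn_arg() {
    user=$1
    param="ldapsearch -x -W -D \"uid=$user,ou=People,$BASE_DN\" -b \"$BASE_DN\" \"(uid=$user)\""
    # unquoted on purpose: this is the mistake being demonstrated
    set -- $param
    printf '%s\n' "$5"
}

# Quoting-safe construction: build the DN with printf and keep every
# expansion inside double quotes so the whole DN is passed as one argument.
bind_dn() {
    printf 'uid=%s,ou=People,%s' "$1" "$BASE_DN"
}

# The real search for the current user. Not run automatically below:
# it needs a reachable server and prompts for the bind password (-W).
verify_user() {
    user=$(whoami)
    ldapsearch -x -W -D "$(bind_dn "$user")" -b "$BASE_DN" "(uid=$user)"
}

# Demonstration on a constructed user name.
echo "argument seen by ldapsearch (naive): $(naive_bind_dn_arg alice)"
echo "argument seen by ldapsearch (fixed): $(bind_dn alice)"
```

The naive variant prints `"uid=alice,ou=People,dc=ifce,dc=edu,dc=br"` including the quote characters, which is the string the server was asked to parse as a DN; the fixed variant prints the bare DN. Removing `exec` alone does not help, because the splitting still happens when `$param` is expanded.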


Re: Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status

2011-04-28 Thread Torsten Schlabach (Tascel eG)
Hi Nick, hi all!

My 2 cents on this:

I think there are two quite independent questions here, which are:

1. Is LDAP a good database to store DNS information in? I mean,
conceptually.

2. How is the support for LDAP as a backend database in various DNS server
implementations?

Talking about question #1:

What are the alternatives available?

- files ?
- relational databases?

IMO the good old zone files are not really up to the task unless you are
editing them manually in vi. Whenever you are looking for some kind of
automation, you need to write way more complex scripts than you want to.
And you always risk that any manual edits of the zone files break your
parser or anything. So zone files are really not an option if you ask me.

Whether you use LDAP or relational databases for some people is a question
of taste or what you are used to. If you have never worked with LDAP but
you are very confident with MySQL, then you may for sure prefer a
relational database as backend storage. But this is a bit of the good old
"if the only tool you have is a hammer, ..." kind of thing.

LDAP is different from relational databases in a number of aspects. To
name a few:

- LDAP is query optimized while relational databases are optimized for
OLTP. In other words, LDAP's performance on updates may be a lot worse
than that of a relational database. But its query performance should be a
lot better. I do admit though that given today's processing power
available, in many cases it will be hard to measure the difference here.
- LDAP stores tree like structures, not tables. LDAP is really nice if you
want to have one tree with different branches which different people,
groups, organizations have access to. LDAP ACLs are very fine grained. Many
SQL databases (especially the "cheaper" ones; cheaper in the sense of
resources, not money) have nothing at all or very black / white ACL schemas
available.
- LDAP has been designed for replication, which is a major plus in many
setups. Yes, you can replicate relational databases as well, but this is a
quite complex process. See also the last remark.
- If one understands how LDAP schemas work, one can very easily attach
attributes needed by DNS to existing LDAP objects describing your systems.

So IMO LDAP *is* the best suited backend storage for DNS database data
that I know of. (I am always open to new ideas I may not yet have heard or
thought of.)

Talking about question #2:

I never used PowerDNS, we always went with BIND. Fortunately the DLZ parts
made it into the code and the version which has them built in made it into
the standard Linux distros in the meanwhile.

AFAIK there are no plans to drop LDAP backend support from BIND. So maybe
you should just consider to switch there.

What does PowerDNS do that BIND doesn't do for you?

Regards,
Torsten



On Thu, 28 Apr 2011 12:31:02 +0300, Nick Milas 
wrote:
> Hi,
> 
> We've been using for several months PowerDNS Authoritative Server v9.22 
> with LDAP backend (simple mode), using OpenLDAP (v2.4.22) for hosting 
> our organization's domains (and reverse zones) and it has been working 
> fine (low query times, reliable etc.) so we enjoy having all our 
> organization's data stored/maintained in the same DIT in LDAP.
> 
> However, as PowerDNS Authoritative Server is preparing for the next 
> version (3.0), it seems that the LDAP backend will be unmaintained (see:
> http://mailman.powerdns.com/pipermail/pdns-users/2011-March/007547.html)
> as the LDAP backend developer is no longer working on it (see: 
> http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03625.html).
> 
> It has been alleged (see ref. above) that "We don't think that LDAP is a
> particularly good or interesting place to store DNS data. It will for 
> example have big problems with PowerDNSSEC because of lack of ordering."
> Moreover, PowerDNS LDAP backend (although current open bugs are very few
> and of relatively low severity) lacks features (e.g. Notify, which we 
> implement using custom script, cron and notify-dns-slaves, see: 
> http://mailman.powerdns.com/pipermail/pdns-users/2010-October/007109.html) 
> and is not being evolved any more.
> 
> Additionally, LDAP/database backend projects for BIND9 (SDB and DLZ) do 
> not seem very well maintained either. In any case we prefer PowerDNS 
> approach where backend implementation is cleaner and direct.
> 
> So, my questions:
> 
> *  From the above and your experience, do you consider LDAP should
>   not be preferred as DNS backend?
> * Should LDAP be avoided as a DNS/DNSSEC backend?
> * Would any companies / developer(s) from the OpenLDAP world -
>   perhaps already using or interested in using DNS with LDAP backend
>   - would be willing to devote some time to fix a couple of small
>   bugs and keep the very well-designed and developed PowerDNS LDAP
>   backend in shape? We could even start some community donation
>   effort (to support this development), but I don't k

Re: Installation openLDAP in Debian

2011-04-28 Thread Olivier
Hi Hallvard

> I suppose you could put slapd.d/ under version control.

Yes, this would respond to the log tracking issue, you are right:
after all, this is the same mechanism used to track slapd.conf
changes. The only objection I would have to that at this stage is
that, at this stage of my understanding, I'm not sure how to deal with
the "{magic-number}" present in some file names.

> Or put comments in other files under slapd.d/

On the other hand, this idea of adding txt files in slapd.d to
record comments sounds a bit bizarre to me, to be honest.


---
Olivier



Re: "DIT content rule" usage patterns?

2011-04-28 Thread Marco Pizzoli
On Thu, Apr 28, 2011 at 1:27 PM, Alejandro Imass  wrote:
> On Thu, Apr 28, 2011 at 6:54 AM, Marco Pizzoli  
> wrote:
>> Hi list,
>> could someone point me to some resources, in particular usage
>> examples, about DIT content rules?
>>
>
> The first rule is that there are no rules ;-) there are like 2 major
> patterns so to speak: the X500 organizational distribution and the
> DNS-inspired way. You can (in fact you should) mix-match your DIT
> structure with both if you want and adapt to your own needs. There is no
> one right way to do it.
>
> Many people under-use LDAP. For us LDAP is used for slow-mutating
> hierarchical information that needs to be centralized, hence the term
> "directory" is precisely what you should use LDAP for. The data
> _should_ be organized in complex hierarchical form and not in the
> stupid People, Computers, etc. hierarchy imposed by stupid pseudo-LDAP
> technologies such as MS AD, and sorry to say that Samba follows the
> same mistakes. LDAP is for _a lot_ more than just a flat structure of
> People and Computers, it is designed to be hierarchically complex,
> reflecting the true nature of your organization. In the end, this will
> just translate to LDAP queries which you can easily simplify by
> working with attributes in the correct way, so no worries about how
> complex the DIT is.
>
> With complex hierarchies you can then even take all your user tables
> OUT of the SQLs and do some interesting querying and integration with
> your SQL stuff via the lesser known operational attribute called
> entryUUID (defined in RFC4530). Yeap, that's right there _is in fact_
> a logical primary key in LDAP.
>
> I did some pretty interesting work in Venezuela last year through our
> partner company Corcaribe Tecnología C.A. and wrote a paper that
> explains all this in detail... BUT the doc is in Spanish. I am
> attaching the PDF here in case it's of any use to you and/or anyone
> would care to translate and post a how-to or on a Wiki somewhere. I
> have the original OpenOffice doc and the drawing in Inkscape SVG if
> anyone would like to derive some more formal work,
>
> Best,
>
> --
> Alejandro Imass

Hi Alejandro,
thanks for your answer.

I hadn't talked about "DIT Structure Rules", but "DIT Content Rule".
In particular I was referring to the usage of the "ditcontentrule"
directive in slapd.conf.

Thanks again
Marco



Re: Installation openLDAP in Debian

2011-04-28 Thread Hallvard B Furuseth
Simone Piccardi writes:
> On 28/04/2011 12:00, Hallvard B Furuseth wrote:
>> Olivier Guillard writes:
>>> How to survive in operational environment without comments
>>> in files ( nor a way to track change logs btw ) ?
>>
>> I suppose you could put slapd.d/ under version control.  After making
>> a change or a set of changes, commit your modified slapd.d/ with your
>> comments in the commit message.  Or put comments in other files under
>> slapd.d/.  If these filenames do not resemble DNs, e.g. have filetype
>> .txt and no '=' in them, they won't clash with cn=config's filenames.
>> I haven't tried how cumbersome this is/isn't in practice though.
>
> Apart the fact we were told not to touch slapd.d,

That part is all right, the VCS would simply function as a browseable
backup.  You'd do the changes over the ldap protocol, then commit the
result as-is.  Regarding filenames, I think it'd make sense to document
that back-config/back-ldif will not touch certain filenames, so the user
is officially free to use these for comments etc.  However,

> this will raise 
> complexity (adding a VCS, finding a way to relate comments to contents, 
> and so on).
> 
> So now I need more logic, more programs, when I can do everything with 
> just an editor and some text when having a file.

Yes.  I too find slapd.conf significantly superior to cn=config, except
for poorer error checking and having to restart slapd.  It was just a
suggestion if you use cn=config but want comments and change log.

slapd.conf is historyless too though, so I'm not sure what you mean with
tracking change logs if you did not want something like version control.

-- 
Hallvard



"DIT content rule" usage patterns?

2011-04-28 Thread Marco Pizzoli
Hi list,
could someone point me to some resources, in particular usage
examples, about DIT content rules?

Thanks in advance
Marco


-- 
_
Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi.
                    Jim Morrison



Re: Installation openLDAP in Debian

2011-04-28 Thread Marco Pizzoli
> Apart the fact we were told not to touch slapd.d, this will raise complexity
> (adding a VCS, finding a way to relate comments to contents, and so on).
>
> So now I need more logic, more programs, when I can do everything with just
> an editor and some text when having a file.
>

I do agree.
My thought goes to the fact that it would add a component that rarely
I find within my clients.

Marco

-- 
_
Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi.
                    Jim Morrison



Re: Installation openLDAP in Debian

2011-04-28 Thread Simone Piccardi

On 28/04/2011 12:00, Hallvard B Furuseth wrote:

Olivier Guillard writes:

How to survive in operational environment without comments
in files ( nor a way to track change logs btw ) ?


I suppose you could put slapd.d/ under version control.  After making
a change or a set of changes, commit your modified slapd.d/ with your
comments in the commit message.  Or put comments in other files under
slapd.d/.  If these filenames do not resemble DNs, e.g. have filetype
.txt and no '=' in them, they won't clash with cn=config's filenames.
I haven't tried how cumbersome this is/isn't in practice though.

Apart the fact we were told not to touch slapd.d, this will raise 
complexity (adding a VCS, finding a way to relate comments to contents, 
and so on).


So now I need more logic, more programs, when I can do everything with 
just an editor and some text when having a file.


Simone
--
Simone Piccardi                       Truelite Srl
picca...@truelite.it (email/jabber)   Via Monferrato, 6
Tel. +39-347-1032433                  50142 Firenze
http://www.truelite.it                Tel. +39-055-7879597  Fax. +39-055-736



Re: Installation openLDAP in Debian

2011-04-28 Thread Hallvard B Furuseth
Olivier Guillard writes:
> How to survive in operational environment without comments
> in files ( nor a way to track change logs btw ) ?

I suppose you could put slapd.d/ under version control.  After making
a change or a set of changes, commit your modified slapd.d/ with your
comments in the commit message.  Or put comments in other files under
slapd.d/.  If these filenames do not resemble DNs, e.g. have filetype
.txt and no '=' in them, they won't clash with cn=config's filenames.
I haven't tried how cumbersome this is/isn't in practice though.

-- 
Hallvard
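
As an added example, not code from the thread or from the OpenLDAP project, the POSIX shell functions below sketch the workflow Hallvard describes: apply a cn=config change over the protocol, append a note to a plain text file inside slapd.d/ whose name contains no '=' (so it cannot collide with a DN-derived entry file), and commit the directory to git so the commit history becomes the change log. The slapd.d path, the notes file name, the ldapmodify invocation and the git identity are assumptions; adapt them to your installation. The directory is only read by the snapshot step, never edited by hand.

```shell
#!/bin/sh
# Added example: keep slapd.d/ under version control as a browseable change log.

SLAPD_D=${SLAPD_D:-/etc/openldap/slapd.d}   # assumed location
NOTES_FILE=CHANGES.txt                        # no '=' in the name: safe beside cn=config files

# Returns 0 when a file name may live next to cn=config's own files:
# a .txt extension and no '=' anywhere in the name (Hallvard's criterion).
notes_filename_ok() {
    case $1 in
        *=*)   return 1 ;;   # looks like a DN-derived entry file name
        *.txt) return 0 ;;
        *)     return 1 ;;
    esac
}

# Records the current state of a slapd.d directory as a git commit and
# prints the number of commits so far. Initialises the repository on first
# use; skips the commit when nothing changed. Uses an explicit identity so
# it works on hosts without a global git config.
snapshot_slapd_d() {
    dir=$1
    msg=$2
    [ -d "$dir/.git" ] || git -C "$dir" init -q
    git -C "$dir" add -A
    if ! git -C "$dir" diff --cached --quiet; then
        git -C "$dir" -c user.name=slapd-snapshot -c user.email=slapd@localhost \
            -c commit.gpgsign=false commit -q -m "$msg"
    fi
    git -C "$dir" rev-list --count HEAD
}

# Typical use: change cn=config through LDAP (never by editing slapd.d/),
# write a one-line note, then snapshot. The ldapmodify call assumes a local
# ldapi:/// socket with EXTERNAL (root) access, as on most distributions.
apply_and_record() {
    ldif=$1
    msg=$2
    notes_filename_ok "$NOTES_FILE" || { echo "unsafe notes file name" >&2; return 1; }
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$msg" >> "$SLAPD_D/$NOTES_FILE"
    snapshot_slapd_d "$SLAPD_D" "$msg"
}

# Example invocation (commented out: needs a running slapd and root):
# apply_and_record /root/loglevel.ldif "raise olcLogLevel to stats for debugging"
```

Because the directory is committed as-is after each change, `git log` in slapd.d/ answers "who changed what, and why" with the commit messages, and `git diff` between two commits shows the exact attribute that moved, which is the history slapd.conf never had either.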



Re: Problem regarding OpenLdap installation and Berkeley DB

2011-04-28 Thread Alejandro Imass
On Tue, Apr 26, 2011 at 2:09 PM, Frederick William Borges Pohl
 wrote:
> Hello,
>
>
>
> I am a new user to Openldap and I´ve been struggling to install on my RedHat
> box for quite some time.
>
> I´ve googled and read past messages from this forum but i´m still unable to
> solve my problem which.
>
>
>
[...]
>
>
> Any tips?
>

These problems seem to be recurring on RHEL and related to version mismatches.
Did you install BDB from source as well?
Did you run ldconfig, try rebooting (a la Windoze)?
Changing LD_LIBRARY_PATH and making sure /usr/local is first might
help but usually not necessary. might be missing a stupid symlink
(like a top-level .so).
If you're running RHEL are there no officially supported rpm binary
packages for OpenLDAP?

Best,

--
Alejandro imass



Suitability of LDAP as DNS backend - PowerDNS LDAP backend moving to unmaintained status

2011-04-28 Thread Nick Milas

Hi,

We've been using for several months PowerDNS Authoritative Server v9.22 
with LDAP backend (simple mode), using OpenLDAP (v2.4.22) for hosting 
our organization's domains (and reverse zones) and it has been working 
fine (low query times, reliable etc.) so we enjoy having all our 
organization's data stored/maintained in the same DIT in LDAP.


However, as PowerDNS Authoritative Server is preparing for the next 
version (3.0), it seems that the LDAP backend will be unmaintained (see: 
http://mailman.powerdns.com/pipermail/pdns-users/2011-March/007547.html) 
as the LDAP backend developer is no longer working on it (see: 
http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03625.html).


It has been alleged (see ref. above) that "We don't think that LDAP is a 
particularly good or interesting place to store DNS data. It will for 
example have big problems with PowerDNSSEC because of lack of ordering." 
Moreover, PowerDNS LDAP backend (although current open bugs are very few 
and of relatively low severity) lacks features (e.g. Notify, which we 
implement using custom script, cron and notify-dns-slaves, see: 
http://mailman.powerdns.com/pipermail/pdns-users/2010-October/007109.html) 
and is not being evolved any more.


Additionally, LDAP/database backend projects for BIND9 (SDB and DLZ) do 
not seem very well maintained either. In any case we prefer PowerDNS 
approach where backend implementation is cleaner and direct.


So, my questions:

   * From the above and your experience, do you consider that LDAP should
     not be preferred as a DNS backend?
   * Should LDAP be avoided as a DNS/DNSSEC backend?
   * Would any companies / developer(s) from the OpenLDAP world -
     perhaps already using or interested in using DNS with an LDAP backend
     - be willing to devote some time to fix a couple of small
     bugs and keep the very well-designed and developed PowerDNS LDAP
     backend in shape? We could even start some community donation
     effort (to support this development), but I don't know if there is
     sufficient usage/interest in the LDAP backend that would generate
     enough funds.

In essence, should we drop LDAP as a DNS record datastore, due to the
lack of a properly maintained backend and/or unsuitability for (e.g.
DNSSEC) evolution, or do you think there IS interest in the maintenance /
evolution of the LDAP backend by the OpenLDAP developers/community (even
by it becoming more openldap-oriented rather than cross-platform)?


Best Regards,
Nick



Re: Problem regarding OpenLdap installation and Berkeley DB

2011-04-28 Thread Marco Pizzoli
Hi,
OpenLDAP is officially supported only with BerkeleyDB versions up to
5.0.x, and that particular version only since 2.4.24.

See http://www.openldap.org/lists/openldap-announce/201102/msg0.html

You should try with the latest one available: 2.4.25

Hope this helps
Marco

On Tue, Apr 26, 2011 at 8:09 PM, Frederick William Borges Pohl
 wrote:
> Hello,
>
> I am a new user to Openldap and I've been struggling to install on my RedHat
> box for quite some time.
>
> I've googled and read past messages from this forum but I'm still unable to
> solve my problem which.
>
> I have installed Berkeley Db db-5.1.25 with success but when I try to
> install openldap, I get the following error:
>
> [root@redqas01 openldap-2.4.23]# ./configure
> …
> checking db.h usability... yes
> checking db.h presence... yes
> checking for db.h... yes
> checking for Berkeley DB major version in db.h... 5
> checking for Berkeley DB minor version in db.h... 1
> checking if Berkeley DB version supported by BDB/HDB backends... yes
> checking for Berkeley DB link (default)... no
> configure: error: BDB/HDB: BerkeleyDB not available
>
> Searching this mailing list, I found some information regarding setting the
> LDFLAGS and CPPFLAGS for the BDB installation.
>
> So I ran the following commands (considering that the installation for the
> BDB was in the /usr/local directory):
>
> LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.5.1/lib:/usr/local/berkeley/lib"
> LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.5.1/lib -L/usr/local/berkeley/lib"
> CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.5.1/include -I/usr/local/berkeley/include"
>
> I checked the /usr/local/lib/ directory and the libdb-5* files are there.
>
> I also checked the /usr/local/include/ and the db.h file is also there.
>
> But I still get the same error message.
>
> Any tips?
>
> Att
>
> Frederick Pohl
>



-- 
_
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get up again.
                    Jim Morrison



'Operations error' possible from self signed cert?

2011-04-28 Thread paul.osborne
Hi,

I have a working (I think) LDAP proxy using TLS between other systems
and our Active Directory. I am, though, slightly confused as to why, when
the proxy is working, it is generating the following operations error
messages.

An example of the query and response:

ldapsearch -x -LLL "(cn=ta99)" -D "CN=ldapproxy,OU=Service Accounts,DC=myad,DC=canterbury,DC=ac,DC=uk" -w password -Z
ldap_start_tls: Operations error (1)
additional info: TLS already started
dn: cn=ta99,ou=Test Accounts,ou=OU Canterbury,dc=myad,dc=canterbury,dc=ac,dc=uk
cn: ta99
SAMACCOUNTNAME: ta99

# refldaps://ForestDnsZones.myad.canterbury.ac.uk/DC=ForestDnsZones,DC=ccad,DC=canterbury,DC=ac,DC=uk

# refldaps://ccad.canterbury.ac.uk/CN=Configuration,DC=myad,DC=canterbury,DC=ac,DC=uk

# refldaps://DomainDnsZones.ccad.canterbury.ac.uk/DC=DomainDnsZones,DC=myad,DC=canterbury,DC=ac,DC=uk

# refldaps://ccad.canterbury.ac.uk/CN=Schema,CN=Configuration,DC=myad,DC=canterbury,DC=ac,DC=uk

Operations error (1)


Note that the response LDIF has been filtered somewhat via use of the
rwm overlay, and this is deliberate. My concern, though, is the 'Operations
error (1)' at the beginning and end of the operation. I *think* that
this is because I am using a self-signed cert which I am politely
allowing through (TLS_REQCERT allow), but I would like to be sure that
this is the cause of the error before I have to start setting things up
on a real server with a properly trusted certificate and appropriate
chain.

Many thanks

Paul



Re: Installation openLDAP in Debian

2011-04-28 Thread fabio roi
Hi!


My +1 for not dismissing slapd.conf.

I split my conf files into nested subdirectories, too.
slapd.conf is very important to me!

thanks,
Fabio

2011/4/22 Marco Pizzoli 

> >
> > I completely agree. As I said, a little statistic to understand what
> > people use could be interesting. For me comments and a text file config
> > are mandatory. I am not configuring mysql.cnf using a mysql database. As
> > has been said before, once your setup is done, you barely change it. And a
> > little restart is not a problem using replicas.
> > If some colleagues come after me (not specialized in ldap), they would
> > probably be more comfortable with a traditional text file than using an
> > ldap browser which just shows DNs and attributes.
> > It may be great to replicate cn=config, but from some mails I read, it
> > seems not so easy. The harder it is to configure, the fewer people use it.
> >
>
> Hi all,
>
> +1 to not dismiss slapd.conf.
>
> Comments are my leading motivation in saying this.
> In my biggest deployment I used a complex configuration by splitting
> my conf files into nested subdirectories, mirroring the conceptual
> separation of OpenLDAP components: database(s), overlays related to
> each database, security, modules, etc...
> I commented each file heavily and, in this way, I'm able to guide my
> colleagues in ordinary activities, without the burden of having each
> of them become a full-time specialist in OpenLDAP, letting me go on
> holiday more relaxed :-)
> I commented the rationale of my choices, not only the meaning of the
> configuration directives. In an office of about 10 unix systems
> administrators with a large heterogeneity of skills and sw products this
> way has proved to be an added value.
>
> Not to be misunderstood, I like the cn=config way very much. But in my
> opinion it has to be a must in particular enterprise configurations,
> for example for bastion slaves used for H24 operational systems, or in
> situations where a network load balancer (to obtain failover, I mean)
> in between cannot be used.
>
> My 2 cents.
>
> Marco
>


integrating a new overlay to the server

2011-04-28 Thread Cohen Roi
I'm working with RHEL 5.5.

I want to write a new overlay which also uses another library.

How do I compile/configure it to work within the server?

Thanks, Roi.




Problem regarding OpenLdap installation and Berkeley DB

2011-04-28 Thread Frederick William Borges Pohl
Hello,

I am a new user to Openldap and I've been struggling to install on my RedHat 
box for quite some time.

I've googled and read past messages from this forum but I'm still unable to 
solve my problem which.

I have installed Berkeley Db db-5.1.25 with success but when I try to install 
openldap, I get the following error:

[root@redqas01 openldap-2.4.23]# ./configure
...
checking db.h usability... yes
checking db.h presence... yes
checking for db.h... yes
checking for Berkeley DB major version in db.h... 5
checking for Berkeley DB minor version in db.h... 1
checking if Berkeley DB version supported by BDB/HDB backends... yes
checking for Berkeley DB link (default)... no
configure: error: BDB/HDB: BerkeleyDB not available

Searching this mailing list, I found some information regarding setting the 
LDFLAGS and CPPFLAGS for the BDB installation.
So I ran the following commands (considering that the installation for the BDB 
was in the /usr/local directory):

LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.5.1/lib:/usr/local/berkeley/lib"
LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.5.1/lib -L/usr/local/berkeley/lib"
CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.5.1/include -I/usr/local/berkeley/include"

I checked the /usr/local/lib/ directory and the libdb-5* files are there.
I also checked the /usr/local/include/ and the db.h file is also there.

But I still get the same error message.

Any tips?

Att

Frederick Pohl



[OpenLDAP 2.4.23-7 ] Trouble using rwm to delete ObjectClass & attribute

2011-04-28 Thread Cédric COPY
Hi there,

I have some trouble using the rwm overlay. In fact, I am not sure it fits
my need, but the documentation isn't explicit about that point.

I am trying to set up some replication from a master OpenLDAP server to
some other server in my DMZ, through a proxy. The proxy retrieves what
I need from the master, then pushes it to the DMZ server.
There are some attributes on my master server that I don't want on the
DMZ server, for instance sambaGroupMapping & sambaSamAccount. The idea
was to use rwm to delete those objectClasses and attributes.
But it doesn't work: I can change an objectClass name, but I can't delete
them, and I can delete attributes, but not rename them (which doesn't matter in
my case).

Here is my configuration. I tried something with the relay backend,
but it doesn't matter, focus on the rwm configuration.


include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/authldap.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        -1

modulepath      /usr/lib/ldap
moduleload      back_ldap
moduleload      back_relay
moduleload      syncprov
moduleload      rwm

database        ldap
suffix          "ou=proxy,o=ca,c=net"
uri             ldap://ldap-dmz

acl-bind        bindmethod=simple

idassert-bind   bindmethod=simple
                binddn="cn=admin,ou=real,o=ca,c=net"
                credentials="secret"


database        relay
suffix          "ou=real,o=ca,c=net"
relay           "ou=proxy,o=ca,c=net"

rootdn          "cn=admin,ou=real,o=ca,c=net"

lastmod         on

restrict        all

overlay         rwm
rwm-rewriteEngine on

# Doesn't work
rwm-map objectclass sambaGroupMapping
# Works
rwm-map objectclass sambaSamAccount sa
# Doesn't work
rwm-map objectclass *

syncrepl        rid=001
                provider=ldap://ldap
                attrs="@inetOrgPerson,@posixAccount,@shadowAccount,@organizationalPerson,@person"
                bindmethod=simple
                searchbase="ou=people,ou=real,o=ca,c=net"
                type=refreshAndPersist
                retry="60 +"
                interval=00:00:01:00
                schemachecking=off

overlay         syncprov




The documentation about the rwm overlay does not indicate that objectClasses
can't be renamed.

I also tried to filter those attributes via the exattrs / attrs of my
syncrepl configuration, but that doesn't work either; it doesn't delete the
objectClass (seen with wireshark).

Maybe it's not the right way to delete those things. If you have any
idea about how to do it.

Thank you for your help.

Regards,
Cédric.



LDAP proxy to AD - fails to bind

2011-04-28 Thread paul.osborne
Hi,

I am going through the hoops of setting up an LDAP proxy (OpenLDAP 2.3
as supplied with Red Hat 5.6) in order to expose parts of our Active
Directory to other services which, for political and security reasons
(that I have no influence over), we do not want talking directly to the AD.
In order to achieve this I would like to use back-ldap as the database
to act as the proxy to the AD and then a module such as translucent to
mask out the bits of the AD that we do not want exposed.

So far I am fighting to get back-ldap working as I would expect; at the
moment, no matter what I do, it fails to bind against the AD and a tcp
dump demonstrates this failure. Anonymously binding and querying the AD
is not an option and so I have to specify a user and get ID assertion
working to force a bind against the AD as a specific known user. This
does mean that anything (at the moment) could query our proxy and so get
at the exposed parts of the AD, and for the moment that is intentional. I
am also aware that TLS etc. are not enabled - this is deliberate as it
makes packet sniffing for debugging easier.

So for my slapd.conf I have:

[slapd.conf]

database        ldap
uri             "ldap://myad.canterbury.ac.uk/"
suffix          "dc=myad,dc=canterbury,dc=ac,dc=uk"

acl-bind        bindmethod=simple
                binddn="CN=ldapproxy,OU=AD Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk"
                credentials="password"
access to * by * read

idassert-bind   bindmethod=simple
                authzId=dn:CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk
                binddn="CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk"
                credentials="password"
idassert-authzFrom      "dn.regex:.*"

[end slapd.conf]

At the moment I don't really care that anyone can read anything from the
AD since I can't even bind; that will be tightened up in due course. I
have seen others over the years have similar issues and I have noted
the responses they received as well as reading the man pages and
the Admin Guide, but am now at the point where some community support
would be appreciated.

Thanks

Paul



Problem about CA Issue Certificate with LDAP

2011-04-28 Thread Nguyen, Quoc Khanh


Hi all,

I'm a newcomer, and I'm trying to configure a CA with LDAP following
this site: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2

4.2 CA Issue Certificate

When going to step 4, I received an error message.

root@ldap:/usr/local/openssl/bin# /usr/local/openssl/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
665:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
665:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load CA private key
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem

I think it's very simple, but I don't know how to solve it. I have tried
many ways but failed to fix it. Maybe I don't understand the CA certificate.

I am so confused.

Please help,

khanhnq
--

***
 EVERYTHING HAS JUST BEGUN...


Invalid DN Syntax in Shell Script

2011-04-28 Thread Inácio Alves
Hi to all,

I'm trying to write a shell script to simplify changing users' passwords.
So I wrote

function verificaSenha(){
  whoAmI=`whoami`
  param=`echo "ldapsearch -x -W -D \"uid=$whoAmI,ou=People,dc=ifce,dc=edu,dc=br\" -b \"dc=ifce,dc=edu,dc=br\" \"(uid=$whoAmI)\""`
  exec `echo "$param"`
}

The line param=... produces a command line that works when I type it directly
in the terminal; however, at the line exec "$param" I am asked for my LDAP
password (as in the terminal), but when I type it I get

ldapsearch -x -W -D "uid=inacio,ou=People,dc=ifce,dc=edu,dc=br" -b "dc=ifce,dc=edu,dc=br" "(uid=inacio)"
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

what is wrong?

Best regards!!

-- 
Atenciosamente,

prof. Inácio Alves
IFCE/Campus Maracanaú
Bacharel em Matemática (UFC)/ Técnico em Conectividade(IFCE)
http://www.polluxweb.com/inacioalves/site/
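The "Invalid DN syntax" above comes from how the shell expands a command kept in a string: word splitting happens on the expanded text, but the quote characters inside it are not re-parsed, so they reach ldapsearch as part of the -D argument. The following is an added example, not from the original post or any reply, that reproduces this offline with a hypothetical stub `show_args` standing in for ldapsearch, and shows the direct invocation that keeps the DN intact (the user name is passed as a parameter instead of read from `whoami` so it can be tested).

```shell
#!/bin/sh
# Added example (not from the original thread). show_args is a hypothetical
# stand-in for ldapsearch: it prints the argument that follows -D exactly as
# it was received, so we can see what the server would be asked to parse.
show_args() {
  while [ $# -gt 0 ]; do
    if [ "$1" = "-D" ]; then
      printf '%s\n' "$2"
      return 0
    fi
    shift
  done
  return 1
}

# Broken form, mirroring the original script: the whole command line is
# built as one string and then expanded unquoted. The shell splits it on
# whitespace but does NOT strip the embedded \" characters, so the bind DN
# arrives as  "uid=...,dc=br"  including the literal quotes, which is not a
# valid DN (hence "Invalid DN syntax (34)").
broken_binddn() {
  user=$1
  param="show_args -x -W -D \"uid=$user,ou=People,dc=ifce,dc=edu,dc=br\" -b \"dc=ifce,dc=edu,dc=br\" \"(uid=$user)\""
  $param
}

# Correct form: call the command directly with quoted arguments. The quotes
# are handled by the shell at parse time and never reach the command, and
# "$user" stays a single argument even if it contained spaces.
fixed_binddn() {
  user=$1
  show_args -x -W -D "uid=$user,ou=People,dc=ifce,dc=edu,dc=br" \
    -b "dc=ifce,dc=edu,dc=br" "(uid=$user)"
}

# Demonstration with a constructed user name (matches the thread's example).
broken_binddn inacio   # prints: "uid=inacio,ou=People,dc=ifce,dc=edu,dc=br"  (quotes included)
fixed_binddn inacio    # prints: uid=inacio,ou=People,dc=ifce,dc=edu,dc=br
```

Replacing `show_args` with `ldapsearch` in `fixed_binddn` gives a working wrapper; the `exec` in the original is unnecessary and would also replace the calling shell.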


Mailbox Limitation

2011-04-28 Thread Vinayagamoorthi.Kvi
Hi,

My mail server setup has openldap-2.3.43-3.el5 for virtual users,
postfix as MTA and courier-IMAP as IMAP. Now I need to limit the Maildir
size via OpenLDAP but I don't know how to implement it. Please help.





Regards,

Vinay.



