date:20110923

Re: migrating from (old) /etc/shadow to LDAP

2011-09-23 Thread Juergen.Sprenger

Hi Gerardo,

the 'short strings' You mentioned are 13-character DES password hashes.
For security reasons they should not be used anymore if possible.

Putting {crypt} in front of them should be sufficient for conversion.

Normalizing the passwords might become difficult if only their DES hashes are 
available.

Especially in a heterogenous environment using simple authentication together 
with
ssl/tls will prevent some trouble.

In that case OpenLDAP will take care of the crypto algorithm, creation of 
password hashes and so on while clients just send plaintext passwords
over an encrypted ssl/tls connection to the LDAP server.

This will also prevent trouble if there is no common algorithm supported by
all OS flavors and releases in Your environment which use LDAP for 
authentication.

Regards

Juergen

Re: migrating from (old) /etc/shadow to LDAP

2011-09-23 Thread Howard Chu


juergen.spren...@swisscom.com wrote:

Hi Gerardo,

the 'short strings' You mentioned are 13-character DES password hashes.
For security reasons they should not be used anymore if possible.


It's always interesting to see how things have progressed. ~15 years ago a 
desktop processor could perform 130,000 crypts/second, and could crack a 
typical 8 character password in ~251 days.


http://personal.stevens.edu/~khockenb/crypt3.html

Skip ahead to 2010 and a single-core desktop processor can do 10 million 
crypts/second - so your crack time is now down to ~2.5 days for a single 
password, even less for multi-core. Of course, you can crack an entire 
password file all in parallel, since you only need to perform a simple 
comparison of the crypt result with each password.


http://openwall.info/wiki/john/benchmarks

So if all else fails, you can most likely generate the original plaintext for 
the majority of these old passwords in not much time. Of course, having done 
that, you probably won't want any of your users to continue using them...



Putting {crypt} in front of them should be sufficient for conversion.

Normalizing the passwords might become difficult if only their DES hashes are 
available.

Especially in a heterogenous environment using simple authentication together 
with
ssl/tls will prevent some trouble.

In that case OpenLDAP will take care of the crypto algorithm, creation of
password hashes and so on while clients just send plaintext passwords
over an encrypted ssl/tls connection to the LDAP server.

This will also prevent trouble if there is no common algorithm supported by
all OS flavors and releases in Your environment which use LDAP for 
authentication.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Re: migrating from (old) /etc/shadow to LDAP

2011-09-23 Thread Simone Piccardi


On 22/09/2011 16:10, Christopher Wood wrote:

Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, 
and ensure you have compat ldap as lookups listed in /etc/nsswitch.conf for 
passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, 
but I haven't gotten that far yet.)


This, at least for Debian Stable and Ubuntu LTS has an important 
shortcoming, it does not update shadowLastChange on password change. So 
if you set a password expiration they will stay expired forever.


It can be made working with a patched smbk5pwd overlay in the openldap 
server, but that's not present in Debian or Ubuntu.


Simone
--
Simone Piccardi Truelite Srl
picca...@truelite.it (email/jabber) Via Monferrato, 6
Tel. +39-347-103243350142 Firenze
http://www.truelite.it  Tel. +39-055-7879597Fax. +39-055-736

Re: migrating from (old) /etc/shadow to LDAP

2011-09-23 Thread Howard Chu


Simone Piccardi wrote:

On 22/09/2011 16:10, Christopher Wood wrote:

Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, 
and ensure you have compat ldap as lookups listed in /etc/nsswitch.conf for 
passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, 
but I haven't gotten that far yet.)


This, at least for Debian Stable and Ubuntu LTS has an important
shortcoming, it does not update shadowLastChange on password change. So
if you set a password expiration they will stay expired forever.


Not a major shortcoming. If you're actually using LDAP then you should set 
expiration using ppolicy and not using shadow attributes at all.



It can be made working with a patched smbk5pwd overlay in the openldap
server, but that's not present in Debian or Ubuntu.

Simone


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Re: migrating from (old) /etc/shadow to LDAP

2011-09-23 Thread Simone Piccardi


On 23/09/2011 13:20, Howard Chu wrote:


Not a major shortcoming. If you're actually using LDAP then you should
set expiration using ppolicy and not using shadow attributes at all.

Did this solve problems with current nslcd, libnss-ldapd, libpam-ldapd 
packages on Debian Stable and Ubuntu LTS? I was not aware of this.


Anyway I have more than 80 server in schools, with hundred of students 
registered in each one. When they where created 6 years ago  ppolicy was 
not an option.


I prefer to install a patched slapd-smbk5passwd package on each server 
and have a consistent managament of the actual information than 
reworking the data in each database and make changes in about 2500 
client configurations.


Ppolicy could be the future, but I have to deal with the present and the 
past.


Simone
--
Simone Piccardi Truelite Srl
picca...@truelite.it (email/jabber) Via Monferrato, 6
Tel. +39-347-103243350142 Firenze
http://www.truelite.it  Tel. +39-055-7879597Fax. +39-055-736

Re: migrating from (old) /etc/shadow to LDAP

2011-09-23 Thread Christopher Wood

On Fri, Sep 23, 2011 at 12:19:17PM +0200, Simone Piccardi wrote:
 On 22/09/2011 16:10, Christopher Wood wrote:
 Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your 
 /etc/nslcd.conf, and ensure you have compat ldap as lookups listed in 
 /etc/nsswitch.conf for passwd, group, shadow. (I figure on the whole 
 nss-pam-ldapd arrangement for CentOS6 too, but I haven't gotten that far 
 yet.)
 
 This, at least for Debian Stable and Ubuntu LTS has an important
 shortcoming, it does not update shadowLastChange on password change.
 So if you set a password expiration they will stay expired forever.

This depends where passwords are maintained. Certainly in your case it sounds 
like the authoritative password copy is maintained in the directory.
 
 It can be made working with a patched smbk5pwd overlay in the
 openldap server, but that's not present in Debian or Ubuntu.
 
 Simone
 -- 
 Simone Piccardi Truelite Srl
 picca...@truelite.it (email/jabber) Via Monferrato, 6
 Tel. +39-347-103243350142 Firenze
 http://www.truelite.it  Tel. +39-055-7879597Fax. +39-055-736

Re: migrating from (old) /etc/shadow to LDAP

2011-09-23 Thread Simone Piccardi


On 23/09/2011 14:42, Christopher Wood wrote:

On Fri, Sep 23, 2011 at 12:19:17PM +0200, Simone Piccardi wrote:

On 22/09/2011 16:10, Christopher Wood wrote:

Debian/Ubuntu: install nslcd, libnss-ldapd, libpam-ldapd, configure your /etc/nslcd.conf, 
and ensure you have compat ldap as lookups listed in /etc/nsswitch.conf for 
passwd, group, shadow. (I figure on the whole nss-pam-ldapd arrangement for CentOS6 too, 
but I haven't gotten that far yet.)


This, at least for Debian Stable and Ubuntu LTS has an important
shortcoming, it does not update shadowLastChange on password change.
So if you set a password expiration they will stay expired forever.


This depends where passwords are maintained. Certainly in your case it sounds 
like the authoritative password copy is maintained in the directory.


The problem I'm talking is not about password, they are just in 
userPassword.


Problem arise form the lack of managament of shadowLastChange in the 
current version of nslcd, libnss-ldapd, libpam-ldapd, for both Squeeze 
and Lucid.


It should work if you use the old libpam-ldap.

Simone
--
Simone Piccardi Truelite Srl
picca...@truelite.it (email/jabber) Via Monferrato, 6
Tel. +39-347-103243350142 Firenze
http://www.truelite.it  Tel. +39-055-7879597Fax. +39-055-736

schema question

2011-09-23 Thread John Tobin

To the ldap forum:

I have loaded suse 12.1 m5.
I have setup an openldap server, which was the main mission of this machine, 
and it works.
It has ssl /tls, certificates are loaded, that works.
I used ldap client to setup the ldap browser and that works also.
This is the new 2.4.26 server, which has some rather major changes in how ldap 
is setup. After about 2 weeks I have that under control.

My little domain is setup on dark.net [dc=dark,dc=net].

I used ldapadd to put in the administrator, and I have used ldapsearch to list 
the subschema. I took the default schema. The list of the subschema includes 
everything I would like to use.

Now I want to go about the real business of defining users.

I have reviewed a number of pages to ensure I am doing what appears to be the 
correct procedure, for instance :

http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html

Which lists:

File: fratbrother.ldif

dn: cn=fratbrother,o=delta
cn: fratbrother
sn: fratbrother
objectclass: top
objectclass: person
userPassword: fratsecret

ldapadd -f fratbrother.ldif -cxv -D cn=DeanWormer,o=delta -w secret2


And other similar updates.

But on my machine I create something simple like:

File : dark.ldif

dn: cn=jctobin,dc=dark,dc=net
cn: jctobin
userPassword: Hello1$

Ldapadd -x -D “cn=admin,dc=dark,dc=net” -W -f dark.ldif
Enter LDAP Password:
Adding new entry “cn=jctobin,dc=dark,dc=net”
Ldap_add: Object class violation (65)
   Additional info: no objectClass attribute

Obviously my ldap server does not like the “userPassword”  class.
I have not been able to use any of the other classes I would like to either 
[ou: (organizational Unit), uid (unix term for a number corresponding to the 
user id), etc.]

What have I not setup correctly?

I need to get these users up and running.

tob

JLDAP Search

2011-09-23 Thread criderkevin


 

 I'm using the example code from the Novell site to perform a Java JLDAP search 
by uid of my directory.

http://developer.novell.com/documentation/samplecode/jldap_sample/index.htm

the one called search.java

My program does this: the main java class prompts the user over and over (it's 
in a while(true) loop) for search parameters, then executes this search.java 
method. I'm using this (above) code as is except for the Systems.exit(0).

The first time it runs it returns the correct result...but every run after that 
it returns 0 results. I have to restart my Java program to get it to return the 
correct result again. There's no public variables in the way...I'm not sure 
what could be the issue. I've looked through the LDAPConnection.java and 
nothing looks looks like anything that would corrupt, clear a cache, or queue, 
or do anything more than what the disconnect (should) does.

Anyone run into this?...or have any ideas?

Thanks!

Kevin

multi master no syncing.

2011-09-23 Thread Sébastien Bernard


Hi,

I've setup a multimaster cluster composed of two machine (in my example 
192.168.0.204 and 192.168.0.197).

Everything is working ok and both side are replicating ok.

However, I've a problem I'd like to submit to your sagacity.

When I put down a server, and modify the other server (delete or add), 
when the first server comes back, the modifications are not pushed in 
the old server.
Server 1 says Entry cn=seb,ou=orgunit,o=org,dc=example,dc=com changed by 
peer, ignored


Adding new entries works ok and synchronisation happens but for the 
nodes altered while one of the servers was down, the modifications are 
lost (or more precisely ignored by the other).


My questions:
Is this normal behaviour (Maybe I got the configuration wrong) ?
How may I force the missing entries to be replicated to the other ? 
(Only solution I found is to wipe the entire database on the down server 
that force a replication from its peer).


sincerely,
Seb

Here an extract of the slapd.log from server 1:
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrep2: rid=002 (-1) Can't 
contact LDAP server
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying 
(4 retries left)
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrep2: rid=004 (-1) Can't 
contact LDAP server
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying 
(4 retries left)

Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1002 op=2 UNBIND
Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1002 fd=19 closed
Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1003 op=2 UNBIND
Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1003 fd=20 closed
Sep 22 10:12:37 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:37 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying 
(3 retries left)
Sep 22 10:12:37 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com 
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:37 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying 
(3 retries left)


Sep 22 10:12:42 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com 
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:42 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying 
(2 retries left)
Sep 22 10:12:42 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:42 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying 
(2 retries left)
Sep 22 10:12:47 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com 
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:47 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying 
(1 retries left)
Sep 22 10:12:47 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:47 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying 
(1 retries left)
Sep 22 10:12:52 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)

Sep 22 10:12:52 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying
Sep 22 10:12:52 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com 
ldap_sasl_bind_s failed (-1)

Sep 22 10:12:52 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying
Sep 22 10:12:57 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:57 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying 
(4 retries left)
Sep 22 10:12:57 dhcp204 slapd[2689]: slap_client_connect: 
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com 
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:57 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying 
(4 retries left)
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 fd=13 ACCEPT from 
IP=192.168.0.197:55471 (IP=0.0.0.0:389)
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 op=0 BIND 
dn=cn=manager,dc=example,dc=com method=128
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 op=0 BIND 
dn=cn=manager,dc=example,dc=com mech=SIMPLE ssf=0
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 op=0 RESULT tag=97 err=0 
text=
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 fd=15 ACCEPT from 
IP=192.168.0.197:55473 (IP=0.0.0.0:389)
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=0 BIND dn=cn=config 
method=128
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=0 BIND dn=cn=config 
mech=SIMPLE ssf=0
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=0 RESULT tag=97 err=0 
text=
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=1 SRCH 
base=cn=config scope=2 deref=0 filter=(objectClass=*)

Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=1 SRCH attr=* +
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=1 INTERM 
oid=1.3.6.1.4.1.4203.1.9.1.4
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 op=1 SRCH 
base=dc=example,dc=com scope=2 deref=0 filter=(objectClass=*)

Sep 22

rwm + cn=config

2011-09-23 Thread Frava

Hello,

I use the rwm overlay to forward the authentication of some users to the
general ldap replicas of my corp.

Part of slapd.conf :

###
...
overlay rwm
rwm-rewriteEngine   on
rwm-rewriteContext  bindDN
rwm-rewriteMap  ldap mysearch ldap://
ldap.example.com:389/ou=users,dc=example,dc=com?dn?sub
rwm-rewriteRule ^uid=([^,]+),ou=people,dc=[^,]+,dc=example,dc=com$
${mysearch(((objectClass=posixAccount)(uid=$1)))} :@I

databaseldap
suffix  ou=users,dc=example,dc=com
uri ldap://ldap.example.com:389/;
restrictread write extended

databasebdb
suffix  dc=example,dc=com
rootdn  cn=admin,dc=example,dc=com
rootpw  mypassword
directory   /var/db/openldap-data/mydb
...


Now I converted the 'slapd.conf' to 'cn=config' with slaptest, the remote
authentication stopped working;
and looking at cn=config, all the rules are there...

Any Ideas ?
Rafael NAVAZA.

OpenLDAP with MySQL backend not working

2011-09-23 Thread Victor LAZA

Hi all,

 

I am using OpenLDAP with MySQL backend for testing purpose, a future project
of linux authentication via LDAP but with MySQL backend.

 

For this I am using 2 virtual machines with the following configurations:

 

Centos 5.6 x86_64

Iptables is off

Memory: 1 GB of RAM

Packages installed on server: openldap.x86_64  , openldap-servers-sql.x86_64
, openldap-servers.x86_64 , openldap-clients.x86_64 (all are version 2.3.43)
, openldap24-libs.x86_64 (version 2.4.23) , mysql-connector-odbc.x86_64
(version 3.51.26r1127 )

Packages installed on client: openldap-clients.x86_64 (version 2.3.43)

 

On the server I have created a user ldap, group ldap and granted him FULL
access on ldap_test database

After that I imported from
/usr/share/doc/openldap-servers-sql-2.3.43/rdbms_depend/mysql/

the files: backsql_create.sql , testdb_create.sql , testdb_data.sql ,
testdb_metadata.sql

into the database ldap_test

 

When I try to ldap search from the CLIENT computer with

 

ldapsearch -x  

 

it should show me all the contents in the database

 

tried also with 

 

ldapsearch -x -D cn=admin,dc=example,dc=com -W

 

still no result

 

In a manual check the data is in the MySQL database, in all tables

 

 

Can someone provide me some info/ideeas on how to configure it to work?

Thank you in advance.

Below are all my config files and the output from slapd

 



/etc/odbc.ini



; ; odbc.ini configuration for Connector/ODBC and Connector/ODBC 3.51
drivers ;

 

[ODBC Data Sources]

mysql = MySQL 3.51

 

[mysql]

driver   = mysql

server   = localhost

port = 3306

database = ldap_test

user = ldap

password = ldappass

socket   = /var/lib/mysql/mysql.sock

 

[default]

driver   = MySQL

server   = localhost

port = 3306

database = ldap_test

user = ldap

password = ldappass

socket   = /var/lib/mysql/mysql.sock

 

##

/etc/odbcinst.ini

##

mysql]

driver  = /usr/lib64/libmyodbc3.so

usagecount  = 1

 



/etc/openldap/slapd.conf



#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

 

# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral   ldap://root.openldap.org

 

# Level of LOG

loglevel-1

 

pidfile /var/run/openldap/slapd.pid

argsfile/var/run/openldap/slapd.args

 

# Load dynamic backend modules:

#modulepath /usr/lib64/openldap/

 

# Modules available in openldap-servers-overlays RPM package

# Module syncprov.la is now statically linked with slapd and there

# is no need to load it here

# moduleload accesslog.la

# moduleload auditlog.la

# moduleload denyop.la

# moduleload dyngroup.la

# moduleload dynlist.la

# moduleload lastmod.la

# moduleload pcache.la

# moduleload ppolicy.la

# moduleload refint.la

# moduleload retcode.la

# moduleload rwm.la

# moduleload smbk5pwd.la

# moduleload translucent.la

# moduleload unique.la

# moduleload valsort.la

 

# modules available in openldap-servers-sql RPM package:

moduleload /usr/lib64/openldap/back_sql.la

 

# The next three lines allow use of TLS for encrypting connections using a

# dummy test certificate which you can generate by changing to

# /etc/pki/tls/certs, running make slapd.pem, and fixing permissions on

# slapd.pem so that the ldap user or group can read it.  Your client
software

# may balk at self-signed certificates, however.

# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

# TLSCertificateFile /etc/pki/tls/certs/slapd.pem

# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

 

# Sample security restrictions

#   Require integrity protection (prevent hijacking)

#   Require 112-bit (3DES or better) encryption for updates

#   Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

 

# Sample access control policy:

#   Root DSE: allow anyone to read it

#   Subschema (sub)entry DSE: allow anyone to read it

#   Other DSEs:

#   Allow self write access

#   Allow authenticated users read access

#   Allow anonymous users to authenticate

#   Directives needed to implement policy:

# access to dn.base= by * read

# access to dn.base=cn=Subschema by * read

access to *

by self write

by users read

by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., access to * by

Newbie here

2011-09-23 Thread brown wrap

I have downloaded and installed OpenLDAP from www.sunfreeware.com. I have also 
installed the required supporting software. I know nothing about OpenLDAP. This 
is my first exposure. It will be on a test setup, running on old SPARCstations. 
I have settup the conf file, started slapd and it returns to the the prompt. 
Adding the debug flag shows its complaining about Berkley DB. Has someone here 
made a similar setup? I don't have access to the machine at this point. Its not 
connected to the net. I was just wondering if someone else had a like install. 
Thanks.

Re: rwm + cn=config

2011-09-23 Thread Frava

Hi,

I got it working :

overlay rwm MUST be declared before database config in slapd.conf, then it
will be placed in olcDatabase={-1}frontend when converting with slaptest
-f slapd.conf -F slapd.d

Rafael.

Hello,

 I use the rwm overlay to forward the authentication of some users to the
 general ldap replicas of my corp.

 Part of slapd.conf :

 ###
 ...
 overlay rwm
 rwm-rewriteEngine   on
 rwm-rewriteContext  bindDN
 rwm-rewriteMap  ldap mysearch ldap://
 ldap.example.com:389/ou=users,dc=example,dc=com?dn?sub
 rwm-rewriteRule
 ^uid=([^,]+),ou=people,dc=[^,]+,dc=example,dc=com$
 ${mysearch(((objectClass=posixAccount)(uid=$1)))} :@I

 databaseldap
 suffix  ou=users,dc=example,dc=com
 uri ldap://ldap.example.com:389/;
 restrictread write extended

 databasebdb
 suffix  dc=example,dc=com
 rootdn  cn=admin,dc=example,dc=com
 rootpw  mypassword
 directory   /var/db/openldap-data/mydb
 ...
 

 Now I converted the 'slapd.conf' to 'cn=config' with slaptest, the remote
 authentication stopped working;
 and looking at cn=config, all the rules are there...

 Any Ideas ?
 Rafael NAVAZA.

Tutorial to make an overlay‏?

2011-09-23 Thread Johan Jakus

Hello everyone,

I'm Johan and I am in the final year of my studies in industrial
engineering.
For my stage, I've been asked to make an overlay for an OpenLDAP server.
But, I can't find any documentation on how to make an overlay,
could someone please redirect me to a tutorial or something likewise?
I would really appreciate it! Thanks!
Best regards,


Johan

Schema question... userPassword doesn't work

2011-09-23 Thread John Tobin

To the ldap forum:

I have loaded suse 12.1 m5.
I have setup an openldap server, which was the main mission of this machine,
and it works.
It has ssl /tls, certificates are loaded, that works.
I used ldap client to setup the ldap browser and that works also.
This is the new 2.4.26 server, which has some rather major changes in how
ldap is setup. After about 2 weeks I have that under control.

My little domain is setup on dark.net [dc=dark,dc=net].

I used ldapadd to put in the administrator, and I have used ldapsearch to
list the subschema. I took the default schema. The list of the subschema
includes everything I would like to use.

Now I want to go about the real business of defining users.

I have reviewed a number of pages to ensure I am doing what appears to be
the correct procedure, for instance :

http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html

Which lists:

File: fratbrother.ldif

dn: cn=fratbrother,o=delta
cn: fratbrother
sn: fratbrother
objectclass: top
objectclass: person
userPassword: fratsecret

ldapadd -f fratbrother.ldif -cxv -D cn=DeanWormer,o=delta -w secret2


And other similar updates.

But on my machine I create something simple like:

File : dark.ldif

dn: cn=jctobin,dc=dark,dc=net
cn: jctobin
userPassword: Hello1$

Ldapadd -x -D ³cn=admin,dc=dark,dc=net² -W -f dark.ldif
Enter LDAP Password:
Adding new entry ³cn=jctobin,dc=dark,dc=net²
Ldap_add: Object class violation (65)
   Additional info: no objectClass attribute

Obviously my ldap server does not like the ³userPassword²  class.
I have not been able to use any of the other classes I would like to either
[ou: (organizational Unit), uid (unix term for a number corresponding to the
user id), etc.]

What have I not setup correctly?

I need to get these users up and running.
What can you do for me?

Sincerely,

Tob

Unable to start slapd, syncrepl error

2011-09-23 Thread William S.

Oh the wise and mighty of the openLDAP community, 

I have an issue that I have not been able to understand. Partially because
Im an enthusitis, not an expert in the domain. That being said, I've used
an openLDAP RPM compiled by one of the fellow *nix admins:
http://staff.telkomsa.net/packages - Yes, besides the security reasons I'm
desparate enough to try this. I'll eventually use the spec to compile my own
RPM.

I'm running CentOS 5.7 x86_64 with the latest packages. I was able to
successfully install and configure openLDAP but when I attempt to start it
with MIrrorMode, it will not start. I ran slaptest to figure out where it's
hanging up on: 

[root@ldap1 ~]# slaptest2.4 -f /etc/openldap2.4/slapd.conf 
/etc/openldap2.4/slapd.conf: line 207: rootDN must be defined before
syncrepl may be used
slaptest2.4: bad configuration file!

Any suggestions why it continues to complain about rootDN? I have it
specified and if slapd is going through the lines, it should have picked up
the rootdn before syncrepl. Thoughts? 

Here is my slapd.conf: 

include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema

#include /usr/share/openldap2.4/schema/rfc822-MailMember.schema
#include /usr/share/openldap2.4/schema/pilot.schema
#include /usr/share/openldap2.4/schema/qmail.schema
#include /usr/share/openldap2.4/schema/mull.schema
#include /usr/share/openldap2.4/schema/netscape-profile.schema
#include /usr/share/openldap2.4/schema/trust.schema

include /etc/openldap2.4/schema/local.schema
include /etc/openldap2.4/slapd.access.conf

access to dn.subtree=dc=domain,dc=pvt
by group=cn=Replicator,ou=Group,dc=domain,dc=pvt
by users read
by anonymous read
pidfile /var/run/ldap2.4/slapd.pid
argsfile/var/run/ldap2.4/slapd.args

modulepath  /usr/lib64/openldap2.4

# database backend modules available:
#moduleload  back_dnssrv.la
#moduleload  back_ldap.la
#moduleload  back_meta.la
moduleload  back_monitor.la
#moduleload  back_passwd.la
#moduleload  back_sql.la

# overlay modules available:
#moduleload accesslog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload glue.la
#moduleload lastmod.la
#moduleload pcache.la
#moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
moduleload syncprov.la
#moduleload translucent.la
#moduleload unique.la

#contrib overlays
#moduleload  smbk5pwd.so

# SASL config
#sasl-host ldap.domain.com

# To allow TLS-enabled connections, create /etc/ssl/openldap2.4/ldap.pem
# and uncomment the following lines.
#TLSRandFile/dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /etc/pki/tls/private/ldap.pem
TLSCertificateKeyFile   /etc/pki/tls/private/ldap.pem
#TLSCACertificatePath   /etc/ssl/openldap2.4/
#TLSCACertificateFile/etc/ssl/cacert.pem
TLSCACertificateFile/etc/pki/tls/private/ldap.pem
#TLSVerifyClient never # ([never]|allow|try|demand)

# logging
#loglevel 256

###
# database definitions
###

databasebdb
suffix  dc=domain,dc=pvt
#suffix o=My Organization Name,c=US
rootdn  cn=Manager,dc=domain,dc=pvt
#rootdn cn=Manager,o=My Organization Name,c=US

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpwsecret
# rootpw{crypt}ijFYNcSNctBYg
rootpw  {SSHA}[NeeeNer NeeeNer NeeeNer]

# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory   /var/lib/ldap2.4

# Tuning settings, please see the man page for slapd-bdb for more
information
# as well as the DB_CONFIG file in the database directory
# commented entries are at their defaults
# In-memory cache size in entries
#cachesize 1000
#

Unable to start slapd, syncrepl error

2011-09-23 Thread William S.










Oh the wise and mighty of the openLDAP community, 


I have an issue that I have not been able to understand. Partially because
I練 an enthusitis, not an expert in the domain. That being said, I've used
an openLDAP RPM compiled by one of the fellow *nix admins:
http://staff.telkomsa.net/packages - Yes, besides the security reasons I'm
desparate enough to try this. I'll eventually use the spec to compile my own
RPM.


I'm running CentOS 5.7 x86_64 with the latest packages. I was able to
successfully install and configure openLDAP but when I attempt to start it
with MIrrorMode, it will not start. I ran slaptest to figure out where it's
hanging up on: 


[root@ldap1 ~]# slaptest2.4 -f /etc/openldap2.4/slapd.conf 
/etc/openldap2.4/slapd.conf: line 207: rootDN must be defined before
syncrepl may be used
slaptest2.4: bad configuration file!


Any suggestions why it continues to complain about rootDN? I have it
specified and if slapd is going through the lines, it should have picked up
the rootdn before syncrepl. Thoughts? 


Here is my slapd.conf: 


include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema


#include /usr/share/openldap2.4/schema/rfc822-MailMember.schema
#include /usr/share/openldap2.4/schema/pilot.schema
#include /usr/share/openldap2.4/schema/qmail.schema
#include /usr/share/openldap2.4/schema/mull.schema
#include /usr/share/openldap2.4/schema/netscape-profile.schema
#include /usr/share/openldap2.4/schema/trust.schema


include /etc/openldap2.4/schema/local.schema
include /etc/openldap2.4/slapd.access.conf


access to dn.subtree=dc=domain,dc=pvt
by group=cn=Replicator,ou=Group,dc=domain,dc=pvt
by users read
by anonymous read
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args


modulepath /usr/lib64/openldap2.4


# database backend modules available:
#moduleloadback_dnssrv.la
#moduleloadback_ldap.la
#moduleloadback_meta.la
moduleloadback_monitor.la
#moduleloadback_passwd.la
#moduleloadback_sql.la


# overlay modules available:
#moduleload accesslog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload glue.la
#moduleload lastmod.la
#moduleload pcache.la
#moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
moduleload syncprov.la
#moduleload translucent.la
#moduleload unique.la


#contrib overlays
#moduleloadsmbk5pwd.so


# SASL config
#sasl-host ldap.domain.com


# To allow TLS-enabled connections, create /etc/ssl/openldap2.4/ldap.pem
# and uncomment the following lines.
#TLSRandFile/dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile/etc/pki/tls/private/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap2.4/
#TLSCACertificateFile/etc/ssl/cacert.pem
TLSCACertificateFile/etc/pki/tls/private/ldap.pem
#TLSVerifyClient never # ([never]|allow|try|demand)


# logging
#loglevel 256


###
# database definitions
###


database bdb
suffix dc=domain,dc=pvt
#suffix o=My Organization Name,c=US
rootdn cn=Manager,dc=domain,dc=pvt
#rootdn cn=Manager,o=My Organization Name,c=US


# Cleartext passwords, especially for the rootdn, should
# be avoided.See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}[NeeeNer NeeeNer NeeeNer]


# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap2.4


# Tuning settings, please see the man page for slapd-bdb for more
information
# as well as the DB_CONFIG file in the database directory
# commented entries are at their defaults
# In-memory cache size in entries
#cachesize 1000
# Checkpoint the bdb database after 256kb of writes or 5 minutes have passed
# since the last checkpoint
checkpoint 256 5


# Indices to maintain
index objectClass eq


# persion-type searches
index cn,mail,surname,givenname
eq,subinitial


#

Re: schema question

2011-09-23 Thread Turbo Fredriksson

On Sep 20, 2011, at 12:05 AM, John Tobin wrote:

 dn: cn=fratbrother,o=delta
 cn: fratbrother
 sn: fratbrother
 objectclass: top
 objectclass: person
 userPassword: fratsecret
 
 [...]
 
 dn: cn=jctobin,dc=dark,dc=net
 cn: jctobin
 userPassword: Hello1$
 
 […]
 Ldap_add: Object class violation (65)
Additional info: no objectClass attribute
 
 Obviously my ldap server does not like the “userPassword”  class.

userPassword is an attribute, not an objectClass.

If you look at the first object, there's two object classes
defined in the objectClass attribute: 'top' and 'person'

Left of the colon is an attribute, right side is a value.

I.e., you specify the object class to use, using the objectClass
attribute...

 What have I not setup correctly?

Your knowledge of what LDAP is :).

 I need to get these users up and running.

No, what you need to do is go back to the drawing board and 
learn a little theory - you need to learn to walk before you
can drive… Kinda :).

-- 
Turbo Fredriksson
tu...@bayour.com

Re: multi master no syncing.

2011-09-23 Thread Howard Chu


Sébastien Bernard wrote:

Hi,

I've setup a multimaster cluster composed of two machine (in my example
192.168.0.204 and 192.168.0.197).
Everything is working ok and both side are replicating ok.

However, I've a problem I'd like to submit to your sagacity.

When I put down a server, and modify the other server (delete or add),
when the first server comes back, the modifications are not pushed in
the old server.
Server 1 says Entry cn=seb,ou=orgunit,o=org,dc=example,dc=com changed by
peer, ignored


You have not provided enough useful information (OpenLDAP version, exact 
server configurations, which one is server 1 in your description) to be 
certain. But most likely you have not configured their ServerIDs correctly.



Adding new entries works ok and synchronisation happens but for the
nodes altered while one of the servers was down, the modifications are
lost (or more precisely ignored by the other).

My questions:
  Is this normal behaviour (Maybe I got the configuration wrong) ?
  How may I force the missing entries to be replicated to the other ?
(Only solution I found is to wipe the entire database on the down server
that force a replication from its peer).

sincerely,
Seb

Here an extract of the slapd.log from server 1:
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrep2: rid=002 (-1) Can't
contact LDAP server
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying
(4 retries left)
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrep2: rid=004 (-1) Can't
contact LDAP server
Sep 22 10:12:32 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying
(4 retries left)
Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1002 op=2 UNBIND
Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1002 fd=19 closed
Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1003 op=2 UNBIND
Sep 22 10:12:32 dhcp204 slapd[2689]: conn=1003 fd=20 closed
Sep 22 10:12:37 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:37 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying
(3 retries left)
Sep 22 10:12:37 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:37 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying
(3 retries left)

Sep 22 10:12:42 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:42 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying
(2 retries left)
Sep 22 10:12:42 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:42 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying
(2 retries left)
Sep 22 10:12:47 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:47 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying
(1 retries left)
Sep 22 10:12:47 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:47 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying
(1 retries left)
Sep 22 10:12:52 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:52 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying
Sep 22 10:12:52 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:52 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying
Sep 22 10:12:57 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=config ldap_sasl_bind_s failed (-1)
Sep 22 10:12:57 dhcp204 slapd[2689]: do_syncrepl: rid=002 rc -1 retrying
(4 retries left)
Sep 22 10:12:57 dhcp204 slapd[2689]: slap_client_connect:
URI=ldap://192.168.0.197 DN=cn=manager,dc=example,dc=com
ldap_sasl_bind_s failed (-1)
Sep 22 10:12:57 dhcp204 slapd[2689]: do_syncrepl: rid=004 rc -1 retrying
(4 retries left)
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 fd=13 ACCEPT from
IP=192.168.0.197:55471 (IP=0.0.0.0:389)
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 op=0 BIND
dn=cn=manager,dc=example,dc=com method=128
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 op=0 BIND
dn=cn=manager,dc=example,dc=com mech=SIMPLE ssf=0
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1007 op=0 RESULT tag=97 err=0
text=
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 fd=15 ACCEPT from
IP=192.168.0.197:55473 (IP=0.0.0.0:389)
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=0 BIND dn=cn=config
method=128
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=0 BIND dn=cn=config
mech=SIMPLE ssf=0
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=0 RESULT tag=97 err=0
text=
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=1 SRCH
base=cn=config scope=2 deref=0 filter=(objectClass=*)
Sep 22 10:13:02 dhcp204 slapd[2689]: conn=1008 op=1 SRCH attr=* +
Sep 22

Re: rwm + cn=config

2011-09-23 Thread Howard Chu


Frava wrote:

Hi,

I got it working :

overlay rwm MUST be declared before database config in slapd.conf, then it
will be placed in olcDatabase={-1}frontend when converting with slaptest -f
slapd.conf -F slapd.d


Of course since you omitted that part of the slapd.conf you posted, nobody on 
the mailing list could have known this was relevant to your problem.


And for such global config items, you can eliminate all uncertainty by simply 
using database frontend to hold these overlays.



Rafael.

Hello,

I use the rwm overlay to forward the authentication of some users to the
general ldap replicas of my corp.

Part of slapd.conf :

###
...
overlay rwm
rwm-rewriteEngine   on
rwm-rewriteContext  bindDN
rwm-rewriteMap  ldap mysearch
ldap://ldap.example.com:389/ou=users,dc=example,dc=com?dn?sub
http://ldap.example.com:389/ou=users,dc=example,dc=com?dn?sub
rwm-rewriteRule ^uid=([^,]+),ou=people,dc=[^,]+,dc=example,dc=com$
${mysearch(((objectClass=posixAccount)(uid=$1)))} :@I

databaseldap
suffix ou=users,dc=example,dc=com
uri ldap://ldap.example.com:389/ http://ldap.example.com:389/
restrictread write extended

databasebdb
suffix dc=example,dc=com
rootdn cn=admin,dc=example,dc=com
rootpw  mypassword
directory   /var/db/openldap-data/mydb
...


Now I converted the 'slapd.conf' to 'cn=config' with slaptest, the remote
authentication stopped working;
and looking at cn=config, all the rules are there...

Any Ideas ?
Rafael NAVAZA.





--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Re: Tutorial to make an overlay‏?

2011-09-23 Thread Howard Chu


Johan Jakus wrote:

Hello everyone,

I'm Johan and I am in the final year of my studies in industrial engineering.
For my stage, I've been asked to make an overlay for an OpenLDAP server.
But, I can't find any documentation on how to make an overlay,
could someone please redirect me to a tutorial or something likewise?


No such document exists. Perhaps you can produce one while engaged in your 
project. But in general, if you know anything about C programming, no such 
document is necessary. Overlays are pretty small pieces of code, read the code 
for any existing one and copy what it does. Probably the first dozen or so 
overlays were all copied and pasted from the original one, then customized as 
needed.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Re: Schema question... userPassword doesn't work

2011-09-23 Thread Howard Chu


John Tobin wrote:

I have reviewed a number of pages to ensure I am doing what appears to be the
correct procedure, for instance :

_http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html
_
Which lists:

File: fratbrother.ldif

dn: cn=fratbrother,o=delta
cn: fratbrother
sn: fratbrother
objectclass: top
objectclass: person
userPassword: fratsecret

ldapadd -f fratbrother.ldif -cxv -D cn=DeanWormer,o=delta -w secret2


And other similar updates.

But on my machine I create something simple like:

File : dark.ldif

dn: cn=jctobin,dc=dark,dc=net
cn: jctobin
userPassword: Hello1$

Ldapadd -x -D “cn=admin,dc=dark,dc=net” -W -f dark.ldif
Enter LDAP Password:
Adding new entry “cn=jctobin,dc=dark,dc=net”
Ldap_add: Object class violation (65)
Additional info: no objectClass attribute

Obviously my ldap server does not like the “userPassword” class.


Obviously you have the reading comprehension skills of a turnip.
The error message you received says nothing about userPassword at all.

Compare your dark.ldif to your fratbrother.ldif. One of these is not like the 
other. If you can't spot the differences, then you need more help than an 
email list can provide.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Re: Unable to start slapd, syncrepl error

2011-09-23 Thread Howard Chu


William S. wrote:

Oh the wise and mighty of the openLDAP community,

I have an issue that I have not been able to understand. Partially because
I’m an enthusitis, not an expert in the domain. That being said, I've used
an openLDAP RPM compiled by one of the fellow *nix admins:
http://staff.telkomsa.net/packages - Yes, besides the security reasons I'm
desparate enough to try this. I'll eventually use the spec to compile my own
RPM.

I'm running CentOS 5.7 x86_64 with the latest packages. I was able to
successfully install and configure openLDAP but when I attempt to start it
with MIrrorMode, it will not start. I ran slaptest to figure out where it's
hanging up on:

[root@ldap1 ~]# slaptest2.4 -f /etc/openldap2.4/slapd.conf
/etc/openldap2.4/slapd.conf: line 207: rootDN must be defined before
syncrepl may be used
slaptest2.4: bad configuration file!

Any suggestions why it continues to complain about rootDN? I have it
specified and if slapd is going through the lines, it should have picked up
the rootdn before syncrepl. Thoughts?


You have placed these directives in your database monitor config, which has 
no rootdn configured. You probably meant to place them further up in the file, 
under the database bdb config.



Here is my slapd.conf:

include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema

#include /usr/share/openldap2.4/schema/rfc822-MailMember.schema
#include /usr/share/openldap2.4/schema/pilot.schema
#include /usr/share/openldap2.4/schema/qmail.schema
#include /usr/share/openldap2.4/schema/mull.schema
#include /usr/share/openldap2.4/schema/netscape-profile.schema
#include /usr/share/openldap2.4/schema/trust.schema

include /etc/openldap2.4/schema/local.schema
include /etc/openldap2.4/slapd.access.conf

access to dn.subtree=dc=domain,dc=pvt
 by group=cn=Replicator,ou=Group,dc=domain,dc=pvt
 by users read
 by anonymous read
pidfile /var/run/ldap2.4/slapd.pid
argsfile/var/run/ldap2.4/slapd.args

modulepath  /usr/lib64/openldap2.4

# database backend modules available:
#moduleload  back_dnssrv.la
#moduleload  back_ldap.la
#moduleload  back_meta.la
moduleload  back_monitor.la
#moduleload  back_passwd.la
#moduleload  back_sql.la

# overlay modules available:
#moduleload accesslog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload glue.la
#moduleload lastmod.la
#moduleload pcache.la
#moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
moduleload syncprov.la
#moduleload translucent.la
#moduleload unique.la

#contrib overlays
#moduleload  smbk5pwd.so

# SASL config
#sasl-host ldap.domain.com

# To allow TLS-enabled connections, create /etc/ssl/openldap2.4/ldap.pem
# and uncomment the following lines.
#TLSRandFile/dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /etc/pki/tls/private/ldap.pem
TLSCertificateKeyFile   /etc/pki/tls/private/ldap.pem
#TLSCACertificatePath   /etc/ssl/openldap2.4/
#TLSCACertificateFile/etc/ssl/cacert.pem
TLSCACertificateFile/etc/pki/tls/private/ldap.pem
#TLSVerifyClient never # ([never]|allow|try|demand)

# logging
#loglevel 256

###
# database definitions
###

databasebdb
suffix  dc=domain,dc=pvt
#suffix o=My Organization Name,c=US
rootdn  cn=Manager,dc=domain,dc=pvt
#rootdn cn=Manager,o=My Organization Name,c=US

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpwsecret
# rootpw{crypt}ijFYNcSNctBYg
rootpw  {SSHA}[NeeeNer NeeeNer NeeeNer]

# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory   /var/lib/ldap2.4

# Tuning settings, please

Re: migrating from (old) /etc/shadow to LDAP

Re: migrating from (old) /etc/shadow to LDAP

Re: migrating from (old) /etc/shadow to LDAP

Re: migrating from (old) /etc/shadow to LDAP

Re: migrating from (old) /etc/shadow to LDAP

Re: migrating from (old) /etc/shadow to LDAP

Re: migrating from (old) /etc/shadow to LDAP

schema question

JLDAP Search

multi master no syncing.

rwm + cn=config

OpenLDAP with MySQL backend not working

Newbie here

Re: rwm + cn=config

Tutorial to make an overlay‏?

Schema question... userPassword doesn't work

Unable to start slapd, syncrepl error

Unable to start slapd, syncrepl error

Re: schema question

Re: multi master no syncing.

Re: rwm + cn=config

Re: Tutorial to make an overlay‏?

Re: Schema question... userPassword doesn't work

Re: Unable to start slapd, syncrepl error

24 matches

Site Navigation

Mail list logo

Footer information