Re: query across ou

[Michael Ströder]

Chuck Theobald wrote:

Is there a way to perform a single query an LDAP database such that I can
retrieve the group name (cn) from a user's full name (cn). My structure holds
user accounts in ou=People and groups in ou=Group. I know I can ask for
gidNumber from the People tree, then reference the group in the Group tree,
but with an SQL background, I would like a single query.


Not feasible in general. The LDAP functional model is much simpler than SQL.

Depending on the group schema used in your deployment you could configure the 
server with slapo-memberof. Then slapd maintains a back-link to the group 
entries from the member entry. By default it's attribute 'memberOf' 
(configurable) and always contains the full DN of all group entries. This only 
works if using RFC 2307bis style posixGroup entries with attribute 'member' 
pointing to member entries (not 'memberUID').


If you have to provide also 'memberUID' group relation attribute to some 
legacy clients you can define a hybrid groupOfNames/posixGroup object class 
like described herein:


http://www.ietf.org/mail-archive/web/ldapext/current/msg02112.html

Ciao, Michael.



smime.p7s
Description: S/MIME Cryptographic Signature

Re: query across ou

[Liam Gretton]

On 29/04/2015 07:59, Michael Ströder wrote:
 Chuck Theobald wrote:
 Is there a way to perform a single query an LDAP database such that I can
 retrieve the group name (cn) from a user's full name (cn). My structure holds
 user accounts in ou=People and groups in ou=Group. I know I can ask for
 gidNumber from the People tree, then reference the group in the Group tree,
 but with an SQL background, I would like a single query.
 
 Not feasible in general. The LDAP functional model is much simpler than SQL.
 
 Depending on the group schema used in your deployment you could configure the 
 server with slapo-memberof. Then slapd maintains a back-link to the group 
 entries from the member entry. By default it's attribute 'memberOf' 
 (configurable) and always contains the full DN of all group entries. This 
 only 
 works if using RFC 2307bis style posixGroup entries with attribute 'member' 
 pointing to member entries (not 'memberUID').

I think what Chuck wants to do is dereference a user's primary group ID
from their gidNumber attribute to get the group name. The primary group
does not appear in the memberOf list with slapo-memberof as the user
won't be in the list of members for that group.

Only way is indeed to do two lookups: get the user's gidNumber, then the
group name associated with the gidNumber.

-- 
Liam Grettonliam.gret...@le.ac.uk
Systems Specialist   http://www.le.ac.uk/its/
IT Services   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom

Re: getent passwd only catch local user passwd

[Andrew Findlay]

On Tue, Apr 28, 2015 at 07:49:07PM +, Yingbo Li wrote:

 I am new to LDAP.  The company’s IT own LDAP server, I tried to configure
 openldap client but failed. My OS is CentOS 7, openldap is 2.4.39.
 
 I configured ldap and ldaps. I can use ldapsearch to find out full ldap info 
 of
 my LDAP account. I configured with authconfig-tui. I also modified /etc/pam.d/
 system-auth and password-auth, change pam_sss.so to pam_ldap.so. While when I
 tried getent passwd, I can only find local users. I cannot su to my LDAP
 account. Why?

You have probably messed up the config by making those changes. CentOS 7 
expects to
use SSSD to access LDAP: it provides useful services and isolates system 
processes
from the LDAP service so you should not try to bypass it.

Lots of useful information here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#SSSD-Introduction

Rather than editing config files directly, try to get a basic system running by
using the authconfig command. This should make sure that you have a consistent
setup. Better still, select LDAP authentication when you install the system and 
let
the install wizard help you through the process.

If your LDAP service places size limits or restrictive access-control on the 
data
you may need to create an account for SSSD to bind with so that it can bypass 
the
limits.

This is not really an OpenLDAP problem, so you are likely to get more detailed 
help
on a Red Hat or CentOS mailing list or forum.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Ldap challenge

[Ross, Daniel B.]

Thanks,
I will read over this and see if I can make it work.
Daniel




From: Andrew Findlay andrew.find...@skills-1st.co.uk
Sent: Monday, April 27, 2015 3:06 PM
To: Ross, Daniel B.
Cc: openldap-technical@openldap.org
Subject: Re: Ldap challenge

On Mon, Apr 27, 2015 at 06:27:39PM +, Ross, Daniel B. wrote:

 ismemberof  does not exist  we have to use memberof

Memberof is fairly common. I don't think I have ever found a system
that used 'ismemberof'.

Note that maintaining memberof takes some work so it
is not enabled on all LDAP servers by default.

 nsUniqueId we have to use objectGUID

What do you use nsUniqueId for? Probably not a problem anyway as you
may be able to use other similar attributes as you mention above.

 no uniqueMember again can only use memberof.

uniqueMember and memberOf have completely different use-cases:
uniqueMember is used just like 'member' in most cases, to indicate
which entries are members of the group that it appears in.
memberOf indicates which groups the entry that it appears in is a
member of (i.e. it is the inverse mapping).

 while there is a guarantee of person there is not the same for Posixaccount 
 or shadowaccount.

Ah - if you lack those attributes then AD is certainly not going to do
the job on its own.

 While I have been able to get linux with SSSD to work, to some extent, with 
 this its rather hit and miss and the Solaris systems just wont work at all.  
 This is why I was hoping to be able to use the campus for the username and 
 password, and then provide the rest from a local ldap server.   It doesnt 
 sound like this is really possible.

Yes - it should be possible but it will take a bit more work.

 saslauthd did not work at all with the MS LDS.

Did you try following the instructions here?:


http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Note that you will need the DN and password of an existing AD user
to allow saslauthd to do LDAP searches on AD. You can try the
ldapsearch commands from section 14.5.3 without any other setup to
test that you have a good user account.

In principle it may be better to do Kerberos authentication against AD
rather than LDAP, but I didn't have a Kerberos server handy when I
wrote that bit.

 What is a parallel or overlay directory service?

Parallel would be where you replicate some subset of data from AD into
a local LDAP server, which then operates as a self-contained system.
You could have the replication process create or look up Unix-specific
attributes like UID and GID for new accounts.

Overlay would be where you use what you can get from AD, and put a
translucent overlay on top containing Unix-specific data that you
administer locally.

In either case you need to decide how to handle password checking and
account locking.

All of my customers so far have chosen the parallel approach, as that
allows the Unix LDAP to continue working if it loses access to AD.
Ideally this includes installing a module on the AD Domain Controllers
that detects password changes and forwards them immediately to the Unix
LDAP. I have generally used Microsoft's SFU password-capture module for
this as AD admins seem happier to install Microsoft code than things from
other sources. It does have its problems though, and the code quality
of the Unix end that they provide leaves a lot to be desired. I believe
newer AD versions come with an updated version of this built in, but I
have not tested it.

Andrew
--
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

RE: getent passwd only catch local user passwd

[Yingbo Li]

Findlay,

Thanks for your help! But the problem is not addressed. On centOS 6 and 7 I 
test getent passwd yli28. The same result, no ouput. On my own ldap client 
server env, both cnetos 6.6, it works. I started sssd on client. It did not 
work. Then  I start nscd. It still not work.

I would like to list all my configurations here:
/etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.91.96.141LVD-LDAP-C6IT   hostname
10.91.96.142LDV-LDAP-CENT6

/etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE ou=people,dc=ra-int,dc=com
#URIldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://usmkemsi107.ra-int.com
#URI10.91.96.142
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never

TLS_CACERTDIR /etc/openldap/cacerts

/etc/nsswitch.conf (All sss were replaced by ldap. Both did not work)


passwd: files ldap
shadow: files ldap
group:  files ldap

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files 

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files ldap

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:files nisplus

/etc/sssd/sssd.conf
[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=people,dc=ra-int,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://usmkemsi107.ra-int.com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
config_file_version = 2
enumerate = true

domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
authrequired  pam_env.so
authsufficientpam_unix.so nullok try_first_pass
authrequisite pam_succeed_if.so uid = 500 quiet
authsufficientpam_sss.so use_first_pass
authrequired  pam_deny.so

account required  pam_unix.so broken_shadow
account sufficientpam_localuser.so
account sufficientpam_succeed_if.so uid  500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required  pam_permit.so

passwordrequisite pam_cracklib.so try_first_pass retry=3 type=
passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass 
use_authtok
passwordsufficientpam_sss.so use_authtok
passwordrequired  pam_deny.so

session optional  pam_keyinit.so revoke
session required  pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet 
use_uid
session required  pam_unix.so
session optional  pam_sss.so

/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
authrequired  pam_env.so
authsufficientpam_unix.so nullok try_first_pass
authrequisite pam_succeed_if.so uid = 500 quiet
authsufficientpam_sss.so use_first_pass
authrequired  pam_deny.so

account required  pam_unix.so broken_shadow
account sufficientpam_localuser.so
account sufficientpam_succeed_if.so uid  500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required  pam_permit.so

passwordrequisite pam_cracklib.so try_first_pass retry=3 type=
passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass 
use_authtok
passwordsufficientpam_sss.so use_authtok
passwordrequired  pam_deny.so

session optional  pam_keyinit.so revoke
session required  pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet 
use_uid
session required  pam_unix.so
session optional  pam_sss.so

Yesterday, I configured LDAP authentication on Artifactory (a repository 
software) on centos 7. It works. I use ldapsearch -x -D binddn_username -w 
password samaccount=yli28. It works.

I really do not know what else can I do to make getent work. Then I can su  
yli28.

If you find anything wrong, please let me know. I can only configure the client 
side, the LDAP server controlled by IT.

Thank you!
Yingbo

Re: modifying cn=config with ldapmodify

[Abdelhamid Meddeb]

Hi,

In your ssl.ldif file there is a *blank* line too after changetype: modify
This is not reported in your first post but it apear in seconde one.
I have reproduced the same symptoms with this empty line

More details bellow

Cheers.

Le 29/04/2015 12:56, Robert Munn a écrit :

My replies inline...

On Apr 26, 2015, at 2:28 AM, Abdelhamid MEDDEB abdelha...@meddeb.net 
mailto:abdelha...@meddeb.net wrote:



Hi,


Le 25/04/2015 15:10, Robert Munn a écrit :
I have been trying to replace the SSL cert settings on my OpenLDAP 
instance running on Ubuntu using ldapmodify.



I followed directions on the Ubuntu wiki:

https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls

using a modified ldif file for the replace:

|dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem|

|All right|

Empty line is not reported here.
When it didn’t work on my existing instance I built a new instance 
in a new Ubuntu VM (14.04) and tried the original directions from 
Ubuntu. That did not work either.

May be you've missed some settings at build time like --with-tls


I installed OpenLDAP using apt. The .deb package must include TLS 
because I added the certificates manually.





The ldapmodify command executes correctly but it seems that the 
change is not registered by the server. This is the case in both the 
new instance and the old instance of OpenLDAP.
No error message like Insufficient access (50) ? and you should 
check the write (manage)rights to cn=config database.


The command I ran (as sudo) and the message:

ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry cn=config”

and ssl.ldif :

dn: cn=config
changetype:modify

replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/CAcert
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/cert.key

But we show it here, and content changes (strangely)  the cn=config.ldif 
last modified timestamp, but do nothing realy
cn=config.ldif is being modified by the ldapmodify process, I verified 
that by changing file permissions on cn=config.ldif, running the 
ldapmodify command, and then checking cn=config.ldif. ldapmodify 
updated the timestamp and file permissions on the file. The file 
changed, but the configuration changes in ssl.ldif were not made in 
cn=config.ldif.



I ended up replacing the values (or adding them in the new instance) 
in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the 
changes manually and restarting slapd works, but my understanding 
was that changes to cn=config should be made through ldapmodify.

Bad practice, it's best to avoid.


Yes, and when I can modify the configuration using ldapmodify, I will 
no longer make the changes manually.


I found a note about enabling logging using ldapmodify:

https://help.ubuntu.com/lts/serverguide/openldap-server.html

logging.ldif:

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

I executed this command on my first instance and it added the logging 
to cn=config. I executed this command on the second instance, where 
olcLogLevel already existed, and it did not alter the log level.


I have also been experimenting with this script:

https://github.com/cepharum/slapd-config

With it, I was able to delete the TLS entries from cn=config:

slapd-config raw delete cn=config olcTLSCACertificateFile 1

but when I tried to add the entries back, I got this error:

slapd-config raw insert cn=config olcTLSCACertificateFile 1 
/etc/ssl/certs/cert.pem

modifying entry 
ldap_modify: Server is unwilling to perform (53)
additional info: modify upon the root DSE not supported



I have not looked at the details but it seems that there is a bug in 
this script. (modifying entry )


I was able to change the olcLogLevel back to its original state vi 
ldapmodify, so maybe there is something particular about the TLS 
entries, perhaps having to do with permissions on the certs and keys 
themselves?


I have come across this bug in several forums and have yet to see 
someone who solved it in the “correct” manner using ldapmodify.



Robert





I also found a tech note at CentOS:

https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Accessing_and_Modifying_Server_Configuration.html
in section 2.2.2.2 that indicates changes to cn=config will be ignored:

If an attribute is added to |cn=config|, the server ignores it.


So am I mistaken? Do I need to do 

Objectclass not enabled in PHPldapadmin

[Gokulnath Arjunan]

Hi,

 

I have installed LDAP 2.4 version and using phpldapadmin to manage it. I am
not seeing all the options enabled in create object page. Like I can see
Generic: Organisational Role and Generic: Organisational Unit but other
options like Generic: Address Book Entry, Generic: Posix Group,  Generic:
User Account are in disabled mode. I want them to be available to create
group and users. Please guide 

me how to resolve this issue. 

 

I noticed below errors/warning during login to phpldapadmin and not sure
about it.

 

Samba: Group Mapping: posixGroup removed from template as it is not defined
in the schema

Alias: inetOrgPerson removed from template as it is not defined in the
schema

 

Thanks 

Gokulnath