Permission management with LDAP

2015-08-28 Thread Fischer, Johannes
Hi again,

I didn't want to hijack the other thread, so here is a second mail with a 
completely different question.

If I have a structure like:
User
  - Role
Role
  - User
  - Permission
Permission
  - Role

Now I want to get the authorization for some permission, so I have the 
information which user and which permission. Now I need to match the list.
The way it already works:
Get all Roles for a Permission
Search the user for the Role
If found: authorization
Else: none
Therefore I need at least two requests to the LDAP server.

My Question:
Is it possible to send only the DN of a Permission and tell the server that 
it needs to extract the Role attributes and check the DN of a user for 
those Roles?
Can I implement an overlay on the server to manage this task, or is it senseless 
to think about such a task for the server?

Greetings John

--
Johannes Fischer
Research Associate

Fraunhofer-Institut für
Produktionstechnik und Automatisierung IPA

Competence Center Digital Tools in Production

Nobelstraße 12 │ 70569 Stuttgart
Phone +49 711 970-1217

johannes.fisc...@ipa.fraunhofer.de
http://www.ipa.fraunhofer.de/




load balancer

2015-08-28 Thread Eileen(=^ω^=)
Hi team,
   I have two LDAP servers using mirrormode. I want to run a FREE service to 
achieve load balancing for these servers. 
   Since I can't find any load balancer information in the OpenLDAP Admin Guide, 
my question is which kind of service do you advise for load balancing, or 
which kind of service does openldap support?


THANKS & REGARDS

Re: Send Success with first found entry

2015-08-28 Thread Dieter Klünter
On Fri, 28 Aug 2015 05:42:37 +,
Fischer, Johannes johannes.fisc...@ipa.fraunhofer.de wrote:

 Hi again,
 
 more and more I get a feeling how all this works together. But often
 you don't know what you actually need to look up...
 
 I've looked at the LDAP server of the Institute to get a feeling how
 the real IT guys manage their server... (It was a disaster from a
 data protection perspective...) Some things were quite nice, for
 example that the server sends a success with the first found entry
 in a subtree.
 
 On my openLDAP instance I receive an entry of a subtree after 20-30ms,
 but the success packet needs 200ms. For me this behavior is not clear,
 due to the fact that the entries in the directory need to be unique.
 
 The example:
 I'm using the Spring Security framework and trigger a lookup with
 ldapTemplate.lookup("cn=" + _name + ",dc=users"). In
 Wireshark I see a search request with the scope baseObject and the
 filter (objectClass=*). After 33ms I receive a searchResEntry packet,
 so the server found something and could also stop. But I think in the
 background all the other entries in the subtree dc=users are
 looked through as well. After 230ms the success packet arrives at my
 computer. (see also attachment)
 
 My question: is there a possibility to emit a success together with
 the first found entry?

In fact, this depends on your filter design. The rate of hits decreases
with the degree of accuracy.

-Dieter



-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N
10°08'02,42E



Re: Permission management with LDAP

2015-08-28 Thread Dieter Klünter
On Fri, 28 Aug 2015 06:06:06 +,
Fischer, Johannes johannes.fisc...@ipa.fraunhofer.de wrote:

 Hi again,
 
 I didn't want to hijack the other thread, so here is a second mail with
 a completely different question.
 
 If I have a structure like:
 User
   - Role
 Role
   - User
   - Permission
 Permission
   - Role
 
 Now I want to get the authorization for some permission, so I have
 the information which user and which permission. Now I need to match
 the list. The way it already works: get all Roles for a Permission,
 search the user for the Role;
 if found: authorization,
 else: none.
 Therefore I need at least two requests to the LDAP server.

For this sort of task I use slapo-memberof(5) and a proper filter. 
Something like (&(uid=$1)(memberOf=myGroup))

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N
10°08'02,42E
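A worked example added here (it is not Dieter's or Johannes's code): it builds the single-request memberOf filter from the reply above with the `$1` user value escaped per RFC 4515, and also shows the RFC 4514 escaping the Spring-style `"cn=" + _name + ",dc=users"` lookup DN from the other thread needs. The role container `ou=roles,dc=example,dc=org` is an assumption.

```python
# Added example, not from the thread. Collapses the two-step
# Permission -> Roles -> User walk into one search on the memberOf
# attribute that slapo-memberof maintains, while keeping user-supplied
# values from changing the structure of the filter or the DN.

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# RFC 4514 section 2.4: characters needing a backslash inside an RDN value.
_DN_SPECIALS = set(',+"\\<>;=')

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) \
           or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        else:
            out.append(ch)
    return "".join(out)

def role_dn(role: str) -> str:
    # Assumed location of the Role entries (constructed for this example).
    return f"cn={escape_dn_value(role)},ou=roles,dc=example,dc=org"

def authz_filter(uid: str, role: str) -> str:
    """One search instead of two: does this uid carry memberOf for the role?"""
    return (f"(&(uid={escape_filter_value(uid)})"
            f"(memberOf={escape_filter_value(role_dn(role))}))")

def lookup_dn(name: str) -> str:
    """Safe form of the Spring lookup DN "cn=" + _name + ",dc=users"."""
    return f"cn={escape_dn_value(name)},dc=users"
```

Run the search with scope base on the user's DN, or scope one on the user container with this filter; a non-empty result is the authorization decision.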



Re: load balancer

2015-08-28 Thread Clément OUDOT



On 28/08/2015 08:38, Eileen(=^ω^=) wrote:

Hi team,
   I have two LDAP servers using mirrormode. I want to run a FREE 
service to achieve load balancing for these servers.
   Since I can't find any load balancer information in the 
OpenLDAP Admin Guide, my question is which kind of service do you 
advise for load balancing, or which kind of service does openldap support?




Hi,

I usually use HAProxy: http://www.haproxy.org/

--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS




Re: load balancer

2015-08-28 Thread Uwe Werler

If you use *BSD then I suggest relayd.

On 2015-08-28 08:38, Eileen(=^ω^=) wrote:

Hi team,
 I have two LDAP servers using mirrormode. I want to run a FREE
service to achieve load balancing for these servers.
 Since I can't find any load balancer information in the
OpenLDAP Admin Guide, my question is which kind of service do you
advise for load balancing, or which kind of service does openldap support?

THANKS & REGARDS





openLDAP upgrade

2015-08-28 Thread mdii
Hi all,

I'm starting as an openLDAP administrator, and here in my company they are
running openLDAP 2.4.35.

 - I found this with the command ldapsearch -VV

I want to upgrade to the latest version available (2.4.42); how should I
proceed?

I read that I just need to download the new package, stop the server,
install the new version and then restart the server. Is that all?


Thanks in advance for your help,
Marc


Re: Permission management with LDAP

2015-08-28 Thread Dieter Klünter
On Fri, 28 Aug 2015 12:16:48 +,
Fischer, Johannes johannes.fisc...@ipa.fraunhofer.de wrote:

 Hi,
 
 I've tried your idea. It worked well with groupOfNames.
 Then I've tried to implement the memberof overlay for a user-specific
 objectClass:
 dn: olcOverlay={1}
 objectClass: olcConfig
 objectClass: olcOverlayConfig
 objectClass: olcMemberOf
 olcOverlay: memberof
 olcMemberOfDangling: ignore
 olcMemberOfRefInt: TRUE
 olcMemberOfGroupOC: GroupOfPermissions
 olcMemberOfMemberAD: permissionMember
 olcMemberOfMemberOfAD: member
 
 While adding the LDIF I get: unable to find group objectClass=
 GroupOfPermissions. The objectClass is available on the server and
 is a self-created objectClass. Do I have to include some paths to
 announce the objectClass?

[...]

Check whether groupOfPermissions is loaded at all:
ldapsearch -x -H ldap://localhost -b cn=subschema -s base + \
 | grep -i -A2 'groupOfPermissions'

and what is the syntax of permissionMember and member?

-Dieter 

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N
10°08'02,42E



Re: Permission management with LDAP

2015-08-28 Thread Fischer, Johannes
Hi,

I've tried your idea. It worked well with groupOfNames.
Then I've tried to implement the memberof overlay for a user-specific 
objectClass:
dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member

While adding the LDIF I get: unable to find group objectClass=GroupOfPermissions 

The objectClass is available on the server and is a self-created objectClass.
Do I have to include some paths to announce the objectClass?

Greetings John


-Original Message-
From: Dieter Klünter [mailto:die...@dkluenter.de] 
Sent: Friday, 28 August 2015 09:36
To: Fischer, Johannes
Cc: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP

On Fri, 28 Aug 2015 06:06:06 +,
Fischer, Johannes johannes.fisc...@ipa.fraunhofer.de wrote:

 Hi again,
 
 I didn't want to hijack the other thread, so here is a second mail with a 
 completely different question.
 
 If I have a structure like:
 User
   - Role
 Role
   - User
   - Permission
 Permission
   - Role
 
 Now I want to get the authorization for some permission, so I have the 
 information which user and which permission. Now I need to match the 
 list. The way it already works: get all Roles for a Permission,
 search the user for the Role; if found: authorization, 
 else: none. Therefore I need at least two requests to the LDAP server.

For this sort of task I use slapo-memberof(5) and a proper filter. 
Something like (&(uid=$1)(memberOf=myGroup))

-Dieter

--
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N
10°08'02,42E


Re: load balancer

2015-08-28 Thread Mario Bedenk
I'm not sure if relayd is actually useful for LDAP.
Maybe you want to check out HAProxy; it already has a good built-in
health check (ldap-check) and a distribution method (leastconn) for LDAP.


On 08/28/2015 11:29 AM, Uwe Werler wrote:
 If you use *BSD then I suggest relayd.
 
 On 2015-08-28 08:38, Eileen(=^ω^=) wrote:
 Hi team,
  I have two LDAP servers using mirrormode. I want to run a FREE
 service to achieve load balancing for these servers.
  Since I can't find any load balancer information in the
 OpenLDAP Admin Guide, my question is which kind of service do you
 advise for load balancing, or which kind of service does openldap support?

 THANKS & REGARDS
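As an added example (not from anyone in this thread), an HAProxy listen section fronting the two MirrorMode servers with the ldap-check health check and leastconn balancing Mario mentions; the server addresses are constructed placeholders. Because the OpenLDAP Admin Guide requires that MirrorMode writes be directed to a single provider at a time, the second server is marked backup so traffic only moves when the first one fails its health check.

```haproxy
# Added example configuration, not from the thread. Fronts two MirrorMode
# providers; 192.0.2.11/12 are constructed placeholder addresses.
listen ldap
    bind *:389
    mode tcp
    balance leastconn
    # LDAPv3 anonymous-bind probe: a server is marked down when slapd stops
    # answering binds, not merely when its TCP port still accepts connections.
    option ldap-check
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # MirrorMode needs all writes on one provider at a time, so ldap2 only
    # receives traffic after ldap1 has failed three consecutive checks.
    server ldap1 192.0.2.11:389 check inter 2s fall 3 rise 2
    server ldap2 192.0.2.12:389 check inter 2s fall 3 rise 2 backup
```

If read load must be spread over both servers, add a second listen section on another port without the backup keyword and point read-only clients at it, keeping writers on the failover port above.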
 
 



RHEL7 OpenLDAP server is not enforcing password expirations

2015-08-28 Thread Real, Elizabeth (392K)
Hello,

I’ve done a lot of research and re-read the OpenLDAP configuration guides, but I 
cannot get my OpenLDAP 2.39 server to stop allowing users with expired passwords to 
log in to LDAP-enabled clients. Which directive in the /etc/pam.d/ files controls 
the user's password expiration attribute: pam_unix or pam_ldap?

Setup:

Server: RHEL7 OS
Software: OpenLdap 2.4.39 server using slapd service

Client: RHEL7 OS
Software: enabled Ldap via authconfig, using sssd service

Thank you,
Liz



2.4.17 - 2.4.39 replication: null callback : error code 0x10

2015-08-28 Thread Andrei Valoshyn

Hello!


Aug 21 01:42:45 slapd[4658]: null_callback : error code 0x10
Aug 21 01:42:45 slapd[4658]: syncrepl_entry: rid=107 be_modify failed 
(16)
Aug 21 01:42:45 slapd[4658]: do_syncrepl: rid=107 rc 16 retrying (9 
retries left)


Master (OpenLDAP: slapd 2.4.17, 64-bit openSUSE 11.2) and slave 
(OpenLDAP: slapd 2.4.31, 64-bit openSUSE 12.2)


master slapd.conf syncprov configuration :
...
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
..

slave master slapd.conf syncprov configuration:
...
syncrepl rid=107 provider=ldaps://master.domen.com \
type=refreshOnly \
interval=00:00:02:00 \
scope=sub \
schemachecking=off \
searchbase=dc=domen,dc=com \
bindmethod=simple \
binddn=dc=domen,dc=com \
credentials= \
retry=60 10 300 10
..

I have these errors on all my slaves. What may be the cause of those 
errors? I have no idea. Please HELP!








ppolicy and pwdGraceUseTime

2015-08-28 Thread Craig White
Openldap 2.4.39

Adding in policy to an already running OpenLDAP installation. Mostly functional - 
I was locked out after failed password attempts as expected.

An existing user with a password beyond expiration is an issue. It extended grace 
logins as expected, but when I try to change the password I get an error which 
appears to be error 16 - modify/delete: pwdGraceUseTime: no such attribute

But there is that attribute.

# ldapsearch -x -h localhost '(uid=craig.white)' +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base dc=obscured (default) with scope subtree
# filter: (uid=craig.white)
# requesting: +
#

# craig.white, People, obscured
dn: uid=craig.white,ou=People,dc=obscured
entryUUID: c4ae47b4-c3e9-1033-8b0f-497efc42df64
creatorsName: cn=root,dc=obscured
createTimestamp: 20140829170048Z
pwdChangedTime: 20150730153646Z
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=obscured
pwdGraceUseTime: 20150827230337Z
pwdGraceUseTime: 20150827230344Z
pwdGraceUseTime: 20150827230351Z
pwdGraceUseTime: 20150827230430Z
pwdGraceUseTime: 20150827230441Z
pwdGraceUseTime: 20150827230847Z
pwdGraceUseTime: 20150827230855Z
pwdGraceUseTime: 20150827231032Z
pwdGraceUseTime: 20150827231039Z
pwdGraceUseTime: 20150828152032Z
pwdGraceUseTime: 20150828152038Z
pwdGraceUseTime: 20150828152404Z
pwdGraceUseTime: 20150828152410Z
pwdGraceUseTime: 20150828152527Z
pwdGraceUseTime: 20150828152533Z
pwdGraceUseTime: 20150828152643Z
pwdGraceUseTime: 20150828152648Z
pwdGraceUseTime: 20150828153349Z
pwdGraceUseTime: 20150828153354Z
pwdGraceUseTime: 20150828153619Z
pwdGraceUseTime: 20150828153623Z
entryCSN: 20150828154229.701657Z#00#000#00
modifiersName: cn=admin,dc=obscured
modifyTimestamp: 20150828154229Z
entryDN: uid=craig.white,ou=People,dc=obscured
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Why won't it let me change my password?

Craig White
System Administrator
O 623-201-8179   M 602-377-9752


SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032