Permission management with LDAP
Hi again,

I didn't want to do any thread hijacking, so here is a second mail with a completely different question.

If I have a structure like:

User - Role
Role - User - Permission
Permission - Role

Now I want to get the authorization for some permission, so I have the information which user and which permission. Now I need to match the list. The way it already works:

1. Get all roles for a permission
2. Search in the user for the role
3. If found: authorization, else: no

Therefore I need at least two requests to the LDAP server.

My question: is it possible to send only the DN of a permission and tell the server that it needs to extract the role attributes and check the DN of a user for those roles? Can I implement an overlay on the server to manage this task, or is it senseless to think about such a task for the server?

Greetings
John

--
Johannes Fischer
Research Associate
Fraunhofer-Institut für Produktionstechnik und Automatisierung IPA
Competence Center Digital Tools in Production
Nobelstraße 12 | 70569 Stuttgart
Phone +49 711 970-1217
johannes.fisc...@ipa.fraunhofer.de
www.ipa.fraunhofer.de
load balancer
Hi team,

I have two LDAP servers using mirror mode. I want to run a FREE service to achieve load balancing for these servers. Since I can't find any load balancer information in the OpenLDAP Admin Guide, my question is: which kind of service do you advise for load balancing, or which kind of service does OpenLDAP support?

Thanks, regards
Re: Send Success with first found entry
On Fri, 28 Aug 2015 05:42:37 +0000, Fischer, Johannes <johannes.fisc...@ipa.fraunhofer.de> wrote:

> Hi again,
>
> More and more I get a feeling for how all this works together. But often you don't know what you actually need to look up...
>
> I've looked at the LDAP server of the institute to get a feeling for how the real IT guys manage their server... (It was a disaster from a data protection perspective...) Some things were quite nice, for example that the server sends a success with the first found entry in a subtree. On my OpenLDAP instance I receive an entry of a subtree after 20-30 ms, but the success packet needs 200 ms. For me this behaviour is not clear, due to the fact that the entries in the directory need to be unique.
>
> The example: I'm using the Spring Security framework and trigger a lookup with ldapTemplate.lookup("cn=" + _name + ",dc=users"). In Wireshark I see a search request with the scope baseObject and the filter objectClass=*. After 33 ms I receive a searchResEntry packet, so the server found something and could also stop. But I think in the background all the other entries in the subtree dc=users are looked through as well. After 230 ms the success packet arrives at my computer. (see also attachment)
>
> My question: is there a possibility to emit a success together with the first found entry?

In fact, this depends on your filter design. The rate of hits decreases with the degree of accuracy.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N 10°08'02,42E
Re: Permission management with LDAP
On Fri, 28 Aug 2015 06:06:06 +0000, Fischer, Johannes <johannes.fisc...@ipa.fraunhofer.de> wrote:

> Hi again,
>
> I didn't want to do any thread hijacking, so here is a second mail with a completely different question.
>
> If I have a structure like:
>
> User - Role
> Role - User - Permission
> Permission - Role
>
> Now I want to get the authorization for some permission, so I have the information which user and which permission. Now I need to match the list. The way it already works:
>
> 1. Get all roles for a permission
> 2. Search in the user for the role
> 3. If found: authorization, else: no
>
> Therefore I need at least two requests to the LDAP server.

For this sort of task I use slapo-memberof(5) and a proper filter. Something like

(&(uid=$1)(memberOf=myGroup))

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N 10°08'02,42E
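Both the "(&(uid=$1)(memberOf=myGroup))" filter above and the "cn=" + _name + ",dc=users" lookup in the earlier message splice a caller-supplied name into LDAP syntax. The following is an added example, not code from the thread or from OpenLDAP, showing the escaping a practitioner needs before doing that: RFC 4515 escaping for filter values and RFC 4514 escaping for DN values, plus the single memberOf search that replaces the two-request role lookup. The base DN, group DN and server URL are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): escaping untrusted values before
# they go into an LDAP filter (RFC 4515) or a DN (RFC 4514), and using the
# escaped filter for the memberOf-based authorization check.
# Base DN, group DN and server URL below are assumptions.

# Escape a value for use inside a search filter assertion (RFC 4515 section 3).
# Backslash is replaced first so the escapes added afterwards are not doubled.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# Escape a value for use as an attribute value inside a DN (RFC 4514 section 2.4):
# the special characters get a backslash, as do a leading '#' and a
# leading or trailing space.
ldap_dn_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\\\/g' \
        -e 's/,/\\,/g' -e 's/+/\\+/g' -e 's/"/\\"/g' \
        -e 's/</\\</g' -e 's/>/\\>/g' -e 's/;/\\;/g' \
        -e 's/^#/\\#/' -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# The "cn=<name>,dc=users" lookup from the earlier message, with the name escaped.
user_dn() {
    printf 'cn=%s,dc=users' "$(ldap_dn_escape "$1")"
}

# Filter for "user $1 is a member of group $2"; both values are untrusted.
authz_filter() {
    printf '(&(uid=%s)(memberOf=%s))' \
        "$(ldap_filter_escape "$1")" "$(ldap_filter_escape "$2")"
}

# Run the check against the server. Exactly one entry back means authorised;
# -z 2 caps the result so a filter that unexpectedly matches many entries
# is still rejected instead of counted as success.
is_authorized() {
    filter=$(authz_filter "$1" "$2")
    n=$(ldapsearch -x -LLL -H ldap://localhost -b 'ou=users,dc=example,dc=com' \
            -s sub -z 2 "$filter" 1.1 2>/dev/null | grep -c '^dn: ' || true)
    [ "$n" -eq 1 ]
}

# Demo on a constructed uid: the ')' and '*' are neutralised instead of
# closing the uid assertion and matching every user in the subtree.
authz_filter 'jdoe)(objectClass=*' 'cn=myGroup,ou=roles,dc=example,dc=com'
printf '\n'
```

Without the escaping, a uid of `jdoe)(objectClass=*` would turn the filter into `(&(uid=jdoe)(objectClass=*)(memberOf=...))`, and the search would report a match for any user. The `is_authorized` function needs a running slapd with the memberof overlay active; the escaping functions run anywhere.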
Re: load balancer
On 28/08/2015 08:38, Eileen(=^ω^=) wrote:

> Hi team,
>
> I have two LDAP servers using mirror mode. I want to run a FREE service to achieve load balancing for these servers. Since I can't find any load balancer information in the OpenLDAP Admin Guide, my question is: which kind of service do you advise for load balancing, or which kind of service does OpenLDAP support?

Hi,

I usually use HAProxy: http://www.haproxy.org/

--
Clément OUDOT
Open source software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Re: load balancer
If you use *BSD then I suggest relayd.

On 2015-08-28 08:38, Eileen(=^ω^=) wrote:

> Hi team,
>
> I have two LDAP servers using mirror mode. I want to run a FREE service to achieve load balancing for these servers. Since I can't find any load balancer information in the OpenLDAP Admin Guide, my question is: which kind of service do you advise for load balancing, or which kind of service does OpenLDAP support?
>
> Thanks, regards
openLDAP upgrade
Hi all,

I'm starting as an openLDAP administrator, and here in my company they are running openLDAP 2.4.35 (I found this with the command ldapsearch -VV). I want to upgrade to the latest version available (2.4.42); how should I proceed?

I read that I just need to download the new package, stop the server, install the new version and then restart the server. Is that all?

Thanks in advance for your help,
Marc
Re: Permission management with LDAP
On Fri, 28 Aug 2015 12:16:48 +0000, Fischer, Johannes <johannes.fisc...@ipa.fraunhofer.de> wrote:

> Hi,
>
> I've tried your idea. It worked well with groupOfNames. Then I've tried to implement the memberof overlay for a user-specific objectClass:
>
> dn: olcOverlay={1}
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: olcMemberOf
> olcOverlay: memberof
> olcMemberOfDangling: ignore
> olcMemberOfRefInt: TRUE
> olcMemberOfGroupOC: GroupOfPermissions
> olcMemberOfMemberAD: permissionMember
> olcMemberOfMemberOfAD: member
>
> While adding the LDIF I get "unable to find group objectClass=GroupOfPermissions". The objectClass is available on the server and is a self-created objectClass. Do I have to include some paths to announce the objectClass?
[...]

Check whether groupOfPermissions is loaded at all:

ldapsearch -x -H ldap://localhost -b cn=subschema -s base + \
  | grep -A2 'groupOfPermissions'

and what is the syntax of permissionMember and member?

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N 10°08'02,42E
Re: Permission management with LDAP
Hi,

I've tried your idea. It worked well with groupOfNames. Then I've tried to implement the memberof overlay for a user-specific objectClass:

dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member

While adding the LDIF I get "unable to find group objectClass=GroupOfPermissions". The objectClass is available on the server and is a self-created objectClass. Do I have to include some paths to announce the objectClass?

Greetings
John

-----Original message-----
From: Dieter Klünter [mailto:die...@dkluenter.de]
Sent: Friday, 28 August 2015 09:36
To: Fischer, Johannes
Cc: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP

On Fri, 28 Aug 2015 06:06:06 +0000, Fischer, Johannes <johannes.fisc...@ipa.fraunhofer.de> wrote:

> Hi again,
>
> I didn't want to do any thread hijacking, so here is a second mail with a completely different question.
>
> If I have a structure like:
>
> User - Role
> Role - User - Permission
> Permission - Role
>
> Now I want to get the authorization for some permission, so I have the information which user and which permission. Now I need to match the list. The way it already works:
>
> 1. Get all roles for a permission
> 2. Search in the user for the role
> 3. If found: authorization, else: no
>
> Therefore I need at least two requests to the LDAP server.

For this sort of task I use slapo-memberof(5) and a proper filter. Something like

(&(uid=$1)(memberOf=myGroup))

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95N 10°08'02,42E
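For reference, this is what a complete memberof overlay entry for cn=config looks like; it is an added example, not the poster's LDIF or anything from the OpenLDAP documentation, and the database RDN `{1}mdb` and the attribute names are assumptions. The differences from the LDIF in the message above are the points slapo-memberof(5) is strict about: the entry's DN must sit under the database it applies to, the objectClass named in olcMemberOfGroupOC must already be loaded under cn=schema,cn=config (otherwise slapd rejects the overlay entry with exactly the "unable to find group objectClass" error), and the attribute named in olcMemberOfMemberAD must have DN syntax, which is why the reply asks about the syntax of permissionMember. The reverse link goes into the attribute named by olcMemberOfMemberOfAD; here it is the default memberOf rather than member, so the forward and reverse links do not share one attribute.

```ldif
# Added example (not from the thread). Assumptions: the data lives in
# olcDatabase={1}mdb, the schema defining groupOfPermissions and
# permissionMember (DN syntax 1.3.6.1.4.1.1466.115.121.1.12) is already
# loaded under cn=schema,cn=config, and the reverse link is stored in memberOf.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: memberOf
```

One caveat for an authorization check built on this: the overlay only maintains memberOf for group modifications made after it is active, so groups that already existed must be re-added or have their members re-written before a `(memberOf=...)` filter can be trusted to find them.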
Re: load balancer
I'm not sure if relayd is actually useful for LDAP. Maybe you want to check out HAProxy; it already has a good built-in health check (ldap-check) and a distribution method (leastconn) for LDAP.

On 08/28/2015 11:29 AM, Uwe Werler wrote:

> If you use *BSD then I suggest relayd.
>
> On 2015-08-28 08:38, Eileen(=^ω^=) wrote:
>
>> Hi team,
>>
>> I have two LDAP servers using mirror mode. I want to run a FREE service to achieve load balancing for these servers. Since I can't find any load balancer information in the OpenLDAP Admin Guide, my question is: which kind of service do you advise for load balancing, or which kind of service does OpenLDAP support?
>>
>> Thanks, regards
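The HAProxy setup the two replies above describe, as an added example that is not from the thread or from the HAProxy or OpenLDAP projects; host names, ports and timeouts are assumptions.

```haproxy
# Added example (not from the thread): TCP-level balancing of two mirror-mode
# providers. Host names, addresses and timeouts are placeholders.
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  5m
    timeout server  5m

frontend ldap_in
    bind *:389
    default_backend ldap_servers

backend ldap_servers
    balance leastconn
    # ldap-check sends an anonymous LDAPv3 bind and expects a bindResponse
    # with resultCode 0, so a host whose port is open but whose slapd is not
    # answering is taken out of rotation; a plain TCP check would not notice.
    option ldap-check
    server ldap1 ldap1.example.com:389 check inter 2s fall 3 rise 2
    # "backup" keeps all traffic, including writes, on ldap1 until it fails,
    # which avoids writing to both mirrors at the same time.
    server ldap2 ldap2.example.com:389 check inter 2s fall 3 rise 2 backup
```

Two things to keep in mind with this layout. Because HAProxy terminates the TCP connection, slapd sees the proxy's address as the peer, so any `peername.ip=` ACLs and the client addresses in slapd's logs refer to the load balancer rather than the real client. And `option ldap-check` speaks plaintext LDAP; if the servers only listen on ldaps://, add `check-ssl` to the server lines or point the check at a separate plaintext listener, otherwise every server is marked down.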
RHEL7 OpenLDAP server is not enforcing password expirations
Hello,

I've done a lot of research and re-read the OpenLDAP configuration guides, but I cannot get my OpenLDAP 2.4.39 server to not allow users with expired passwords to log in to LDAP-enabled clients. What directive in the /etc/pam.d/ files controls the user's password expiration attribute? pam_unix or pam_ldap?

Setup:

Server: RHEL7 OS
Software: OpenLDAP 2.4.39 server using the slapd service

Client: RHEL7 OS
Software: enabled LDAP via authconfig, using the sssd service

Thank you,
Liz
2.4.17 - 2.4.39 replication: null callback : error code 0x10
Hello!

Aug 21 01:42:45 slapd[4658]: null_callback : error code 0x10
Aug 21 01:42:45 slapd[4658]: syncrepl_entry: rid=107 be_modify failed (16)
Aug 21 01:42:45 slapd[4658]: do_syncrepl: rid=107 rc 16 retrying (9 retries left)

Master (OpenLDAP: slapd 2.4.17, 64-bit openSUSE 11.2) and slave (OpenLDAP: slapd 2.4.31, 64-bit openSUSE 12.2).

Master slapd.conf syncprov configuration:

...
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
...

Slave slapd.conf syncrepl configuration:

...
syncrepl rid=107 provider=ldaps://master.domen.com \
    type=refreshOnly \
    interval=00:00:02:00 \
    scope=sub \
    schemachecking=off \
    searchbase="dc=domen,dc=com" \
    bindmethod=simple \
    binddn="dc=domen,dc=com" \
    credentials= \
    retry="60 10 300 10"
...

I have these errors on all my slaves. What may be the cause of those errors? I have no idea about that. Please HELP!
ppolicy and pwdGraceUseTime
OpenLDAP 2.4.39

Adding ppolicy to an already running OpenLDAP installation. Mostly functional: I was locked out after failed password attempts as expected.

An existing user with a password beyond expiration is an issue. It is extending grace logins as expected, but when I try to change the password I get an error which appears to be error 16:

modify/delete: pwdGraceUseTime: no such attribute

But there is that attribute.

# ldapsearch -x -h localhost '(uid=craig.white)' +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=obscured> (default) with scope subtree
# filter: (uid=craig.white)
# requesting: +
#

# craig.white, People, obscured
dn: uid=craig.white,ou=People,dc=obscured
entryUUID: c4ae47b4-c3e9-1033-8b0f-497efc42df64
creatorsName: cn=root,dc=obscured
createTimestamp: 20140829170048Z
pwdChangedTime: 20150730153646Z
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=obscured
pwdGraceUseTime: 20150827230337Z
pwdGraceUseTime: 20150827230344Z
pwdGraceUseTime: 20150827230351Z
pwdGraceUseTime: 20150827230430Z
pwdGraceUseTime: 20150827230441Z
pwdGraceUseTime: 20150827230847Z
pwdGraceUseTime: 20150827230855Z
pwdGraceUseTime: 20150827231032Z
pwdGraceUseTime: 20150827231039Z
pwdGraceUseTime: 20150828152032Z
pwdGraceUseTime: 20150828152038Z
pwdGraceUseTime: 20150828152404Z
pwdGraceUseTime: 20150828152410Z
pwdGraceUseTime: 20150828152527Z
pwdGraceUseTime: 20150828152533Z
pwdGraceUseTime: 20150828152643Z
pwdGraceUseTime: 20150828152648Z
pwdGraceUseTime: 20150828153349Z
pwdGraceUseTime: 20150828153354Z
pwdGraceUseTime: 20150828153619Z
pwdGraceUseTime: 20150828153623Z
entryCSN: 20150828154229.701657Z#000000#000#000000
modifiersName: cn=admin,dc=obscured
modifyTimestamp: 20150828154229Z
entryDN: uid=craig.white,ou=People,dc=obscured
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Why won't it let me change my password?
Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr.
Phoenix, AZ 85032