Re: How to properly monitor MDB usage
On Tue, 7 May 2024 at 19:32, Benjamin Renard wrote:
> @Clément: I also implemented a similar monitoring plugin :)
> (https://exchange.icinga.com/brenard/check_mdb). Don't forget to share
> your works on this great website (and possibly on
> https://exchange.nagios.org) ;)

Great, thanks for the pointers!
Re: How to properly monitor MDB usage
On 07/05/2024 at 17:07, Benjamin Renard wrote:
> Hi,
>
> I'm looking for the right method to monitor the usage of an MDB database against the size limit imposed via the parameter olcDbMaxSize. Currently, I am using the following command:
>
> # mdb_stat -e /var/lib/ldap/accesslog/
> Environment Info
>   Map address: (nil)
>   Map size: 4294967296
>   Page size: 4096
>   Max pages: 1048576
>   Number of pages used: 1048572
>   Last transaction ID: 24153425
>   Max readers: 126
>   Number of readers used: 18
> Status of Main DB
>   Tree depth: 1
>   Branch pages: 0
>   Leaf pages: 1
>   Overflow pages: 0
>   Entries: 6
>
> Here, I determine the percentage of database usage from the "Number of pages used" and "Max pages" values. This seemed to be a good method, but I noticed that after a significant purge of objects in the directory, the number of used pages does not seem to decrease.
>
> Is there another and/or better method to monitor this? Failing that, is there a solution to release "falsely" used pages, ideally without too much downtime of the service (so not a dump/restore)? I read that it was possible to use the "mdb_copy -c" command, but I am a little concerned about the duration on a database with approximately 1,000,000 entries.
>
> Thank you in advance.

Hello Benjamin,

if it helps, we have created a monitoring script for this: https://ltb-project.org/documentation/check_lmdb_usage.html

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
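As an added example (not the LTB check_lmdb_usage script, nor Benjamin's check_mdb plugin), a Nagios-style check that parses the mdb_stat -e output quoted above and computes the fill ratio the thread describes. It also reads the "Free pages" line of the Freelist Status section that mdb_stat -f prints (that section's format is assumed here, the thread only shows -e), which explains the observation above: "Number of pages used" is a high-water mark that never shrinks after a purge, because LMDB puts released pages on its freelist and reuses them rather than shrinking the map.

```python
#!/usr/bin/env python3
"""Fill-ratio check built on `mdb_stat -e` / `mdb_stat -ef` output (added example)."""
import re
import sys

# Constructed sample: the mdb_stat -e output quoted in the thread.
SAMPLE_MDB_STAT = """\
Environment Info
  Map address: (nil)
  Map size: 4294967296
  Page size: 4096
  Max pages: 1048576
  Number of pages used: 1048572
  Last transaction ID: 24153425
  Max readers: 126
  Number of readers used: 18
Status of Main DB
  Tree depth: 1
  Branch pages: 0
  Leaf pages: 1
  Overflow pages: 0
  Entries: 6
"""

# Assumed format of the extra section printed by `mdb_stat -ef`
# (constructed; the thread only shows -e). "Free pages" is the freelist total.
SAMPLE_FREELIST = """\
Freelist Status
  Tree depth: 1
  Branch pages: 0
  Leaf pages: 1
  Overflow pages: 0
  Entries: 3
  Free pages: 524000
"""

_SECTION = re.compile(r"^\S")                    # section headers start at column 0
_FIELD = re.compile(r"^\s+([^:]+):\s*(\S.*)$")  # "  Key: value" lines


def parse_mdb_stat(text):
    """Return {section: {field: value}}; purely decimal values become ints."""
    stats, section = {}, None
    for line in text.splitlines():
        if _SECTION.match(line):
            section = line.strip()
            stats.setdefault(section, {})
            continue
        m = _FIELD.match(line)
        if m and section is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            stats[section][key] = int(value) if value.isdigit() else value
    return stats


def usage(stats):
    """Return (used_percent, live_percent).

    used_percent is what the thread's check computes: the high-water mark of
    pages ever touched ("Number of pages used") against "Max pages". It never
    drops after a purge, because LMDB keeps released pages on its freelist and
    reuses them instead of shrinking the map. live_percent subtracts the
    freelist total when a "Free pages" line is present (needs -f); without it,
    the two values are equal.
    """
    env = stats["Environment Info"]
    used, maximum = env["Number of pages used"], env["Max pages"]
    free = stats.get("Freelist Status", {}).get("Free pages", 0)
    used_pct = 100.0 * used / maximum
    live_pct = 100.0 * (used - free) / maximum
    return used_pct, live_pct


def nagios_state(percent, warn=80.0, crit=90.0):
    """Map a percentage to a Nagios/Icinga exit code and label."""
    if percent >= crit:
        return 2, "CRITICAL"
    if percent >= warn:
        return 1, "WARNING"
    return 0, "OK"


def check(text, warn=80.0, crit=90.0):
    """Parse `text` and return (exit_code, plugin_output)."""
    used_pct, live_pct = usage(parse_mdb_stat(text))
    code, label = nagios_state(used_pct, warn, crit)
    msg = (f"{label} - map usage {used_pct:.2f}% (live data {live_pct:.2f}%)"
           f" | used={used_pct:.2f}%;{warn};{crit}")
    return code, msg


if __name__ == "__main__":
    # Real use: mdb_stat -ef /var/lib/ldap/accesslog/ | ./check_mdb_fill.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MDB_STAT
    rc, message = check(data)
    print(message)
    sys.exit(rc)
```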
Re: Group ACLs
On 04/10/2023 at 14:46, Emmanuel Seyman wrote:
> Hello, all.
>
> I have an instance of OpenLDAP in which I use groups to manage access controls, similar to the way the FAQ and admin guide describe it.
>
> My DIT layout:
>
> uid=userildr1,ou=people,o=gdAA,dc=example,dc=com
> uid=userildr2,ou=people,o=gdAA,dc=example,dc=com
> ...
> cn=readINT,ou=groups,o=gdAA,dc=example,dc=com
> cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com
> cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com
> ...
> ou=people,o=INT,dc=example,dc=com
> ...
> ou=groups,o=INT,dc=example,dc=com
>
> Outside of the DIT, my slapd.conf file (yes, I know) contains:
>
> access to dn.sub="o=INT,dc=example,dc=com"
>     by self write
>     by group/groupOfUniqueNames/uniqueMember="cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com" write
>     by group/groupOfUniqueNames/uniqueMember="cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com" write
>     by group/groupOfUniqueNames/uniqueMember="cn=readINT,ou=groups,o=gdAA,dc=example,dc=com" read
>
> The uid=userildr1,ou=people,o=gdAA,dc=example,dc=com entry is in the readINT group yet seems unable to run a search. I get an error 50 ("Operations are restricted to bind/unbind/abandon/StartTLS/modify password") and cannot figure out why this is happening. If anyone can tell me what's going on, I would appreciate it.
>
> I'm seeing "config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context" in the log files but this looks harmless.
>
> This is OpenLDAP 2.5.14 running on RHEL 8, with the LTB packages. Logs and the configuration file are available if necessary.

Hello Emmanuel,

the error "Operations are restricted to bind/unbind/abandon/StartTLS/modify password" means the account has the pwdReset flag set to TRUE and must reset its password. It is linked to the password policy.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
LTB packages available for OpenLDAP 2.5.15 and 2.6.5
Hello, for people interested, the LDAP Tool Box project has published the packages for OpenLDAP 2.5.15 and 2.6.5. https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-5-15-and-2-6-5-packages-released/ -- Clément Oudot | Identity Solutions Manager clement.ou...@worteks.com Worteks | https://www.worteks.com
Re: pwdAccountLockedTime does not have any impact
On 11/07/2023 at 11:41, CVZ wrote:
> Hi Everybody,
>
> Sorry, we are fighting with pwdAccountLockedTime. I want to use the "pwdAccountLockedTime" attribute to automatically lock an account using OpenLDAP (v2.5.14). Whatever the value in the field, the account is never locked.
>
> I first started by activating the "ppolicy" module using slapadd and a ppolicy-module.ldif file such as mentioned here: https://stackoverflow.com/questions/49257247/how-to-activate-ppolicy-module-in-openldap, then I checked that the module is loaded and I did not have any problem:
>
> $ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
> olcModuleLoad: {0}ppolicy
>
> Then, I extended the LDAP schema to allow the use of ppolicy attributes such as "pwdAccountLockedTime".

No need to do that, pwdAccountLockedTime is an operational attribute.

> I have set it to "010100Z" in order to lock an account permanently (to check if it was working). But I can still connect (using LDAP Admin tools) with the account that was supposed to be locked.
>
> We also tried to modify the value
>
> dn: uid=...
> replace: pwdAccountLockedTime
> pwdAccountLockedTime: 20221021135537Z
>
> and even with dates in the future, but we are still able to connect, with the whoami command or from a SOGo webmail connected to the LDAP server.
>
> Any idea? Thanks in advance for your help.

Check that pwdLockout is set to TRUE in your ppolicy.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: migration 2.4 -> 2.5 (bdb -> mdb) | monitoring & health checks
On Wed, 21 Jun 2023 at 08:39, cYuSeDfZfb cYuSeDfZfb wrote:
> Hi Quanah,
>
> Thanks for your answer and kind suggestions! We will implement them.
>
> And anyone here using zabbix, and has some scripting for monitoring laying around..?

Hello,

we provide some monitoring scripts in the LDAP Tool Box project, for example: https://ltb-project.org/documentation/check_lmdb_usage.html

Clément.
Re: RoleOccupant filter
On 07/03/2023 at 06:58, forumforeign wrote:
> On 06.03.23 19:14, Clément OUDOT wrote:
>> On 06/03/2023 at 16:13, forumforeign wrote:
>>> '(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' RoleOccupant
>>> '(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))'
>>> '(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' RoleOccupant
>>>
>>> How can I change the filter to check if user1 belongs to the group developer?
>>
>> Use '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))', it will return one entry if the user is a member of the group "cn=developer", and no entry otherwise.
>
> Unfortunately it also doesn't work:
>
> $ openldapsearch -v -H ldaps:// -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))' RoleOccupant
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))
> # requesting: RoleOccupant
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> Also, I have tried (without RoleOccupant at the end)
>
> $ openldapsearch -v -H ldaps:// -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))'

There was a typo in the filter, the attribute of the RDN was missing:

'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=uid=user1,ou=people,dc=domain,dc=com))'

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: RoleOccupant filter
On 06/03/2023 at 16:13, forumforeign wrote:
> '(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' RoleOccupant
> '(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))'
> '(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' RoleOccupant
>
> How can I change the filter to check if user1 belongs to the group developer?

Use '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))', it will return one entry if the user is a member of the group "cn=developer", and no entry otherwise.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Checking users password
On 22/11/2022 at 11:52, Ian Porter wrote:
> Hi
>
> I have tried to change a user's password either by
>
> ldappasswd -H ldapi:/// -x -D "ADMIN ACCOUNT" -W -S "uid=USER,ou=USER,o=ORG"
>
> or via an ldif file with ldapmodify
>
> ldapmodify -H ldap:// -x -D "ADMIN ACCOUNT" -W -f ./password.ldif
>
> dn: uid=USER,ou=USER,o=ORG
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}SSHAPASSWORD HERE
>
> where the ADMIN ACCOUNT / USER etc have been replaced with the ldap cn=manager etc, but every time I try to confirm that the password has been updated via
>
> ldapwhoami -x -W -D "uid=USER,ou=USER,o=ORG" -H ldapi:///
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> I keep on getting the ldap_bind invalid credentials. I have tested the userPassword attribute via Apache Directory Studio and verified the userPassword is correct.
>
> Any advice, please

Why are you using ldapi:// with ldapwhoami and ldap:// with ldapmodify?

Did you check in your ACL that access to the userPassword attribute is allowed to authenticate users?

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Fwd: [OldapWS] -> Proposal of a REST Web Service for CRUD Operations
On 19/09/2022 at 18:54, Howard Chu wrote:
> Forwarding for exposure - any interest?

Hello,

I confirm my interest too. We are currently working with FusionDirectory which offers a REST API: https://rest-api.fusiondirectory.org/

The advantage is that FD has triggers which can be used to run a script on entry creation/modification/deletion. But this may be too high-level for an OpenLDAP server.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: need help to make OpenLDAP work as "this other directory, plus"
On 16/06/2022 at 09:25, jar...@bioteam.net wrote:
> Hi all. So, I'm trying to basically put a band-aid over an intentionally broken LDAP implementation. We use Okta as our single source of truth for directory services, and its implementation of LDAP intentionally leaves out uidNumber and gidNumber (and you can't change this) in order to force you to use their insanely expensive "Advanced Server Access" product. This $9500/yr expense for a minimum of 50 machines is a non-starter for the lab project we are trying to get working with LDAP. We're only talking about ~10 machines here and we very much want them to be ultimately authenticating against Okta for their passwords -- because this automatically MFAs them by default, and prevents credential proliferation for the services we run in the lab.
>
> So basically what I want to do is set up an LDAP server which passes just about everything through to Okta, but keeps consistent uidNumber and gidNumber values for each user in Okta who logs in. I think this is possible either with the "meta" backend or the "ldap" backend or both, but I'm not clear on how to configure these.
>
> I've followed this guide to get OpenLDAP working on a Rocky 8 server: https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/
>
> But that guide does not contain instructions for something like this, and even the OpenLDAP documentation is scarce when it comes to configuring backends. e.g.: https://www.openldap.org/doc/admin26/backends.html#LDAP even just for LDAP there is no indication of how I would introduce the bind DN for the backend LDAP or how it would know what to add, and the "meta" backend has no implementation details at all: https://www.openldap.org/doc/admin26/backends.html#Metadirectory

Hello Jarett,

another approach would be to create a local OpenLDAP server and synchronize it with the Okta LDAP server with LSC: https://lsc-project.org/

You will then be able to easily manage local attributes.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Official way to import schema with cn=config
On 02/04/2022 at 09:33, David Timber wrote:
> I had to write my own schema for my application and I was struggling to figure out how to import the schema I wrote into cn=config. I had thought I was missing something until I found this. https://gist.github.com/jaseg/8577024 Notice the name of the script. Someone had to write this because there's no tool that you can use to import schemas when slapd is configured with cn=config.

Note that the Fusion Directory project provides a utility for this: https://manpages.debian.org/bullseye/fusiondirectory-schema/fusiondirectory-insert-schema.1.en.html

> You can get away with it by using the include directive with slapd.conf.

You can use olcInclude with cn=config.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: log analysis tools
On Sat, 5 Feb 2022 at 20:57, Quanah Gibson-Mount wrote:
> --On Friday, February 4, 2022 10:12 PM -0500 Dave Macias wrote:
>
>> https://www.ltb-project.org/documentation/ldap-stats.html
>
> Is that the one I used to help maintain? I don't believe it's been updated for 2.5 and later, unless it was forked and someone else has started working on it.

Hello Quanah,

this is indeed a fork done inside the LTB project, there was no git repo for this script (or I did not find it). Of course if there are changes in the 2.5 log format, we can update the script.

Clément.
Re: Evolution of slapd 2.5 configuration over time ?
On 26/08/2021 at 18:13, Howard Chu wrote:
>> What would be the best practice to update the cn=schema,cn=config entry after an upgrade? It seems this schema is only available when we migrate slapd.conf to cn=config.
>
> The contents of the cn=schema,cn=config entry on disk are mostly irrelevant. That entry represents all the hardcoded schema in slapd, so it will always be generated in memory with slapd's current schema at runtime.

Oh, I discover that, thanks a lot! Do you know why it is generated when we convert slapd.conf to cn=config? It does not seem to have any advantage.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Evolution of slapd 2.5 configuration over time ?
On 26/08/2021 at 17:24, Howard Chu wrote:
>> It means that, when upgrading OpenLDAP, the previous configuration may not be compatible with the new OpenLDAP version.
>
> False. Additions to the schema are always forward-compatible. Where we have renamed objectclasses, we have kept the old name as an alias. So old configs will continue to work.

Hello Howard,

thanks a lot for this confirmation. What would be the best practice to update the cn=schema,cn=config entry after an upgrade? It seems this schema is only available when we migrate slapd.conf to cn=config. Maybe it could be interesting to provide an upgrade LDIF file that we could use to modify an existing configuration?

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
LTB packages for OpenLDAP 2.4.59 [was: OpenLDAP 2.4.59 available]
Hello,

LTB packages for OpenLDAP 2.4.59 are now available (Debian/Ubuntu/CentOS/RHEL). More information on https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-59-packages-released/

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
[Open Source Experience] Call for Papers is open
Hello,

there will be a big Open Source event in Paris in November. I am part of the program committee and would like to know if some of you would be interested in submitting talks: https://sessionize.com/opensource-experience/

You can reach me directly if you have some questions on the subject.

Regards,

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
OpenLDAP LTB packages for 2.4.58 are available
Hello, LTB packages for OpenLDAP 2.4.58 are available: https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-58-packages-released/ Download: https://ltb-project.org/download#openldap Thanks to OpenLDAP team and LTB team! Clément.
Re: Issue on backup on Open LDAP 2.4.38
On 03/03/2021 at 17:37, pascal.fou...@orange.com wrote:
> Hi all
>
> For several weeks, we have met an issue on our test and UA OpenLDAP main master servers, version 2.4.38, hosted on Linux Red Hat 6.4:
>
> slapd: [INFO] Using /etc/default/slapd for configuration
> slapd: [INFO] Launching OpenLDAP database backup...
> slapd: [OK] data saved in /var/opt/data/flat/openldap/backups/data-20210303154336.ldif
> 603fa0ac bdb(cn=changelog): Logging region out of memory; you may need to increase its size
> 603fa0ac hdb_db_open: database "cn=changelog": db_open(/var/opt/data/db/openldap/changelog/id2entry.bdb) failed: Cannot allocate memory (12).
> 603fa0ac backend_startup_one (type=hdb, suffix="cn=changelog"): bi_db_open failed! (12)
> slap_startup failed
> slapd: [ALERT] OpenLDAP database backup failed
>
> Once a week, this server is completely updated using a backup sent from our production server. On the backup master server, the backup process runs well.
>
> Any idea to fix this issue?

It seems clear you have a memory issue. With BDB/HDB, you can change memory settings in the DB_CONFIG file located in the data directory (here /var/opt/data/db/openldap/changelog/). Adapt the settings set_lg_regionmax / set_lg_max / set_lg_bsize.

And obviously you are running an outdated version on an outdated distro. The best advice is to use the latest OpenLDAP version and switch to MDB.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
LTB packages (was: OpenLDAP 2.4.57 available)
On 18/01/2021 at 21:21, proj...@openldap.org wrote:
> OpenLDAP 2.4.57 is now available for download as detailed on our download page:

LDAP Tool Box packages are available for Debian stretch / Debian buster / CentOS 7 / CentOS 8

See https://ltb-project.org/download#openldap

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
LTB OpenLDAP 2.4.56 (was:OpenLDAP 2.4.56 available)
Hello,

Debian and RPM packages are now available on LTB repositories. See https://ltb-project.org/download#openldap

Clément.
Re: Issues with resetting user password
On 18/09/2020 at 00:57, Quanah Gibson-Mount wrote:
> --On Thursday, September 17, 2020 11:41 PM + "CLARKE, ED C" wrote:
>
>> Hello,
>>
>> I am new to this arena, I have OpenLDAP installed on my Linux server RHEL 7.8.
>>
>> I am not able to reset user passwords, I have checked the systemctl status slapd.service and it is active & running.
>>
>> Below is an example of the resetpw.ldif:
>
> Are you using the ppolicy module? You've provided no information about your configuration.
>
> The correct way to change a user password is to use an LDAPv3 password modify operation, not an ldapmodify change. See the ldappasswd(1) command.

Note that we can't modify the pwdReset attribute through ldappasswd, as far as I know.

Ed, what is the error returned by your ldapmodify command?

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
LDAP Tool Box packages (was: OpenLDAP 2.4.53 available)
On Mon, 7 Sep 2020 at 17:37, wrote:
> OpenLDAP 2.4.53 is now available for download as detailed on our download page:
>
> https://www.openldap.org/software/download/

LTB packages for OpenLDAP 2.4.53 are also available: https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-53-packages-released/

Clément.
OpenLDAP LTB packages (was: OpenLDAP 2.4.52 available)
On Fri, 28 Aug 2020 at 19:46, wrote:
> OpenLDAP 2.4.52 is now available for download

Hello,

LDAP Tool Box packages have been published (see the announcement: https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-52-packages-released/)

We dropped support for Debian Wheezy, Debian Jessie and CentOS/RHEL 6 as OpenLDAP 2.4.52 requires a version of OpenSSL that is not available on these systems.

Cheers,

Clément.
Re: Enable and Disable a user account in OpenLDAP using various methods, CLI, GUI, etc.
On 19/08/2020 at 21:55, Quanah Gibson-Mount wrote:
> --On Wednesday, August 19, 2020 8:50 PM + wbran...@mcw.edu wrote:
>> things, I just need to know this specific task.
>> So if it is possible in OpenLDAP, to disable and enable users can anyone point me to a document or a YouTube Video or any information.
>
> We would need to know how your OpenLDAP instance is configured. For example, if you are using the password policy overlay along with a specific password policy that allows for disabling accounts. If you're not doing that, then you likely have to implement something that allows this to be done. For example, a custom attribute that tracks the account status, and then an ACL that blocks access to the userPassword attribute if an account has been disabled.
>
> I.e., the information you have provided so far doesn't enable us to provide you the information necessary.

If you use the ppolicy overlay, you can use LTB Service Desk, a Web GUI. See https://service-desk.readthedocs.io

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: LDAP Tool Box packages [was: OpenLDAP 2.4.51 available, LMDB 0.9.26 available]
On Mon, 17 Aug 2020 at 16:28, Giuseppe De Marco wrote:
> Hi Clément, great job, awesome!
>
> Is there any possibility to have the SQL backend in LTB in future releases?
>
> Official Deb packages lack this. It seems a little bit buggy, so LTB would be a great opportunity to have a well supported SQL backend without compiling from source.

Yes, please open a feature request here: https://github.com/ltb-project/openldap-deb/issues

Clément.
LDAP Tool Box packages [was: OpenLDAP 2.4.51 available, LMDB 0.9.26 available]
Hello, LDAP Tool Box packages for OpenLDAP 2.4.51 are released. They can be downloaded on https://ltb-project.org/download#openldap or installed with yum/apt Thanks again to OpenLDAP team for their great work! Clément.
Re: [Question]: Looking for updated ppolicy in v2.4.50
On 29/06/2020 at 16:07, Dave Macias wrote:
> Hello,

Hi,

> Using openldap v2.4.50 and noticed that there were some updates <https://github.com/openldap/openldap/commit/4bc54d104a9563d35f3d5fc2e69fe7afea36a9d2> which were part of the 2.4.50 release.

As far as I know, this is not part of 2.4.50 but planned for 2.5.

> I installed openldap but cannot find those new attributes (pwdMaxLength, pwdStartTime, etc)
>
> > grep pwdMaxL /etc/openldap/schema/*
> > grep pwdStar /etc/openldap/schema/*
>
> Maybe I am missing something.
> Could someone please point me in the right direction?

You can try to get the 2.5 branch and test these new features.

For people interested in this topic, I gave this afternoon a quick talk about password policy in OpenLDAP: https://www.slideshare.net/wortekscom/pass-the-salt-2020-understand-password-policy-in-openldap-and-discover-tools-to-manage-it

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: OpenLDAP help - Import issue
On 04/05/2020 at 11:51, Pranjit Biswas wrote:
> This is how the password was created:
>
> slappasswd -s test1234
> {SSHA}wbMAL5Q8I8yDEfyCaau1irgIgBSqUQAb
>
> This SSHA PW has been updated in olcDatabase={2}hdb.ldif.
>
> olcRootPW: {SSHA}wbMAL

This is your mistake. You must not directly edit the LDIF files. Use ldapmodify or export/import your configuration.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: OpenLDAP, systemd and EL 7.7
On 02/05/2020 at 23:26, Abdelkader Chelouah wrote:
> Hello,
>
> Since the upgrade to RHEL 7.7, my openldap service with property Type=forking and property PIDFile defined doesn't start and its status shows the following error messages:
>
> May 02 20:02:57 systemd[1]: New main PID 445254 does not belong to service, and PID file is not owned by root. Refusing.
>
> Actually, slapd is started with -u ldap -g ldap options, so the owner of the pid file slapd.pid is ldap. The problem was introduced by systemd-219-67 to fix the security issue CVE-2018-16888. See https://access.redhat.com/solutions/4420581 for more details.
>
> Is there a way to overcome this issue?

Hello,

I just tested with OpenLDAP LTB packages on CentOS 7 (7.8.2003) and 8 (8.1.1911) and there is no issue. Here is the systemd file:

[root@kptn-centos7 ~]# cat /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP LTB startup script
Documentation=https://ltb-project.org/documentation
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/usr/local/openldap/var/run/slapd.pid
ExecStart=/usr/local/openldap/sbin/slapd-cli start
ExecStop=/usr/local/openldap/sbin/slapd-cli stop

[Install]
WantedBy=multi-user.target

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: OpenLDAP help - Import issue
On 02/05/2020 at 18:24, Pranjit Biswas wrote:
> HI,
>
> We are trying to install openldap.x86_64 - 2.4.44-21.el7_6 on a Linux RHEL 7.7 on AWS.
>
> We have installed and made changes to the config files and did a slaptest of the config file as shown below.
>
> [root@efg-ac cn=config]# slaptest -u
> 5ea6064f ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
> 5ea6064f ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
> config file testing succeeded
>
> Now we are importing the ldif file from our current on-prem server. Even though we were getting different errors earlier, after all the changes we have made to the config, the error that we are getting now is an ldap_bind error for the credentials.
>
> [root@efg-dev cn=config]# ldapadd -w ******** -x -D "cn=Manager,dc=bpost,dc=be" -f ldap_dump-27042020-DEV.ldif
> ldap_bind: Invalid credentials (49)
>
> We are not sure which password to give here.
>
> We have given the same credentials in the config file: olcDatabase={2}hdb.ldif
>
> olcRootDN: cn=Manager,dc=bpost,dc=be
> olcRootPW: ********

Just to be sure, did you give the password in clear text in the ldapadd command?

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
LTB packages for OpenLDAP 2.4.50 (was: OpenLDAP 2.4.50 available)
Hello, LDAP Tool Box packages for OpenLDAP 2.4.50 are available for RedHat/CentOS/Debian/Ubuntu : https://ltb-project.org/download#openldap Thanks to David Coutadeur for the Debian packages. Clément.
Re: 2.4.50 and pw-argon2
On 29/04/2020 at 11:03, Geert Hendrickx wrote:
> FWIW, the pw-argon2 module does not build on CentOS 6, it needs a newer libsodium than the one available in EPEL 6 (that one does not implement argon2 yet).
>
> CentOS 7 is fine.

I confirm, this will be included in LTB packages for CentOS 7 and CentOS 8.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: rootdn & password policy
On 13/04/2020 at 19:34, Hannah Chenh wrote:
> Hello,
> I have a question related to rootdn and password policy.
> I understand that the rootdn can bypass all restrictions.
> We have a requirement to bypass a password policy for the admin user.
> Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
> Currently I have granted the following to the admin_user:
> ===
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcAccess
> olcAccess: {0}to attrs=userPassword
>   by self write
>   by anonymous auth
>   by dn.base="cn=Manager,dc=abcdomain,dc=com" write
>   by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
>   by * none
> olcAccess: {1}to *
>   by self write
>   by dn.base="cn=Manager,dc=abcdomain,dc=com" write
>   by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
>   by * read
> ===
> Any help would be appreciated.

I have done some tests today, I did not find a solution. I tried to give the "manage" right to a service account, and then use the relax or ManageDSAIT controls to force the change of a password which is too short; it is always rejected. The modification is only accepted if it is done by the rootdn.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: [EXT] Slapd unexpectedly shutdown
On 07/04/2020 at 23:56, Quanah Gibson-Mount wrote:
> --On Wednesday, April 8, 2020 12:35 AM +0200 Kevin Olbrich wrote:
>
>> My version is 2.4.49+dfsg-2~bpo10+1 (buster-backports). Should be in there I think.
>> I've now included ppolicy.schema to solve the issue. Tomorrow I will try if the issue is still present.
>
> Ok. If it still crashes, the best thing to do would be to:
>
> a) Install the debugging symbols package
>
> b) Get a full backtrace under GDB from the running process at the time at which it segfaults.
>
> c) Open a bug at https://bugs.openldap.org, include your configuration (minus any passwords) and the full backtrace in the bug report.

Hello,

we also have a quite similar issue with back-meta, even in 2.4.49, see https://bugs.openldap.org/show_bug.cgi?id=9098

Maybe these issues are linked.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: pwdChangedTime not defined when creating new entry
On 09/03/2020 at 10:31, Michael Ströder wrote:
> On 3/9/20 10:19 AM, Clément OUDOT wrote:
>> On 06/03/2020 at 17:47, Quanah Gibson-Mount wrote:
>>> --On Friday, March 6, 2020 8:47 AM + Manuela Mandache wrote:
>>>> Thanks for your answer. Well, if you don't get the same behavior as I do, it does seem I have a configuration issue. But what configuration issue can that be? Where should I look for it?
>>> I might start with seeing if there are noticeable differences between the 2.3 and 2.4 ppolicy man pages. And perhaps Clément can share the config he was working with. :)
>> Here is the overlay configuration:
>>
>> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
>> [..]
>> olcPPolicyHashCleartext: TRUE
> What happens if you set this to FALSE?

I don't see what it could change, as I create the user entry with an already encrypted password. So the ppolicy overlay will not hash the password.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: pwdChangedTime not defined when creating new entry
On 06/03/2020 at 17:47, Quanah Gibson-Mount wrote:
> --On Friday, March 6, 2020 8:47 AM + Manuela Mandache wrote:
>
>> Hello Clément,
>>
>> Thanks for your answer. Well, if you don't get the same behavior as I do, it does seem I have a configuration issue. But what configuration issue can that be? Where should I look for it?
>>
>> The present dynamic configuration of the directory running on 2.4.44 was obtained through direct conversion of the static configuration of the directory running on 2.3.34 - where the pwdChangedTime is set when I add a new entry with ldapadd.
>
> I might start with seeing if there are noticeable differences between the 2.3 and 2.4 ppolicy man pages. And perhaps Clément can share the config he was working with. :)

Here is the overlay configuration:

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: FALSE

The LDIF of the created entry:

dn: uid=testpolicy,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
pwdPolicySubentry: cn=default,ou=ppolicies,dc=example,dc=com
uid: testpolicy
userPassword:: e1NTSEEyNTZ9VyttdTB0eU5LZThnamFDajBaU0J2Tm9MRFJ0anNTbDZqUkk1WTZ
 MREk2V1lSZlhCZ0YvRndBPT0=
sn: test
cn: test

The related ppolicy:

dn: cn=default,ou=ppolicies,dc=example,dc=com
objectClass: device
objectClass: extensibleObject
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 86400
pwdGraceAuthNLimit: 0
pwdInHistory: 4
pwdLockout: TRUE
pwdMaxAge: 31536000
pwdMaxFailure: 3
pwdMinAge: 0
pwdMinLength: 4
pwdMustChange: TRUE
pwdSafeModify: FALSE

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: pwdChangedTime not defined when creating new entry
On 05/03/2020 at 18:55, Dieter Klünter wrote:
> On Thu, 5 Mar 2020 18:15:41 +0100, Clément OUDOT wrote:
>
>> On 05/03/2020 at 10:10, Dieter Klünter wrote:
>>> On Wed, 04 Mar 2020 13:36:08 +, Manuela Mandache wrote:
>>>
>>>> Hello all,
>>>>
>>>> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
>>>> overlay on the main database. When a new entry with a userPassword
>>>> defined is created, pwdChangedTime is not defined, so this initial
>>>> userPassword never expires.
>>>>
>>>> The directory has been migrated from its OpenLDAP 2.3.34 instance
>>>> (yes, we missed some steps...), and there the pwdChangedTime is
>>>> set, and naturally equal to createTimestamp.
>>>>
>>>> The overlay is configured as follows:
>>>> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
>>>> objectClass: olcOverlayConfig
>>>> objectClass: olcPPolicyConfig
>>>> olcOverlay: {2}ppolicy
>>>> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
>>>> olcPPolicyHashCleartext: TRUE
>>>> olcPPolicyUseLockout: TRUE
>>>>
>>>> Is there a parameter I missed which would switch on setting
>>>> pwdChangedTime at entry creation? Do I have to provide some other
>>>> configuration elements?
>>>>
>>>> Or is it unreasonable to expect this initialisation of the
>>>> attribute this way, and only a password change can set it? I think
>>>> the setting at creation is rather handy... Using pwdMustChange
>>>> would be difficult, we have a lot of client apps which would be
>>>> forced to check and probably adapt their authentication
>>>> procedures.
>>> [...]
>>> The password attribute value must be set by a password modify
>>> extended operation in order to set password policy in effect, see man
>>> slapo-ppolicy(5)
>>
>> Are you sure? The password modify extended operation is required for
>> smbk5pwd overlay, but not for ppolicy overlay?
> From ldappasswd(1)
> ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation.

Agreed, but the question was related to the ppolicy overlay, not the ldappasswd command. When you create an entry, you do it with a standard ADD operation. If there is a password in the entry, the ppolicy overlay will do its job and create the pwdChangedTime attribute.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: pwdChangedTime not defined when creating new entry
On 05/03/2020 at 10:10, Dieter Klünter wrote:
> On Wed, 04 Mar 2020 13:36:08 +, Manuela Mandache wrote:
>
>> Hello all,
>>
>> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
>> overlay on the main database. When a new entry with a userPassword
>> defined is created, pwdChangedTime is not defined, so this initial
>> userPassword never expires.
>>
>> The directory has been migrated from its OpenLDAP 2.3.34 instance
>> (yes, we missed some steps...), and there the pwdChangedTime is set,
>> and naturally equal to createTimestamp.
>>
>> The overlay is configured as follows:
>> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
>> objectClass: olcOverlayConfig
>> objectClass: olcPPolicyConfig
>> olcOverlay: {2}ppolicy
>> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
>> olcPPolicyHashCleartext: TRUE
>> olcPPolicyUseLockout: TRUE
>>
>> Is there a parameter I missed which would switch on setting
>> pwdChangedTime at entry creation? Do I have to provide some other
>> configuration elements?
>>
>> Or is it unreasonable to expect this initialisation of the attribute
>> this way, and only a password change can set it? I think the setting
>> at creation is rather handy... Using pwdMustChange would be
>> difficult, we have a lot of client apps which would be forced to
>> check and probably adapt their authentication procedures.
> [...]
> The password attribute value must be set by a password modify extended
> operation in order to set password policy in effect, see man
> slapo-ppolicy(5)

Are you sure? The password modify extended operation is required for the smbk5pwd overlay, but not for the ppolicy overlay?

I just tested the creation of an entry with a password when the ppolicy overlay is configured, and the pwdChangedTime is indeed created. You may have a configuration issue.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
LTB Debian and CentOS builds (was: OpenLDAP 2.4.49 available, LMDB 0.9.25 available)
On Thu 30 Jan 2020 at 19:27, OpenLDAP project wrote:
>
> OpenLDAP 2.4.49 is now available for download as detailed on our download
> page:

Hello,

LDAP Tool Box packages for Debian and CentOS are now available:
https://ltb-project.org/download#openldap

Clément.
Re: RE24 testing call (2.4.49) LMDB RE0.9 testing call (0.9.25)
On 13/01/2020 at 18:12, Quanah Gibson-Mount wrote:
> This is the first testing call for OpenLDAP 2.4.49. Depending on the
> results, this may be the only testing call.
>
> Generally, get the code for RE24:
>
> <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz>
>
> Configure & build.
>
> Execute the test suite (via make test) after it is built. Optionally,
> cd tests && make its to run through the regression suite.

Hello,

tested on CentOS 7 with the LTB build. The test suite works; the regression suite could not be run to the end because I did not have enough disk space on my virtual machine, but the first tests were all ok.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Is there a way to set a preference on entries with multiple userPassword attributes?
On 2019-11-20 21:40, Jeremy Diaz wrote:
> Hello,
>
> Currently I have LDAP entries with 2 userPassword attributes. One is a
> regular SHA password while the other one delegates to SASL. However
> this results in all entries binding through SASL rather than locally.
> I need some entries to default to SASL and other entries to default to
> SHA but still failover to the other password entry. Is this possible
> through OpenLDAP?

Hello Jeremy,

I have done some tests. I confirm that you can have 2 userPassword values, one SASL and the other regular. When you BIND with a password, it seems all values are tested, and if one matches, then the BIND is successful.

I don't see how you can select an order in the passwords. But why is it a problem? With this setup, you can use a SASL or a regular password for an entry, and the failback will work.

--
Clément Oudot
Worteks - https://www.worteks.com
Re: OpenLDAP 2.5 plans and community engagement
On 25/07/2019 at 10:43, Ondřej Kuzník wrote:
> On Thu, Jul 25, 2019 at 10:14:36AM +0200, Clément OUDOT wrote:
>> On 24/07/2019 at 20:01, Ondřej Kuzník wrote:
>>> Let us know what the pain points have been with OpenLDAP when you were just
>>> starting, right now and if you have a suggestion how to make it easier to start
>>> using it. Or if you wanted to contribute, has anything discouraged you?
>>> There are things we might not be able to influence easily (LDAP itself can be
>>> complex), but a fresh look might help direct efforts in the right direction.
>> thanks a lot for this mail. I hope that I can help the OpenLDAP project the
>> best I can.
>>
>> I can work on the website or documentation, let me know.
> Hi Clément,
> if you wanted to get started now, the website would be the more important of
> the two. The main issue is that if someone's landed there for the first
> time, they expect to find something completely different (latest
> version download link, news, ...?) Don't know what's the best course of
> action, so will leave that up to you and others.
>
> AFAIK the git repo here reflects exactly what is served?
> https://www.openldap.org/devel/gitweb.cgi?p=openldap-www.git
>
> An evolution on the caterpillar might also be considered at some point.
>
> If you wanted to review documentation, pick a task and we can help from
> there :)

Great, I'll do it as soon as possible, but it will be after my vacations ;)

Clément.
Re: OpenLDAP 2.5 plans and community engagement
On 24/07/2019 at 20:01, Ondřej Kuzník wrote:
> Let us know what the pain points have been with OpenLDAP when you were just
> starting, right now and if you have a suggestion how to make it easier to start
> using it. Or if you wanted to contribute, has anything discouraged you?
> There are things we might not be able to influence easily (LDAP itself can be
> complex), but a fresh look might help direct efforts in the right direction.

Hello Ondřej,

thanks a lot for this mail. I hope that I can help the OpenLDAP project the best I can.

I can work on the website or documentation, let me know.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Invalid DN reported during authentication
On 24/06/2019 at 15:57, Chris K wrote:
> Hello experts,

Hello,

> 5d10d347 conn=1048 op=1 do_bind: invalid dn
> (swadm...@openldapsec.brm.acslab.wokyourdog.net)

Your LDAP client is sending the invalid DN, so the issue is not on the server side. Check your LDAP client configuration.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: ObjectClass auxiliary - Beginner's question
On 21/05/2019 at 09:33, Olivier - wrote:
> Hi all,
>
> I have to re-write a schema but I'm a beginner with this.
> I would like to add some attributes to describe a service.
>
> We use an AUXILIARY class to add some attributes:
>
> objectclass ( 1.2.250.1.152.14.2.1.2 NAME 'intService'
>     SUP top AUXILIARY
>     MAY (...))
>
> We have an object using this objectclass and another:
> dn: idService=196018, dmdName=Services, dc=fr
> objectClass: intService
> objectClass: organizationalUnit
>
> Now I would like to transform this object into a static group, so I use
> groupOfNames and I get this error:
>
> Object class violation (65)
> additional info: invalid structural object class chain
> (organizationalUnit/groupOfNames)
>
> Why can't I use groupOfNames with organizationalUnit? Or is it
> another problem?

This is a schema restriction: you can't mix structural object classes inside an entry (unless they belong to the same chain, like person/organizationalPerson/inetOrgPerson). So you can't have groupOfNames and organizationalUnit. Choose one of them.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Issue with OpenLDAP as a proxy to multiple Windows DCs backends
On 10/05/2019 at 12:27, David Sanchez Herrero wrote:
> Hello Clement,
>
> Thank you for your answer. I tried some of these parameters before
> with no success. I can't remember exactly which values I probed
> because I tested them a few weeks ago, so I checked them again with
> this configuration, and I have the same wrong behaviour as without them:

You can maybe try the quarantine directive:

quarantine <interval>,<num>[;<interval>,<num>[...]]
    Turns on quarantine of URIs that returned LDAP_UNAVAILABLE, so that an attempt to reconnect only occurs at given intervals instead of any time a client requests an operation. The pattern is: retry only after at least interval seconds elapsed since last attempt, for exactly num times; then use the next pattern. If num for the last pattern is "+", it retries forever; otherwise, no more retries occur. This directive must appear before any target specification; it affects all targets with the same pattern.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Issue with OpenLDAP as a proxy to multiple Windows DCs backends
On 09/05/2019 at 12:10, David Sanchez Herrero wrote:
> Hello all,
>
> I'm having an issue with the configuration of an OpenLDAP working as a
> proxy to various Active Directory backends. The OpenLDAP proxy is in
> our network and we have various VPNs to connect it to the remote Windows Domain
> Controllers (5 remote Domain Controllers of different customers, each
> one managing its own domain).
>
> To configure the proxy, we use the META database.
>
> When all the Domain Controllers are up, everything works fine, but
> when one of them goes down (network problems, a machine reboot, etc.),
> the web app that uses the OpenLDAP proxy
> stops authenticating all users of all domains. The system process is
> even hung and when you try to stop or restart the service,
> it takes a long time to respond. I can't find a way to force a short
> timeout to ignore the offline DC and let the users of the other
> domains continue working.
>
> The server OS is CentOS Linux release 7.4.1708 (Core), and the
> OpenLDAP version 2.4.44.
>
> To check if this is an issue of this old version, I have deployed
> another server with Fedora 30 and OpenLDAP 2.4.47, but same behaviour,
> so it's probably a configuration problem.
>
> Below is the slapd.conf file I'm using (with no private data). Any
> ideas about what to change in the configuration file?
>
> Thanks in advance and best regards, David.

Hello David,

you should try to configure some timeouts to cut connections to the failing AD. From "man slapd-meta":

bind-timeout <microseconds>
    This directive defines the timeout, in microseconds, used when polling for response after an asynchronous bind connection. The initial call to ldap_result(3) is performed with a trade-off timeout of 10 us; if that results in a timeout exceeded, subsequent calls use the value provided with bind-timeout. The default value is used also for subsequent calls if bind-timeout is not specified. If set before any target specification, it affects all targets, unless overridden by any per-target directive.

idle-timeout <time>
    This directive causes a cached connection to be dropped and recreated after it has been idle for the specified time. The value can be specified as [<d>d][<h>h][<m>m][<s>[s]] where <d>, <h>, <m> and <s> are respectively treated as days, hours, minutes and seconds. If set before any target specification, it affects all targets, unless overridden by any per-target directive.

keepalive <idle>:<probes>:<interval>
    The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle is the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before dropping the connection; interval is the interval in seconds between individual keepalive probes. Only some systems support the customization of these values; the keepalive parameter is ignored otherwise, and system-wide settings are used.

network-timeout <time>
    Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity. The value is in seconds, and it can be specified as for idle-timeout. If set before any target specification, it affects all targets, unless overridden by any per-target directive.

You can maybe give a try to "network-timeout" first.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Open LDAP - How to define an additional "uid" like attribute equivalent to a RDMS unique key index
On 30/04/2019 at 21:02, Michael Ströder wrote:
> On 4/30/19 12:20 PM, pascal.fou...@orange.com wrote:
>> => extended flags
>>
>> https://ldapwiki.com/wiki/Extended%20Flags
> Most of these attribute type description extensions are not relevant for
> OpenLDAP at all.
>
>> I've tried several configurations such as:
>> - define xuid attribute using uid as a parent attribute type
>>
>> olcAttributeTypes: {76}( ORANGE-AT:77 NAME 'xuid' SUP uid EQUALITY
>>   caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
>>   1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
> You should *not* use SUP uid unless you're 100% sure about its
> implications regarding matching rules also affecting index use and
> slapo-unique.
>
>> - define xuid attribute using uid as a parent attribute type with
>>   additional extended flags
>>
>> olcAttributeTypes: {76}( ORANGE-AT:77 NAME 'xuid' SUP uid EQUALITY
>>   caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
>>   1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE X-NDS_NAME 'uniqueID'
>>   X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' X-NDS_PUBLIC_READ '0'
>>   X-NDS_NONREMOVABLE '0' )
> Everything starting with X-NDS only applies to Novell eDirectory (or
> whatever it's called today) and thus is useless.
>
> For the rest see (as Quanah suggested):
> https://www.openldap.org/software/man.cgi?query=slapo-unique

Hello,

as said by others, you indeed need to configure the unique overlay. You can also have a look at the constraint overlay to add other checks, like regexp or size.
https://www.openldap.org/software/man.cgi?query=slapo-constraint

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: reverse search in dynamic group ?
On 05/04/2019 at 19:18, Martin Pittamitz wrote:
> On 05/04/2019 16:33, Clément OUDOT wrote:
>>
>> On 05/04/2019 at 10:36, Olivier - wrote:
>>> Hi all,
>>
>> Hello,
>>
>>> I'm testing static group and dynamic group.
>>>
>>> * Dynamic group: is it possible to do a reverse search in a dynamic
>>>   group? I read something about the "ismemberof" attribute and
>>>   /ds-virtual-static-group/. But I'm not sure we can do it with
>>>   openldap
>>
>> Not with the dynlist overlay, but you could try the autogroup overlay with
>> the memberof overlay. The autogroup overlay will build static groups
>> through a memberUrl.
>>
>>> * Static group seems to be fine for me. I have a newbie's question:
>>>   can we have, for example, the mail attribute of all members of
>>>   service Y in only one request?
>>>   I mean: make a request on service Y to have the member list and,
>>>   in the same action, have the members' mail.
>>
>> You could do it by using the "deref" search extended control.
>>
>> --
>> Clément Oudot | Identity Solutions Manager
>> clement.ou...@worteks.com
>> Worteks | https://www.worteks.com
>
> Hi,
>
> I have implemented a setup like that ("autogroup" and "memberof"
> overlay, modified dynlist schema to include "member" attribute).
>
> Everything is working, except for the memberOf attribute in
> combination with autogroup and a groupOfURLs.
>
> E.g. I can list all the members of an autogroup fine if I search for
> the group, but if I request the memberOf for a certain uid, only the
> non-autogroup groups are returned.
>
> According to the bits of documentation I could find, everything should
> be set up correctly, but the memberOf is never set for autogroups.
>
> From #openldap I got the information that this should be working,
> theoretically, ... see this thread, which describes exactly my use
> case with the same problems surfacing:
>
> http://www.openldap.org/lists/openldap-bugs/201407/msg00040.html
>
> Any insights on this?

Hello,

it seems to work if you set the memberOf overlay after the autogroup overlay:

dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: {0}groupOfURLs memberURL member

dn: olcOverlay={10}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {10}memberof
olcMemberOfGroupOC: groupOfURLs
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: reverse search in dynamic group ?
On 05/04/2019 at 10:36, Olivier - wrote:
> Hi all,

Hello,

> I'm testing static group and dynamic group.
>
> * Dynamic group: is it possible to do a reverse search in a dynamic
>   group? I read something about the "ismemberof" attribute and
>   /ds-virtual-static-group/. But I'm not sure we can do it with openldap

Not with the dynlist overlay, but you could try the autogroup overlay with the memberof overlay. The autogroup overlay will build static groups through a memberUrl.

> * Static group seems to be fine for me. I have a newbie's question:
>   can we have, for example, the mail attribute of all members of
>   service Y in only one request?
>   I mean: make a request on service Y to have the member list and,
>   in the same action, have the members' mail.

You could do it by using the "deref" search extended control.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: LDAP authentication with just sAMAccountName
On 12/03/2019 at 14:34, Florea, Cosmin Petre wrote:
>
> Hi,
>
> In the meantime, I learned from the DirectoryEntry's source file that
> an anonymous bind is made first to URL "LDAP://RootDSE", then the
> name of the domain is read from property "defaultNamingContext", then
> a second bind with sAMAccountName@domain is made. The problem is that
> I don't know how to do it with the OpenLDAP API. Do you have any examples?

You should read ITS 8973: http://www.openldap.org/its/index.cgi?findid=8973

A change in OpenLDAP 2.4.47 prevents the use of the C# DirectoryEntry / DirectorySearcher objects. You need to use System.DirectoryServices.Protocols to request an OpenLDAP directory.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Expected operation of pwdFailureCountInterval
On 27/02/2019 at 04:05, Tom Jay wrote:
> Hello,
>
> Can someone explain the expected operation of the
> pwdFailureCountInterval attribute please? The documentation seems to
> be fairly clear, but if I add it to the password policy, along with
> some other attributes, the account remains locked, even after the
> pwdFailureCountInterval time. Despite authenticating with a valid
> password, the pwdFailureTime entries remain and the account remains
> locked.
>
> These are the attributes in use:
> pwdLockout: TRUE
> pwdMaxFailure: 5
> pwdFailureCountInterval: 1200

Hello Tom,

if you read the documentation, you will see that you need to configure pwdLockoutDuration to set the time during which the account is locked.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
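As an added illustration of the exchange above (this is not code from the thread or from OpenLDAP), a small Python model of the ppolicy failure bookkeeping: pwdFailureCountInterval only ages out pwdFailureTime values, a locked account is rejected before its password is checked, and only pwdLockoutDuration lets a lock set by pwdMaxFailure expire. The timings and the password "correct-horse" are constructed.

```python
"""Model of the slapo-ppolicy lockout bookkeeping discussed in the thread.

Added example, not code from the thread or from OpenLDAP. It tracks the two
operational attributes ppolicy writes on an account, pwdFailureTime (one value
per failed bind) and pwdAccountLockedTime, and applies the three policy
attributes in play: pwdMaxFailure, pwdFailureCountInterval and
pwdLockoutDuration. Times are plain epoch seconds; the diagnostic strings
mirror the ppolicy response control errors.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    pwdLockout: bool = True
    pwdMaxFailure: int = 5
    pwdFailureCountInterval: int = 0  # 0: failures are only reset by a successful bind
    pwdLockoutDuration: int = 0       # 0: locked until an administrator resets it


@dataclass
class Account:
    password: str                      # constructed cleartext, stands in for userPassword
    pwdFailureTime: List[int] = field(default_factory=list)
    pwdAccountLockedTime: Optional[int] = None


def bind(acct: Account, pol: Policy, password: str, now: int) -> Tuple[bool, str]:
    """Simple bind at time `now`; returns (success, diagnostic)."""
    # A locked account is rejected before the password is even checked, which is
    # why binding with the correct password clears nothing (Tom's observation).
    if acct.pwdAccountLockedTime is not None:
        if pol.pwdLockoutDuration == 0 or now < acct.pwdAccountLockedTime + pol.pwdLockoutDuration:
            return False, "accountLocked"
        acct.pwdAccountLockedTime = None  # pwdLockoutDuration elapsed: lock lifted
    if password == acct.password:
        acct.pwdFailureTime.clear()       # a successful bind resets the failure counter
        return True, "success"
    # pwdFailureCountInterval ages out old failures; it never lifts a lock.
    if pol.pwdFailureCountInterval > 0:
        acct.pwdFailureTime = [t for t in acct.pwdFailureTime
                               if now - t < pol.pwdFailureCountInterval]
    acct.pwdFailureTime.append(now)
    if pol.pwdLockout and len(acct.pwdFailureTime) >= pol.pwdMaxFailure:
        acct.pwdAccountLockedTime = now   # pwdMaxFailure reached: lock the account
    return False, "invalidCredentials"


def simulate(pol: Policy, attempts: List[Tuple[int, str]]) -> List[str]:
    """Run a sequence of (time, password) binds against a fresh account."""
    acct = Account(password="correct-horse")
    return [bind(acct, pol, pw, t)[1] for t, pw in attempts]


# Five wrong passwords in a burst, then the right one just after and again 2000 s later.
BURST = [(t, "wrong") for t in range(5)] + [(5, "correct-horse"), (2000, "correct-horse")]
# Four wrong passwords, a fifth one 1500 s later (the first four have aged out), then the right one.
SPREAD = [(t, "wrong") for t in range(4)] + [(1500, "wrong"), (1501, "correct-horse")]


if __name__ == "__main__":
    as_posted = Policy(pwdMaxFailure=5, pwdFailureCountInterval=1200)
    with_duration = Policy(pwdMaxFailure=5, pwdFailureCountInterval=1200, pwdLockoutDuration=1200)
    print("as posted, burst:    ", simulate(as_posted, BURST))       # stays locked
    print("with duration, burst:", simulate(with_duration, BURST))   # unlocks after 1200 s
    print("as posted, spread:   ", simulate(as_posted, SPREAD))      # never locks
```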
Re: Re: Re: Forbidden account password reuse of the last 5 password
On 15/02/2019 at 04:08, Tian Zhiying wrote:
>
> Clément Oudot,
>
> Thank you.
>
> I have changed the rootdn from root to another user, it's still not
> working. I can modify the user password to the same as before.

First check that you are sending your password in cleartext, so that OpenLDAP can check the syntax and compare it to the passwords in history.

You might need to set pwdCheckQuality to 1 or 2 in your ppolicy, but I am not sure it is required to check history. It is needed to check password length and other checks from the optional password checker module.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Re: Forbidden account password reuse of the last 5 password
On 14/02/2019 at 12:17, Tian Zhiying wrote:
>
> But it seems not to be working, my passwords are the following:
>
> First time password: AAbb1122
>
> Second time password: CCdd3344
>
> Third time password: AAbb1122, the same as the first time password; it
> has been modified successfully.

Check that the password modification is not done by the rootdn, as the rootdn bypasses password policy constraints.

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: OpenLDAP 2.4.47 available, LMDB 0.9.23 available
Hello,

for information, LDAP Tool Box packages for OpenLDAP 2.4.47 are available:

* https://ltb-project.org/documentation/openldap-rpm
* https://ltb-project.org/documentation/openldap-deb

Thanks a lot to the OpenLDAP community for this great software!

Clément.
Re: Password policy messages - how can I pass back
On 10/10/2018 at 20:16, Ervin Hegedüs wrote:
> Hi there,

Hello,

> I mean:
>
> # /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D "UID="dminuser,dc=hu" -s "abcdefghijkl" "uid=airween,ou=Users,dc=hu"
> Result: Constraint violation (19)
>
> There isn't any detailed information on the reason why the
> policy module drops the request, but I can see it in the logfile:
>
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: check_password_quality: module error: (pwdCheckModule-poc.so) Passwords less than 16 characters require at least 3 traits (upper case, lower case, digits, or special characters).[1]
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: conn=1742 op=1 p=3
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: err=19 matched="" text="Passwords less than 16 characters require at least 3 traits (upper case, lower case, digits, or special characters)"

With LDAP clients like ldappasswd, you need to send the ppolicy client control with "-e ppolicy".

> Note that on the PHP side I'm using:
>
> ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
>
> and the $_err variable is empty.

This should be possible in PHP 7.3, see https://bugs.php.net/bug.php?id=69437

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Using ppolicy and autogroup to apply policy to a group a users
Hello,

we often have the question on this list: how to apply a policy to a branch or a group of users? I was thinking we could use autogroup with this kind of configuration:

dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: pwdPolicy memberUrl seeAlso
olcAGmemberOfAd: pwdPolicySubentry

The goal is to have a memberUrl inside a pwdPolicy object, that can target the accounts that need to have this policy. For example:

dn: cn=default,ou=ppolicies,dc=example,dc=com
changetype: modify
replace: memberURL
memberURL: ldap:///ou=users,dc=example,dc=com??one?(uid=user*)

The autogroup "olcAGattrSet" is working well, I can see the seeAlso values. But the "olcAGmemberOfAd" does not seem to be applied. I don't know if this is a conflict with the ppolicy overlay, or other overlays (dynlist, memberof). I attach a full debug log, maybe you can find what is going wrong. We see that the "autogroup_member_search_modify_cb" function is called, but the user entry is not modified.

Do you think this configuration could work?
--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Trigger-like function
On 23/09/2018 at 21:22, Ervin Hegedüs wrote:
> Hi,
>
> On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
>> Ervin Hegedüs wrote:
>>> Hi,
>>>
>>> as I described in my previous thread[1], I have a web frontend
>>> tool, where a user can modify their own password - here the password
>>> is a set of passwd attributes: userPassword, sambaNTPassword,
>>> sambaLMPassword.
>>>
>>> Is there any way that when I give access to users to modify their
>>> own password, and the user wants to modify it through LDAP(S),
>>> instead of our web frontend, the samba passwords are also updated
>>> (with the correct hash algorithm)?
>> Use the smbk5pwd overlay.
>
> I've tried it:
>
> dn: cn=module,cn=config
> cn: module
> objectClass: olcModuleList
> olcModulePath: /usr/lib/ldap/
> olcModuleLoad: smbk5pwd
>
> dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
> changetype: add
> objectClass: olcSmbK5PwdConfig
> objectClass: olcOverlayConfig
> objectClass: olcConfig
> objectClass: top
> olcOverlay: smbk5pwd
> olcSmbK5PwdEnable: samba
>
> but when I changed the userPassword, the sambaNTPassword and
> sambaLMPassword attributes didn't change.
>
> What did I miss?

The smbk5pwd overlay only works if the password change has been made with the extended password modify operation (this operation is done with ldappasswd, not with ldapmodify).

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Insufficient acces in some cases
On 18/09/2018 at 23:10, Ervin Hegedüs wrote:
> Hi,
>
> On Tue, Sep 18, 2018 at 10:34:55PM +0200, Clément OUDOT wrote:
>>
>> On 18/09/2018 at 22:23, Ervin Hegedüs wrote:
>>> But then I don't understand why this error comes only for a few users
>>> (the total number of users is about 200 now, we know about 2-3
>>> affected users).
>>>
>>> Anyway, I thought it also what you wrote, and switched back to
>>> native LDAP (instead of LDAPS), and made a capture at the LDAP side.
>>>
>>> There isn't any garbage in the packets, all requests contain
>>> absolutely normal lines... If you are interested in it, I can
>>> send you a cap file - but that contains sensitive data, of
>>> course.
>>>
>>> I just can share some screenshots about the traffic, hope it
>>> seems that no other garbage:
>>>
>>> https://www.dropbox.com/sh/x8ol6cfc39zj7cp/AADCo3CgcHPQnvOre4hjuULpa
>>
>> It would be interesting to see how your OpenLDAP ACLs are configured.
> the ACL system is a little bit complicated (I guess), but I think it
> works as well:
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by self write
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by anonymous auth
>   by * none
> olcAccess: {1}to dn.subtree="ou=OU1,dc=service1,dc=bigcompany,dc=hu"
>   by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
> olcAccess: {2}to dn.regex="ou=(comp1|comp2|comp3),dc=service1,dc=bigcompany,dc=hu"
>   by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
> olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu"
>   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
> olcAccess: {4}to *
>   by self write
>   by anonymous auth
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
>
>> Are you sure that a user can modify userPassword and sambaNT/LM password
>> attributes?
> yes, I'm sure.
>
> The NT/LM password attributes aren't named in any place, the
> userPassword is, but all users can modify their own - see the ACLs above.

No, the olcAccess {3} denies all access inside dc=bigcompany,dc=hu; the rule {4} is never evaluated.

> And as I wrote in the first mail, the simple "ldapmodify" works as
> well.

Did you test modifying only the userPassword attribute? Or is your modification also on the Samba attributes?

> And more important, the other users under the same OU can change
> their own userPassword/NT/LM password attributes through PHP.

I don't know how, because your ACL allows only userPassword modification for 'self'.

> The service user (_srvuser1) also can modify (through PHP), but I'd
> like the logged user to modify its own password.

I think you should merge your ACL like this:

olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu"
  by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
  by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
  by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
  by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
  by self write
  by * none

--
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Insufficient access in some cases
On 18/09/2018 at 22:23, Ervin Hegedüs wrote:
>
> But then I don't understand why this error comes for only a few users
> (the total number of users is about 200 now, we know about 2-3
> affected users).
>
> Anyway, I also thought what you wrote, and switched back to
> native LDAP (instead of LDAPS), and made a capture on the LDAP side.
>
> There isn't any garbage in the packets, all requests contain
> absolutely normal lines... If you are interested in it, I can
> send you a cap file - but that contains sensitive data, of
> course.
>
> I can just share some screenshots of the traffic, hope it
> shows that there is no other garbage:
>
> https://www.dropbox.com/sh/x8ol6cfc39zj7cp/AADCo3CgcHPQnvOre4hjuULpa

It would be interesting to see how your OpenLDAP ACLs are configured.

Are you sure that a user can modify userPassword and sambaNT/LM password attributes?

--
Clément Oudot
Re: Insufficient access in some cases
On 18/09/2018 at 18:11, Ervin Hegedüs wrote:
> Hi, there is an interesting insufficient access problem...
>
> There are 3 (in the dev environment 2) multimaster LDAP nodes.
>
> There is a simple web frontend, written in PHP, where the user can
> change its own password, or can get a link to set up a new password
> if the old one has been lost.
>
> In some cases (some users) the user can't change their own password
> through PHP. When I change it from the webserver with ldapmodify and
> a simple ldif file, it works well.
>
> But when I try to modify the password through PHP, I get an
> "Insufficient access" error, and these lines are in syslog:
>
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: w
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: f
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: l
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: a
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: n
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: y
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]:
>
> (I replaced names and chars, so the match[dn0] numbers are not
> correct).
>
> Only a few users can trigger this problem (don't know why), and
> only through PHP.
>
> What's the problem here?

Hello,

I would say that the PHP application is sending some garbage to the directory. What application are you using for password change, is it LTB Self Service Password?

--
Clément Oudot
Call for Papers - Paris Open Source Summit
Hello,

There is an important event about free software and open source in Paris in December, with topics about identity management. The CFP is here: http://cfp.opensourcesummit.paris/

It should close Friday but I think the deadline will be pushed back. Feel free to propose technical talks or customer success stories (for example migration from proprietary software to free software).

Hope to see you soon,
Clément.
Re: replicating memberOf attribute
On 26/06/2018 at 12:13, Chris wrote:
> Hi,
>
> We are using a provider and three consumers that are not syncing the
> memberOf attributes of inetOrgPerson entries.
>
> memberof and refint modules are loaded on the provider and
> inetOrgPersons' memberOf attributes are correctly updated on the provider.
>
> How can I troubleshoot this?

Reading the slapo-memberof manpage:

    The memberof overlay may be used with any backend that provides full read-write functionality, but it is mainly intended for use with local storage backends. The maintenance operations it performs are internal to the server on which the overlay is configured and are never replicated. Replica servers should be configured with their own instances of the memberOf overlay if it is desired to maintain these memberOf attributes on the replicas. Note that slapo-memberOf is not compatible with syncrepl based replication, and should not be used in a replicated environment. An alternative is to use slapo-dynlist to emulate slapo-memberOf behavior.

But I already used this overlay with syncrepl and it seems to work. You indeed need to configure the overlay on the consumers too.

--
Clément Oudot
Re: Meta backend and attributes mapping
On 20/06/2018 at 15:14, ROY Grégory wrote:
> Hello,
>
> I try somehow to do what I explain below. But without success...
> I think I'm doing the attribute mapping badly, maybe it would be better
> with the rwm overlay?
>
> Could someone put me on the right track?

Hello Grégory,

I don't think this is possible with the meta backend and rwm overlay. You can give a try to the translucent overlay, but the man page says it is designed to work with a local database and a remote database, not several remote databases.

For your needs, my approach would have been to create a new LDAP directory that is synchronized with your remote data. You can use for example LSC (https://lsc-project.org/) to do this.

--
Clément Oudot
Re: performance problem
On 07/06/2018 at 20:18, Mark Tilmes wrote:
>
> LDAP list,
>

Hello Mark,

>
> I have been trying to figure out this problem for a few weeks, I have
> been reading the archives and searching google to no avail.
>
> We have a high load at the beginning of every minute due to automated
> processes authenticating. During this time, authentications take from
> about 5 seconds to as much as 12 seconds. I can even run an ldapwho
> command directly on the ldap server and see the slowness.
>
> Looking at netstat, there are as many as 500 connections coming in to
> each server around that time. The load has been processed within 20
> seconds.
>
> Here is some info on what I am running:
>
> RHEL 6.9 os
>
> Openldap 2.4.40 from the RHEL rpm
>

I think the first thing to answer is: you are running an old version, please upgrade. You can stay on RHEL 6.9 if you need to, but you should use a recent version of OpenLDAP, for example with LTB packages: https://ltb-project.org/documentation/openldap-rpm

>
> These systems have 16 cpu's but they are ~90% idle. The ldap database
> is on mdb, it is 52M. There are 3657 entries.
>
> The systems have 32G of memory each, after buffers and cache, 12G is
> free. I think just about everything this system does for disk is
> cached in memory.
>
> The only other thing running on these servers is dns and ntp, but when
> we turn those off, we still see the slowness.
>
> See below for my openldap configuration.
>
> I am trying to figure out if this is an unreasonable load for these
> servers and I just need more servers, or if there is some tuning I can
> do to help with this?
>
> When I look at cn=threads,cn=monitor I see active threads go up to 16
> and pending threads go up to 127 or so.
>
> I increased threads but saw a similar result, all threads are active,
> many are still pending.
>
> When increasing threads to 128, I ended up with this error message:
>
> mdb_opinfo_get: err MDB_READERS_FULL: Environment maxreaders limit
> reached(-30790)
>
> I'm not sure what I can do about that.
>
> I'm also not sure if I also need to increase listener threads? Seems
> like not since the threads are all active during the traffic burst.
>
> We have 4 ldap servers, one handles writes and then syncs to the other
> 3, so there are no writes on the other 3, and very few writes on the
> master, just when we add users or change group memberships which is
> infrequent, just a few times a month.
>
> Any advice is appreciated.
>

You are using the mdb backend but it is not loaded in cn=modules. Did you recompile slapd to have mdb in the slapd binary?

The MDB backend is very performant by default, but you can tune it with some options like maxreaders or envflags.

--
Clément Oudot
Re: pwdRESET not working
On 21/05/2018 at 17:10, Net Warrior wrote:
> Hello
>
> When I force the expiration by changing pwdMaxAge, what I can see in the log is the following:
>
> ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins
>
> I test the login, I get two warnings as configured but the user is never forced to change it and can login as usual, any hint on this?

It seems you are mixing OpenLDAP ppolicy and shadow policy. Anyway, if the OpenLDAP ppolicy has expired the password, you should not be able to log in, unless you set some cache or fallback on the local account.

You should test with the ldapsearch or ldapwhoami command to understand the behavior of OpenLDAP ppolicy. Then you can configure pam/sssd to fit your needs.

--
Clément Oudot
Re: pwdRESET not working
On 03/05/2018 at 16:23, Net Warrior wrote:
> Hello there guys, when setting pwdReset to TRUE I cannot login to
> the system anymore, I just get permission denied, then I found this.
>
> https://github.com/pwm-project/pwm/issues/155
>
> Did I face that bug or maybe it's something else?

It's not a bug. If pwdReset is set to TRUE, the BIND will be successful but you will not be allowed to do any other operation but changing the password. If your application is doing a SEARCH just after the BIND, you will be denied.

--
Clément Oudot
LDAP Tool Box RPM and Debian packages for OpenLDAP 2.4.46
Hi,

The LDAP Tool Box project just released packages for OpenLDAP 2.4.46, which can be downloaded here: https://ltb-project.org/download#openldap

You can also use our yum and apt repositories to install them.

Changes on packaging can be found here:
* https://github.com/ltb-project/openldap-rpm/releases/tag/v2.4.46
* https://github.com/ltb-project/openldap-deb/releases/tag/v2.4.46

Thanks to Michael Ströder for the help and David Coutadeur for the Debian packages and improvements on the ppm module and init script.

Clément.
Re: Using virtual IP and N-way multimaster mode
2018-01-15 10:05 GMT+01:00 Michael Ströder <mich...@stroeder.com>:
> Jephte Clain wrote:
>> 2018-01-15 10:38 GMT+04:00 Clément OUDOT <clem.ou...@gmail.com>:
>>> I would like to use the N-way multimaster mode and a virtual IP to
>>> manage failover for applications. The virtual IP will be configured
>>> through keepalived.
>>
>> I have exactly this configuration and I didn't have to do anything
>> particular
>>
>> ldap is started on each node with "slapd -h ldap://" and it works
>
> As Clément wrote he has multiple values configured for olcServerID in
> cn=config (aka serverID in slapd.conf). So he can't just use
> "slapd -h ldap://" because the parameter value -h is used by slapd to
> determine the actual server ID to be used.
>
> Well, that's one of the reasons why I avoid setting multiple serverID
> values. And of course that means that you cannot use a replicated cn=config.

Does that mean that we can set MMR replication for data (not cn=config) with only one value in olcServerID? In this case we don't have the constraint to start the daemon on a dedicated LDAP URI? Would we still be able to define all olcSyncrepl statements in the database or do we need to set only those not concerning the current node?

Clément.
Using virtual IP and N-way multimaster mode
Hello,

I would like to use the N-way multimaster mode and a virtual IP to manage failover for applications. The virtual IP will be configured through keepalived.

To work with N-way multimaster, we must start the OpenLDAP process on the LDAP URI defined in the cn=config olcServerID parameter. So we can't use ldap://* to start the service.

On the machine running the virtual IP, I can of course listen on this IP by adding an LDAP URI in the start command:

slapd -h "ldap://master1.example.com ldap://virtual.example.com"

But this command will not work if the virtual IP is not set on the node, as OpenLDAP refuses to start on an unknown IP.

Has anyone already faced this issue and found a solution?

Clément.
Re: Openldap Password Reset Portal
2017-12-15 11:32 GMT+01:00 John Lewis:
> I was looking for something like this. Can it do email-based self-
> registration?

No, it just handles password modification (and SSH key modification).

The SSO software LemonLDAP::NG has this feature, but it is a big installation to do if you only need this simple feature: https://lemonldap-ng.org/documentation/latest/register

Clément.
Re: Openldap Password Reset Portal
2017-12-14 18:56 GMT+01:00 Douglas Duckworth:
> 2) Has anyone found other solutions besides PWM that do the same thing?

Hello,

I am the developer of LTB Self Service Password:
* https://ltb-project.org/documentation/self-service-password
* https://github.com/ltb-project/self-service-password

You can give it a try.

Clément.
Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server
2017-11-20 11:59 GMT+01:00 Turbo Fredriksson:
> You've never had the issue I'm having? Or heard about it?

No, but I don't use Kerberos authentication.
Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server
2017-11-19 18:09 GMT+01:00 Turbo Fredriksson:
> Has anyone tried running OpenLDAP behind HAProxy? Anything special
> one needs to do?

I do this often, without any particular issue. If you use LDAPS, you can add the option ssl-hello-chk.

Here is a sample configuration file:

global
    log 127.0.0.1 local5 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    quiet

defaults
    log global
    option dontlognull
    option ldap-check
    retries 3
    mode tcp
    balance roundrobin
    option redispatch

listen openldap :389
    server ldap1 IP_LDAP1:390 check
    server ldap2 IP_LDAP2:390 check
    server ldap3 IP_LDAP3:390 check

defaults
    log global
    option dontlognull
    retries 3
    mode tcp
    balance roundrobin
    option redispatch
    option ssl-hello-chk

listen openldap-ssl :636
    server ldap1 IP_LDAP1:637 check
    server ldap2 IP_LDAP2:637 check
    server ldap3 IP_LDAP3:637 check

Clément.
Re: Admin roles by group membership per OU
On 12/10/2017 at 17:32, Ervin Hegedüs wrote:
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by self write
>   by anonymous auth
>   by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
>   by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu"
>   by self write
>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write
>   by self write
>   by anonymous auth
>   by dn="uid=repuser,dc=mycompany,dc=hu" read
> olcAccess: {3}to * by * read

What is the DN of your replication user? Here you have one in dc=core,dc=hdt,dc=hu and the other in dc=mycompany,dc=hu. Just set the read right to the appropriate user.

--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
Re: Admin roles by group membership per OU
On 12/10/2017 at 16:39, Ervin Hegedüs wrote:
> Hi Clément,
>
> thanks for your help,
>
> On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
>> On 11/10/2017 at 17:31, Ervin Hegedüs wrote:
>>> olcAccess: {0}to attrs=userPassword,shadowLastChange
>>>   by self write
>>>   by anonymous auth
>>>   by * none
>>> olcAccess: {1}to dn.base="" by * read
>>> olcAccess: {2}to * by * read
>>> olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu"
>>>   by self write
>>>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write
>>>   by * auth
>>
>> The rule {2} catches all requests (to * by *) so rule {3} is never applied.
>>
>> You can do:
>>
>> olcAccess: {0}to attrs=userPassword,shadowLastChange
>>   by self write
>>   by anonymous auth
>>   by * none
>> olcAccess: {1}to dn.base="" by * read
>> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu"
>>   by self write
>>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write
>>   by * none
>> olcAccess: {3}to * by * read
>
> with these rules, I couldn't read with an anonymous nor an authenticated
> user from the DB, only the self record. So, I've modified your idea like this:
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by self write
>   by anonymous auth
>   by dn="uid=repuser,dc=mycompany,dc=hu" read
>   by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu"
>   by self write
>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write
>   by self write
>   by anonymous auth
> olcAccess: {3}to * by * read
>
> With these rules, I can modify the user attributes, except the userPassword.
> But after the modification (on the master node), the slave can't replicate
> the new entries... Without rule {2}, the slave works well with the repuser DN.
>
> What did I do wrong?

Just add

by dn="uid=repuser,dc=mycompany,dc=hu" read

in rule {2}.

Clément.
Re: Admin roles by group membership per OU
On 11/10/2017 at 17:31, Ervin Hegedüs wrote:
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by self write
>   by anonymous auth
>   by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by * read
> olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu"
>   by self write
>   by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write
>   by * auth

The rule {2} catches all requests (to * by *) so rule {3} is never applied.

You can do:

olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu"
  by self write
  by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write
  by * none
olcAccess: {3}to * by * read

--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
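Both this thread and the "Insufficient access in some cases" thread above come down to the same first-match rule in slapd ACLs. The following added example (not code from either thread or from OpenLDAP) models that evaluation for the subset of slapd.access(5) syntax used in those threads, and replays both ACL sets; all user and group DNs other than those quoted from the threads are constructed.

```python
"""
Added example: a small model of how slapd evaluates olcAccess, replaying the
"Admin roles by group membership per OU" and "Insufficient access in some
cases" ACLs. The first 'to' clause whose target matches the entry is the only
one consulted; inside it the first matching 'by' clause decides the level.
Only the slapd.access(5) syntax used in those threads is modelled.
"""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd privilege order

class By(NamedTuple):
    who: str    # "*", "self", "anonymous", "dn=<dn>" or "group.exact=<group dn>"
    level: str  # one of LEVELS

class Rule(NamedTuple):
    target: str  # "*", "attrs=a,b", "dn.base=<dn>", "dn.children=<dn>", "dn.subtree=<dn>"
    clauses: List[By]

class Request(NamedTuple):
    bind_dn: Optional[str]        # None for an anonymous session
    entry_dn: str
    attr: str
    groups: Dict[str, Set[str]]   # group DN -> member DNs, for group.exact

def is_child_of(dn: str, base: str) -> bool:
    return dn.lower().endswith("," + base.lower())

def target_matches(target: str, req: Request) -> bool:
    if target == "*":
        return True
    kind, _, arg = target.partition("=")
    if kind == "attrs":
        return req.attr.lower() in {a.lower() for a in arg.split(",")}
    if kind == "dn.base":
        return req.entry_dn.lower() == arg.lower()
    if kind == "dn.children":
        return is_child_of(req.entry_dn, arg)
    if kind == "dn.subtree":
        return req.entry_dn.lower() == arg.lower() or is_child_of(req.entry_dn, arg)
    raise ValueError(f"unsupported target {target!r}")

def who_matches(who: str, req: Request) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.entry_dn.lower()
    kind, _, arg = who.partition("=")
    if kind == "dn":
        return req.bind_dn is not None and req.bind_dn.lower() == arg.lower()
    if kind == "group.exact":
        return req.bind_dn in req.groups.get(arg, set())
    raise ValueError(f"unsupported who {who!r}")

def evaluate(rules: List[Rule], req: Request) -> Tuple[Optional[int], str]:
    """Return (index of the 'to' clause that decided, granted level)."""
    for i, rule in enumerate(rules):
        if not target_matches(rule.target, req):
            continue            # later rules remain candidates
        for by in rule.clauses:
            if who_matches(by.who, req):
                return i, by.level
        return i, "none"        # target matched but no 'by' did: implicit "by * none"
    return None, "none"         # nothing matched: slapd grants nothing

def allows(rules: List[Rule], req: Request, needed: str) -> bool:
    return LEVELS.index(evaluate(rules, req)[1]) >= LEVELS.index(needed)

# "Insufficient access": {3} spans all of dc=bigcompany,dc=hu and ends with
# "by * none", so the "by self write" of the catch-all {4} is never reached.
SRV1 = "uid=_srvuser1,ou=Users,ou=_srv,dc=hu"
PWD = Rule("attrs=userPassword,shadowLastChange",
           [By("self", "write"), By(f"dn={SRV1}", "write"), By("anonymous", "auth"), By("*", "none")])
BIGCO = Rule("dn.subtree=dc=bigcompany,dc=hu", [By(f"dn={SRV1}", "write"), By("*", "none")])
BIGCO_MERGED = BIGCO._replace(clauses=[By(f"dn={SRV1}", "write"), By("self", "write"), By("*", "none")])
CATCH_ALL = Rule("*", [By("self", "write"), By("anonymous", "auth"), By("*", "none")])
ORIGINAL, MERGED = [PWD, BIGCO, CATCH_ALL], [PWD, BIGCO_MERGED, CATCH_ALL]
USER = "uid=user1,ou=Users,ou=comp1,dc=service1,dc=bigcompany,dc=hu"  # constructed DN

def self_can_write_samba(rules: List[Rule]) -> bool:
    # sambaNTPassword is not covered by {0}, so the DN-scoped rules decide
    return allows(rules, Request(USER, USER, "sambaNTPassword", {}), "write")

# "Admin roles": "{2}to * by * read" matches every entry first, so the group
# rule after it is dead; moving it before {2} enables the admins but, as the
# follow-up in that thread found, also takes anonymous read away in that OU.
ABC = "ou=ABC Customer,dc=mycompany,dc=hu"
GROUP = f"cn=groupabcadmin,{ABC}"
ADMIN, MEMBER = f"uid=admin1,{ABC}", f"uid=user2,{ABC}"  # constructed DNs
ABC_RULE = Rule(f"dn.children={ABC}",
                [By("self", "write"), By(f"group.exact={GROUP}", "write"), By("*", "auth")])
ROOT_DSE, ALL_READ = Rule("dn.base=", [By("*", "read")]), Rule("*", [By("*", "read")])
ADMIN_ORIGINAL = [PWD, ROOT_DSE, ALL_READ, ABC_RULE]
ADMIN_FIXED = [PWD, ROOT_DSE, ABC_RULE, ALL_READ]

def group_admin_can_write(rules: List[Rule]) -> bool:
    return allows(rules, Request(ADMIN, MEMBER, "mail", {GROUP: {ADMIN}}), "write")
```

evaluate() also reports which clause decided, which is the same information slapd's ACL debug logging ("acl_get: [N] matched") gives when reviewing a real deployment.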
Re: Email based self registration
On 01/10/2017 at 04:17, John Lewis wrote:
> Is there an application that supports both email based self registration and OpenLDAP storage of the account data?

Hello,

maybe not the solution you are looking for, but LemonLDAP::NG, a WebSSO product, has a self-register feature that uses email and stores data in the LDAP directory, see https://lemonldap-ng.org/documentation/latest/register

--
Clément OUDOT
Re: Using overlay rwm to rewrite search base depending on search filter
On 13/09/2017 at 16:29, Clément OUDOT wrote:
> Hello,
>
> I am playing with the rwm overlay to try to change the base DN of a search depending on a value in the search filter. The goal is to rewrite base "dc=example,dc=com" to "dc=test,dc=example,dc=com" if I have (uid=login@test) in the LDAP filter.
>
> Has someone already done this?
>
> My configuration for the moment is the following, but I don't understand how to capture a value in the searchFilter context to use it in the searchDN context:
>
> dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcRwmConfig
> olcOverlay: rwm
> olcRwmRewrite: rwm-rewriteEngine on
> olcRwmRewrite: rwm-rewriteContext searchFilter
> olcRwmRewrite: rwm-rewriteRule "uid=(.*@)(.*)" "uid=$0$1" ":"
> olcRwmRewrite: rwm-rewriteContext searchDN
> olcRwmRewrite: rwm-rewriteRule "dc=example,dc=com" "dc=${searchFilter($1)},dc=example,dc=com" ":"

Hello all,

I just wanted to know if my use case is something that can be achieved with the rwm overlay or if I need to find another solution.

Thanks,
Clément.
Re: Getting ldappasswd and PAM in the same page under CentOS 7
On 19/09/2017 at 18:45, Robert Heller wrote:
> I am having a hard time setting a user password using ldap (OpenLDAP 2.4.40-13.el7) on a CentOS 7 system. I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client), nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have created a user in the ldap database, and getent works just fine -- the uid and gid are seen, etc. But I cannot set the user's password in a way that works for su (and presumably login/slogin, etc.). I am using ldappasswd to set the user's password. I am thinking that PAM and ldappasswd are using *different* oneway encryption methods and I am guessing I need to update a configuration somewhere (either for pam, sssd, or nslcd), but I am not finding it.

PAM is an LDAP client so it does not read the password, it just sends BIND requests and the OpenLDAP server then checks the password by using the hashing method corresponding to the current password value.

Can you check in your server ACLs (olcAccess parameter) that anonymous users have the 'auth' right on the userPassword attribute?

--
Clément OUDOT
Using overlay rwm to rewrite search base depending on search filter
Hello,

I am playing with the rwm overlay to try to change the base DN of a search depending on a value in the search filter. The goal is to rewrite base "dc=example,dc=com" to "dc=test,dc=example,dc=com" if I have (uid=login@test) in the LDAP filter.

Has someone already done this?

My configuration for the moment is the following, but I don't understand how to capture a value in the searchFilter context to use it in the searchDN context:

dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine on
olcRwmRewrite: rwm-rewriteContext searchFilter
olcRwmRewrite: rwm-rewriteRule "uid=(.*@)(.*)" "uid=$0$1" ":"
olcRwmRewrite: rwm-rewriteContext searchDN
olcRwmRewrite: rwm-rewriteRule "dc=example,dc=com" "dc=${searchFilter($1)},dc=example,dc=com" ":"

Thanks for your help!

Clément.
Re: OpenLDAP as Proxy
On 21/08/2017 at 16:51, Palacios, Christian wrote:
> Hi there,
>
> We need to find out if OpenLDAP will allow us to use it as a proxy so it can retrieve users from three different Windows Active Directory Domains? These three domains do not have any similar users. The user retrieval process needs to work like this:
>
> - The application that needs this LDAP connection will point to the OpenLDAP server using an LDAP address such as ldap://server.example.com:389/OU=users…etc
> - This application will also need to retrieve the sAMAccountName from each user retrieved via the OpenLDAP server
> - The application's LDAP connection settings also need to specify an Administrator's DN and password, but I'm confused about this because I don't know what Administrator account to use. Like I said, each domain has their own set of users so they don't have any Administrator accounts in common. How would this work?
>
> If you need any more information, please let me know!!

Hello Christian,

I am implementing such a service for a customer right now. You need to use OpenLDAP back-meta and define a uri parameter for each AD. In this uri parameter, you will be able to set which account is used to request AD.

Here is a very simple configuration sample:

database meta
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw secret

uri ldap://ad1.example.com/dc=ad1,dc=example,dc=com
suffixmassage dc=ad1,dc=example,dc=com dc=acme,dc=com
idassert-bind bindmethod="simple" binddn="cn=demo,cn=Users,dc=acme,dc=com" credentials="secret" mode="self" flags="non-prescriptive"

overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute * *

You can also find some hints on back-meta configuration on this page: https://ltb-project.org/documentation/general/sasl_delegation or with the OpenLDAP manpage: man slapd-meta

Another solution is to create a central LDAP directory by synchronizing data from all ADs into it. The LSC project can help you to do that: https://lsc-project.org/documentation/start

Hope it helps,

--
Clément OUDOT
Re: How to enable memberOf overlay with posixGroup?
On 08/09/2016 at 09:45, Clément OUDOT wrote:
> On 08/09/2016 at 04:52, Ryan Tandy wrote:
>> On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
>>> I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups.
>>
>> This is the key issue. A draft schema known as "rfc2307bis" exists, which replaces (!) the published RFC2037 schema with one compatible with groupOfNames. A published solution to this problem does not currently exist. In the past year there have been some discussions on the ldapext list. You can find the archives of that list at: https://www.ietf.org/mailman/listinfo/ldapext
>
> Hi,
>
> as a workaround, I often create a small connector that synchronises posixGroup objects into groupOfNames. It's really easy to do with LSC (http://www.lsc-project.org). With this, you only manage POSIX groups, and standard groups are updated automatically. You can then use the memberOf overlay on groupOfNames.

In case this solution interests someone, I wrote a small tutorial to configure LSC for it: https://lsc-project.org/documentation/tutorial/synchronizeposixgroupstogroupofnames

--
Clément OUDOT
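The mapping the connector performs, as an added example that is not LSC's code or configuration and not from the thread: posixGroup entries are turned into groupOfNames entries (memberUid login names resolved to user DNs) and diffed against the target OU into a change plan; users, groups, base DNs and the target's current content are all constructed in memory, no directory is contacted.

```python
"""
Added example (not LSC's code or configuration): the posixGroup to
groupOfNames mapping that the connector described above performs, so that
slapo-memberof can maintain memberOf on the derived groups. All entries and
DNs are constructed in memory; the result is a change plan, not live writes.
"""
from typing import Dict, List, Optional, Tuple

PEOPLE = "ou=people,dc=example,dc=com"        # constructed bases
POSIX = "ou=groups,dc=example,dc=com"
TARGET = "ou=stdgroups,dc=example,dc=com"     # where the groupOfNames copies live

# uid -> entry DN, as a connector would learn it from (uid=<value>) lookups
USERS: Dict[str, str] = {
    "alice": f"uid=alice,{PEOPLE}",
    "bob": f"uid=bob,{PEOPLE}",
}

# posixGroup source entries (memberUid holds login names, not DNs)
POSIX_GROUPS: List[dict] = [
    {"dn": f"cn=dev,{POSIX}", "cn": "dev", "gidNumber": "1001", "memberUid": ["alice", "bob"]},
    {"dn": f"cn=ops,{POSIX}", "cn": "ops", "gidNumber": "1002", "memberUid": ["bob", "ghost"]},
    {"dn": f"cn=empty,{POSIX}", "cn": "empty", "gidNumber": "1003", "memberUid": []},
]

def posix_to_group_of_names(group: dict, users: Dict[str, str],
                            target_base: str) -> Tuple[Optional[dict], List[str]]:
    """Map one posixGroup to a groupOfNames entry.

    Returns (entry or None, unresolved memberUid values). groupOfNames requires
    at least one 'member' (RFC 4519), so a group whose memberUid values resolve
    to no user DN yields None instead of an entry slapd would reject.
    """
    members, unresolved = [], []
    for uid in group.get("memberUid", []):
        dn = users.get(uid)
        if dn is None:
            unresolved.append(uid)
        else:
            members.append(dn)
    if not members:
        return None, unresolved
    entry = {
        "dn": f"cn={group['cn']},{target_base}",
        "objectClass": ["groupOfNames"],
        "cn": group["cn"],
        "member": members,
    }
    return entry, unresolved

def desired_state(posix_groups: List[dict], users: Dict[str, str],
                  target_base: str) -> Tuple[Dict[str, dict], List[str]]:
    """All groupOfNames entries that should exist, keyed by DN, plus warnings."""
    desired, warnings = {}, []
    for g in posix_groups:
        entry, unresolved = posix_to_group_of_names(g, users, target_base)
        warnings += [f"{g['dn']}: memberUid {u!r} matches no user, skipped" for u in unresolved]
        if entry is None:
            warnings.append(f"{g['dn']}: no resolvable member, groupOfNames not created")
        else:
            desired[entry["dn"]] = entry
    return desired, warnings

def plan_changes(desired: Dict[str, dict], existing: Dict[str, dict]) -> Tuple[list, list, list]:
    """Diff desired against the groupOfNames already present in the target.

    Returns (adds, modifies, deletes): entries to add, (dn, new member list)
    pairs whose membership changed, and DNs of stale groups to delete.
    """
    adds = [desired[dn] for dn in desired if dn not in existing]
    deletes = [dn for dn in existing if dn not in desired]
    modifies = [(dn, desired[dn]["member"]) for dn in desired
                if dn in existing and set(existing[dn]["member"]) != set(desired[dn]["member"])]
    return adds, modifies, deletes

def to_ldif(entry: dict) -> str:
    """Render an add entry as LDIF (single- and multi-valued attributes)."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"

# constructed current content of the target OU: dev is stale, old is orphaned
EXISTING: Dict[str, dict] = {
    f"cn=dev,{TARGET}": {"member": [f"uid=alice,{PEOPLE}"]},
    f"cn=old,{TARGET}": {"member": [f"uid=bob,{PEOPLE}"]},
}

def run() -> Tuple[list, list, list, List[str]]:
    desired, warnings = desired_state(POSIX_GROUPS, USERS, TARGET)
    adds, modifies, deletes = plan_changes(desired, EXISTING)
    return adds, modifies, deletes, warnings
```

The warnings are the part worth alerting on in a scheduled run: a memberUid that resolves to nothing silently drops a membership, and an empty source group cannot be represented as groupOfNames at all.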
OpenLDAP 2.4.45 LTB packages available
Hello,

the LDAP Tool Box team has published RPM and Debian packages for OpenLDAP 2.4.45. You can download them directly or use the APT/YUM repositories: https://ltb-project.org/download

Documentation:
* https://ltb-project.org/documentation/openldap-deb
* https://ltb-project.org/documentation/openldap-rpm

GitHub projects:
* https://github.com/ltb-project/openldap-deb
* https://github.com/ltb-project/openldap-rpm

Clément.
Re: Re: OpenLDAP / Active directory cohabitation
2017-05-30 8:10 GMT+02:00 Ulrich Windl:
> I have one question: Why is the AD admin account needed to authenticate? I see
> a problem with the AD admin password being stored in cleartext in the
> saslauthd configuration...

You don't need the AD admin password, you just need a standard AD account that can read user entries (no write access required).

Clément.
Re: OpenLDAP / Active directory cohabitation
2017-05-29 19:00 GMT+02:00 Dan White:
> On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
>>
>> I am in a environment where we use both OpenLDAP and Active Directory.
>> All Linux servers authenticate against OpenLDAP where we have user group,
>> unix group (...)
>
>> This means that if perform a BIND and a search, the BIND should be
>> performed against the AD but the search result should from OpenLDAP.
>> (anonymous search is fine)
>
>> The short username are used in in OpenLDAP like this:
>>
>> uid=john01,ou=People,dc=example,dc=com
>>
>> While the AD uses the long username. From my test when binding to AD, only
>> the "DN" is simply set to the username.
>>
>> john.sm...@example.com
>
> Pass-through authentication should work if you're performing simple binds.
> Chapter 14 of the admin guide has a good example.

You can also find a tutorial here: https://ltb-project.org/documentation/general/sasl_delegation

Clément.
Re: Can I do this with openldap ?
2017-05-26 11:18 GMT+02:00 Dieter Klünter:
> On Tue, 23 May 2017 17:16:22 +, Roelof Wobben wrote:
>
>> Hello,
>>
>> My boss wants to run everything from a server.
>>
>> But he also wants me to take care that some of the software
>> is only used by some people. So the CAD software is only used by the
>> drawers and not by the financial people.
>>
>> Can I do this with openldap or, if it cannot be done, which software
>> can I then best use?
>
> In fact that depends on the software in question. If the software,
> or some controlling tool, is able to require authentication and
> authorization via ldap, you may go ahead.

Indeed. A lot of applications are able to use an LDAP directory for authentication, but fewer are able to use it for authorization. Authorization often relies on groups present in the LDAP directory. If you have an application that is able to use an LDAP filter for authentication, then you can use the memberOf overlay in OpenLDAP and use the memberOf value in the LDAP filter to restrict access to this group.

Now, if you have some time to investigate, you should take a look at WebSSO and Access Management software. A lot of it is Free Software and works great with OpenLDAP. Personally I am a developer of LemonLDAP::NG, so I could do nothing else than recommend this software. But there are a lot more, like Gluu, WSO2, CAS, Shibboleth, simpleSAMLphp... You need to try them to find the one that fits your needs.

Clément.
Re: Unable to load the lastbind module with 2.4.44 (custom build)
2017-04-12 13:37 GMT+02:00 mailing lists: > Hello all, > > What I'm trying to do is enable the lastbind module in a centos7 server, so I > applied this patch to the rpmbuild process: > > > > # cat /root/rpmbuild/SOURCES/openldap-lastbind-overlay.patch > --- a/servers/slapd/overlays/Makefile.in2017-04-12 12:14:46.617978071 > +0100 > +++ b/servers/slapd/overlays/Makefile.in2017-04-12 12:21:12.569292484 > +0100 > @@ -36,6 +36,7 @@ > valsort.c \ > smbk5pwd.c \ > allop.c \ > +lastbind.c \ > sha2.c slapd-sha2.c > OBJS = statover.o \ > @SLAPD_STATIC_OVERLAYS@ \ > @@ -56,7 +57,7 @@ > UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) > > LIBRARY = ../liboverlays.a > -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la > +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la > lastbind.la > > XINCPATH = -I.. -I$(srcdir)/.. > XDEFS = $(MODULES_CPPFLAGS) > @@ -140,6 +141,12 @@ > allop.la : allop.lo > $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell > pkg-config openssl --libs) > > +lastbind.lo : lastbind.c > + $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell > pkg-config openssl --cflags) $< > + > +lastbind.la : lastbind.lo > + $(LTLINK_MOD) -module -o $@ lastbind.lo version.lo $(LINK_LIBS) > $(shell pkg-config openssl --libs) > + > sha2.lo : sha2.c > $(LTCOMPILE_MOD) $< > > > any idea about where I make the mistake? > Hi, I think you don't need -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL for lastbind, but that would not explain you issue. Note that we build lastbind overlay in LTB OpenLDAP RPMs with: cd lastbind make clean make %{?_smp_mflags} "prefix=%{ldapserverdir}" "LDAP_LIB=" cd .. and cd lastbind make install "prefix=%{buildroot}%{ldapserverdir}" cd .. You can find our SPEC file here: https://github.com/ltb-project/openldap-rpm/blob/master/SPECS/openldap-ltb.spec Clément.
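Review bot: the first hunk adds lastbind.c to the overlay source list, but the patch only touches servers/slapd/overlays/Makefile.in and never shows lastbind.c being placed in that directory, so the later rule `lastbind.lo : lastbind.c` has nothing to compile unless the file is copied there first. The post also omits the actual failure output and the moduleload line used to load lastbind.la, which would tell whether this is a build problem or a load problem.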
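Review bot: in the last hunk, the lastbind.lo rule compiles with `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags)` and the lastbind.la rule links with `$(shell pkg-config openssl --libs)`; these flags mirror the allop.la rule shown as context and are not needed by lastbind, as the reply in this thread also notes. Drop them so the overlay does not pick up an OpenSSL dependency it does not use; `$(shell ...)` is also GNU make only, which matters for a Makefile.in meant to be portable.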
Re: "Dynamic" authentication passthrough?
On 30/03/2017 at 15:27, Curtiss Howard wrote:
> Hi,
>
> I've got two Active Directory servers that are being proxied through OpenLDAP and their respective trees are being merged into one. So far, so good. Now I want to allow users to bind to the OpenLDAP server and pass the authentication through to the appropriate AD and let it do the password checking.
>
> I see a lot of documentation on using SASL for passthrough, but where I'm stuck is that this requires every user to have an account in the OpenLDAP server in order to see if the userPassword attribute is specially formatted. In my case, this isn't really a palatable solution because I'm using the OpenLDAP server with the meta backend and using it as a "live view" into the data contained in the ADs. Other applications can talk directly to the ADs and in order to do the SASL approach there'd have to be some syncing from the ADs to the OpenLDAP server every time a user is created/deleted.
>
> I would think that surely there must be some way to pass through the authentication in a more obvious manner -- i.e., if the user doesn't exist locally, try to bind against each proxied server in succession. But I can't seem to find a way to do this, all references point to the SASL approach.
>
> Is there a way to do this?

Hi,

as far as I know, you need to have a local entry with a SASL password to do authentication pass-through. I wrote documentation on that subject: https://ltb-project.org/documentation/general/sasl_delegation

To synchronize AD entries to OpenLDAP, you can use LSC, see https://lsc-project.org/

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
Re: Dynamic groups/lists
2017-02-21 15:09 GMT+01:00 Saša-Stjepan Bakša:
> Hi,
>
> I have access to an LDAP server which doesn't have any groups defined. All
> users have only attributes which are used to distinguish to which type of
> users they belong, and for the application which I intend to use, groups
> are necessary.
>
> I don't have authority to change that but I can create my own LDAP proxy
> server and direct my application to it.
>
> Question is, can I create dynamic groups which will reside only on that
> proxy server. I am already familiar with translucent and ordinary proxy
> servers.

I don't have a direct answer to your question, but an alternative solution is to sync the data into a local OpenLDAP with LSC: https://lsc-project.org/

Clément.
Re: PID File
2016-12-20 23:40 GMT+01:00 Quanah Gibson-Mount:
> Actually to start with, try using the correct db_recover binary while in the
> data directory. If that fails, then remove the alock file and see if slapd
> will start. Sadly not uncommon for alock to report problems incorrectly.

Note that with the LTB OpenLDAP init script, you can launch the db_recover utility with "service slapd db_recover"

Clément.
Re: PID File
2016-12-20 22:35 GMT+01:00 Singley, Norman:
> Thanks. Here are the results. I can start googling this result, but I am
> kind of a newbie at openldap, so if you know something obvious, let me know.
> Thank you very much.
>
> # service slapd debug
> slapd: [INFO] Using /etc/default/slapd for configuration
> slapd: [INFO] Halting OpenLDAP...
> slapd: [INFO] Can't read PID file, to stop OpenLDAP try: /etc/init.d/slapd forcestop
> slapd: [INFO] No db_recover done
> slapd: [INFO] Launching OpenLDAP...
> slapd: [OK] File descriptor limit set to 1024
> 5859a359 @(#) $OpenLDAP: slapd 2.4.36 (Apr 8 2014 12:06:19) $
> usern...@itds120.umt.edu:/u01/app/openldap-2.4.36/servers/slapd
> 5859a359 hdb_db_open: database "dc=umt,dc=edu": alock package is unstable.
> 5859a359 backend_startup_one (type=hdb, suffix="dc=umt,dc=edu"): bi_db_open failed! (-1)
> 5859a359 slapd stopped

The database seems corrupted. You can try slapcat to get a backup of the data (or try service slapd backup). Then remove all files and reimport the data with slapadd (or try service slapd restore).

You should then try to upgrade to 2.4.44 and use the LMDB backend.

Clément.
Re: PID File
2016-12-20 19:34 GMT+01:00 Singley, Norman:
> Hi Folks –
>
> I am getting the No PID file for openLDAP error when starting/stopping slapd.
>
> run]# /etc/init.d/slapd stop
> slapd: [INFO] Using /etc/default/slapd for configuration
> slapd: [INFO] Halting OpenLDAP...
> slapd: [INFO] Can't read PID file, to stop OpenLDAP try: /etc/init.d/slapd forcestop
> [root@itds120 run]# /etc/init.d/slapd forcestop
> slapd: [INFO] Using /etc/default/slapd for configuration
> slapd: [INFO] Killing OpenLDAP with force...
> slapd: [INFO] Found no OpenLDAP process running with ldap://oldap.umt.edu:389 ldaps://oldap.umt.edu:636
> slapd: [INFO] Killing OpenLDAP replication with force...
> slapd: [INFO] Found no slurpd process running
> [root@itds120 run]# ps -ea | grep slapd
> 6723 ?00:00:00 slapd
> [root@itds120 run]# /etc/init.d/slapd start
> slapd: [INFO] Using /etc/default/slapd for configuration
> slapd: [INFO] Launching OpenLDAP configuration test...
> slapd: [OK] OpenLDAP configuration test successful
> slapd: [INFO] No db_recover done
> slapd: [INFO] Launching OpenLDAP...
> slapd: [OK] File descriptor limit set to 1024
> slapd: [ALERT] No PID file for OpenLDAP
> [root@itds120 run]# ps -ea | grep slapd
> 6723 ?00:00:00 slapd
>
> It seems to show that openLDAP is running on this box, but I can’t connect to it.
>
> The slapd.conf file is attached.
>
> I see a lot of results about this error out there on the web, but most of the fixes like manually creating the pid file don’t seem to work. If anyone has any tips I can try, it would be greatly appreciated.
>
> This is a standalone (test oldap, running 2.4.36) on redhat 6.

Hi,

seems you are using LTB OpenLDAP packages, or at least the LTB OpenLDAP init script. Try to run:

# service slapd debug

You should get information on why it is not starting.

Clément.
Re: LTB Debian packages [was] Re: Creating suffix aliases with OpenLDAP
2016-09-18 11:29 GMT-04:00 Ralf Mattes <r.mat...@mh-freiburg.de>:
>
> On Sunday, 18 September 2016 16:55 CEST, Clément OUDOT
> <clem.ou...@gmail.com> wrote:
>
>> Hi,
>>
>> you are right, we did not publish sources as Debian source packages
>> and we should do it.
>>
>> For the moment, you can get the source files here:
>> http://tools.ltb-project.org/projects/ltb/repository/show/openldap-deb/trunk/debian
>
> Is this substantially different from
>
> git://anonscm.debian.org/pkg-openldap/openldap.git
>
> That one seems to compile fine on Debian stable and contains the patch for
> back-relay that I need so urgently.

Yes, LDAP Tool Box just takes the latest OpenLDAP stable release and publishes RPM/Debian packages. It does not provide development versions of OpenLDAP, unless there is a big issue that needs to be patched before the official OpenLDAP release.

Clément.
Re: enforce TLS 1.2 in OpenLDAP server side
On 11/09/2016 at 03:25, Steve Zeng wrote:
> Thanks for the note. So we need to rebuild it against OpenSSL?

You can give a try to the LDAP Tool Box packages, which are built against OpenSSL:
* http://ltb-project.org/wiki/documentation/openldap-rpm
* http://ltb-project.org/wiki/download#openldap

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
Re: How to enable memberOf overlay with posixGroup?
On 08/09/2016 at 04:52, Ryan Tandy wrote:
> On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
>> I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups.
>
> This is the key issue. A draft schema known as "rfc2307bis" exists, which replaces (!) the published RFC2037 schema with one compatible with groupOfNames. A published solution to this problem does not currently exist. In the past year there have been some discussions on the ldapext list. You can find the archives of that list at: https://www.ietf.org/mailman/listinfo/ldapext

Hi,

as a workaround, I often create a small connector that synchronises posixGroup objects into groupOfNames. It's really easy to do with LSC (http://www.lsc-project.org). With this, you only manage POSIX groups, and standard groups are updated automatically. You can then use the memberOf overlay on groupOfNames.

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
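An added example of the posixGroup-to-groupOfNames sync described in the reply, written here in plain Python rather than as an LSC task and run on constructed sample data; it is not LSC's or the project's code. It resolves each memberUid to a DN under ou=people, emits groupOfNames entries for ldapadd (which the memberOf overlay then tracks), and reports memberUid values that match no person instead of dropping them silently.

```python
# Constructed sample directory content (not from the thread): posixGroup entries
# keyed by DN and a uid -> DN map for the people branch, as a connector would read them.
POSIX_GROUPS = {
    "cn=developers,ou=posixgroups,dc=example,dc=com": {
        "cn": "developers", "gidNumber": "10001", "memberUid": ["alice", "bob", "ghost"]},
    "cn=ops,ou=posixgroups,dc=example,dc=com": {
        "cn": "ops", "gidNumber": "10002", "memberUid": []},
}
PEOPLE = {"alice": "uid=alice,ou=people,dc=example,dc=com",
          "bob": "uid=bob,ou=people,dc=example,dc=com"}
GROUP_BASE = "ou=groups,dc=example,dc=com"   # where the groupOfNames mirrors live


def posix_to_group_of_names(posix_groups, people, group_base):
    """Map every posixGroup to a groupOfNames DN with member DNs.
    Returns (groups, unresolved): memberUid values with no matching person are
    reported so the operator can check them rather than granting nothing silently."""
    groups, unresolved = {}, []
    for attrs in posix_groups.values():
        dn = f"cn={attrs['cn']},{group_base}"
        members = []
        for uid in attrs["memberUid"]:
            if uid in people:
                members.append(people[uid])
            else:
                unresolved.append((attrs["cn"], uid))
        # groupOfNames makes member mandatory: an empty posixGroup is mirrored
        # with the group's own DN as placeholder (a convention chosen here).
        groups[dn] = members or [dn]
    return groups, unresolved


def to_ldif(groups):
    """Render one ldapadd entry per groupOfNames; with the memberOf overlay
    configured on this branch, slapd derives memberOf on users from these values."""
    entries = []
    for dn, members in groups.items():
        cn = dn.split(",", 1)[0][len("cn="):]
        lines = [f"dn: {dn}", "changetype: add", "objectClass: groupOfNames",
                 f"cn: {cn}"] + [f"member: {m}" for m in members]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    groups, unresolved = posix_to_group_of_names(POSIX_GROUPS, PEOPLE, GROUP_BASE)
    print(to_ldif(groups))
    for cn, uid in unresolved:
        print(f"# warning: memberUid {uid} in {cn} has no entry under ou=people")
```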
Re: Change Default ssha password encryption algorithm
On 25/08/2016 at 18:12, Net Warrior wrote:
> Hi Guys
> I need some guidance on this, I configured a ppolicy for a DIT which has all the users in plain password, I added the following to the policy
>
> changetype: modify
> replace: olcPPolicyHashCleartext
> olcPPolicyHashCleartext: FALSE
>
> When the user resets its password, it changes from clear password to encrypted using ssha but I want to store them using md5crypt, what do I need to change in my configuration?

See the olcPasswordHash parameter. From man slapd-config:

olcPasswordHash: [...]
This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}. {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed. {CRYPT} uses the crypt(3). {CLEARTEXT} indicates that the new password should be added to userPassword as clear text. Note that this option does not alter the normal user applications handling of userPassword during LDAP Add, Modify, or other LDAP operations. This setting is only allowed in the frontend entry.

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
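As an added example (not from the thread and not OpenLDAP's code), the userPassword formats the man page lists, {SSHA}, {SHA}, {SMD5}, {MD5} and {CLEARTEXT}, implemented in Python so an administrator can audit which scheme a stored value uses and verify it offline; {CRYPT} is left out because it depends on the platform's crypt(3). The seed bytes in the test are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Digest algorithm and raw digest length for each scheme; in the seeded
# schemes ({SSHA}, {SMD5}) the seed follows the digest inside the base64 blob.
_DIGEST = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
           "MD5": ("md5", 16), "SMD5": ("md5", 16)}


def split_scheme(value: str) -> Tuple[str, str]:
    """Split '{SSHA}base64...' into ('SSHA', 'base64...').
    A value without a {scheme} prefix is stored in clear, as in the poster's DIT."""
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value
    end = value.index("}")
    return value[1:end].upper(), value[end + 1:]


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme not in _DIGEST:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    algo, dlen = _DIGEST[scheme]
    raw = base64.b64decode(payload)
    digest, seed = raw[:dlen], raw[dlen:]          # seed is empty for {SHA}/{MD5}
    computed = hashlib.new(algo, candidate.encode() + seed).digest()
    return hmac.compare_digest(digest, computed)


def hash_userpassword(password: str, scheme: str = "SSHA",
                      seed: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the layout slapd writes for the scheme
    (the default {SSHA} matches what the poster observed after a reset)."""
    scheme = scheme.upper()
    algo, _ = _DIGEST[scheme]
    if scheme in ("SSHA", "SMD5"):
        seed = os.urandom(4) if seed is None else seed   # slapd uses a 4-byte seed
    else:
        seed = b""
    digest = hashlib.new(algo, password.encode() + seed).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + seed).decode())
```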
Re: Modification of objectClass failing: how can I get details?
On 02/08/2016 at 15:32, Côme Chilliet wrote:
> Hello,
>
> I'm trying to modify an LDAP node to change its objectClasses:
>
> dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
> cn: canon-c5250
> description:: Q2Fub24gSVIgQURWIEM1MjUwIA==
> labeledURI: ipp://127.0.0.1
> ipHostnumber: 127.0.0.1
> macAddress: 12:12:12:12:12:12
> objectClass: top
> objectClass: gotoPrinter
>
> I want to remove the gotoPrinter objectClass which is flagged as OBSOLETE and instead use fdPrinter, ipHost and ieee802Device.
>
> I try with an ldif with the following content:
>
> dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
> changetype: modify
> replace: objectClass
> objectClass: fdPrinter
> objectClass: ieee802Device
> objectClass: ipHost
> objectClass: top
>
> I get:
>
> ldapadd -D cn=admin,dc=xxx,dc=xxx -f modify.ldif -W
> ldap_modify: Object class violation (65)
>
> How can I get more information? I don't know which violation that could be, as I am able to insert a second object with no problem which looks like what I want:
>
> dn: cn=test-print,ou=printers,ou=systems,dc=xxx,dc=xxx
> changetype: add
> cn: test-print
> description: test
> labeledURI: ipp://127.0.0.1
> ipHostnumber: 127.0.0.1
> macAddress: 12:22:12:12:22:22
> objectClass: fdPrinter
> objectClass: ieee802Device
> objectClass: ipHost
> objectClass: top
>
> Here are the classes definitions:
>
> objectclass (1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter' DESC 'GOto - Gonicus Terminal Concept, objectclass' SUP top STRUCTURAL OBSOLETE MUST ( cn ) MAY ( labeledURI $ description $ l $ gotoPrinterPPD $ macAddress $ ipHostNumber $ gotoUserPrinter $ gotoUserAdminPrinter $ gotoGroupPrinter $ gotoGroupAdminPrinter $ printerWindowsInfFile $ printerWindowsDriverDir $ printerWindowsDriverName) )
>
> objectclass ( 1.3.6.1.4.1.38414.16.2.5 NAME 'fdPrinter' DESC 'FusionDirectory printer class' MUST ( cn ) MAY ( labeledURI $ fdPrinterWindowsInfFile $ fdPrinterWindowsDriverDir $ fdPrinterWindowsDriverName $ fdPrinterUsers $ fdPrinterAdminUsers))

Hello,

you can't replace the default structural objectClass of an object (this objectClass is listed in the structuralObjectClass operational attribute). You can do it with the relax extension if needed, else, simply remove and add the entry.

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
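To make the reply concrete, an added example (not from the thread) that derives the structural class from objectclass definitions and shows why the replace is refused: the entry's structuralObjectClass would move from gotoPrinter to fdPrinter, which slapd rejects with objectClassViolation unless the relax control is used. The gotoPrinter and fdPrinter definitions are the ones quoted above trimmed to NAME/SUP/kind; the top, ipHost and ieee802Device definitions are constructed here in the same trimmed form.

```python
import re

# Schema trimmed to what the check needs: the two classes quoted in the thread
# plus constructed, abbreviated definitions for top and the RFC 2307 auxiliary classes.
SCHEMA_TEXT = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter' SUP top STRUCTURAL OBSOLETE MUST ( cn ) )
objectclass ( 1.3.6.1.4.1.38414.16.2.5 NAME 'fdPrinter' MUST ( cn ) )
objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) )
objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY MAY macAddress )
"""


def parse_schema(text):
    """Extract name, superior and kind from each objectclass definition.
    RFC 4512 defaults apply: kind is STRUCTURAL and SUP is top when omitted,
    which is why fdPrinter (no SUP, no kind) is a structural class."""
    classes = {}
    for line in text.strip().splitlines():
        name = re.search(r"NAME '([^']+)'", line).group(1)
        sup = re.search(r"\bSUP (\w+)", line)
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", line)
        classes[name] = {
            "sup": sup.group(1) if sup else (None if name == "top" else "top"),
            "kind": kind.group(1) if kind else "STRUCTURAL",
        }
    return classes


def superior_chain(classes, name):
    chain = []
    while name:
        chain.append(name)
        name = classes[name]["sup"]
    return chain


def structural_class(classes, object_classes):
    """The most specific STRUCTURAL class, i.e. what slapd records in the
    structuralObjectClass operational attribute; None if there is none."""
    structural = [c for c in object_classes if classes[c]["kind"] == "STRUCTURAL"]
    for c in structural:
        # c is the leaf if it is not an ancestor of another structural class
        if not any(c != o and c in superior_chain(classes, o) for o in structural):
            return c
    return None


def check_replace_objectclass(classes, current, proposed):
    """Emulate the check behind error 65 in the thread: a modify whose result
    has a different structural class is an objectClassViolation unless the
    relax control is sent (or the entry is deleted and re-added)."""
    before = structural_class(classes, current)
    after = structural_class(classes, proposed)
    if before != after:
        return f"objectClassViolation: structuralObjectClass would change from {before} to {after}"
    return "ok"
```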
Re: ContextCSN showing Junk Characters
On 07/07/2016 19:38, Aaron Richton wrote:
> On Thu, 7 Jul 2016, scn...@yahoo.com wrote:
>> Hi, My ldapmaster ContextCSN is showing Junk Characters. Please advise how I can reset it to a valid one.
>>
>> contextCSN:: 0CKRuTQrAAA=
>>
>> CentOS 5.8 Openldap Version is OpenLDAP: slapd 2.3.43
>
> Perhaps some unfortunate corruption bug, but seeing as OpenLDAP 2.3.43 was released 2008/07/16 there's a good chance you can get the appropriate bug fix just by upgrading. Somebody else has probably already contributed the hard work in the past eight years. So upgrade to the latest version of OpenLDAP from www.openldap.org, and then any write to the database should write a fresh contextCSN...

If you are stuck on CentOS 5 and want to install a recent OpenLDAP with packages, take a look at http://ltb-project.org/wiki/download#openldap

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot