Hi Adam,
Sorry, because of workload it took me a while to revisit my configuration and
verify the things you mentioned. As far as I can tell, things look to be in
place. I have pasted my configuration, mapped exactly to yours. Could you
kindly take a look at it for me, please?
PWD=/etc/openldap/slapd.d
# ls -lR
cn=config
cn=config.ldif
./cn=config:
../
cn=schema/
olcDatabase={0}config/
olcDatabase={1}hdb/
cn=module{0}.ldif
cn=schema.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={0}config.ldif
olcDatabase={1}hdb.ldif
/cn=config/cn=schema:
adm...@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
total 60
-rw-r----- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
-rw------- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
-rw------- 1 openldap openldap 2810 2010-04-01 00:31 cn={2}inetorgperson.ldif
-rw------- 1 openldap openldap 6446 2010-04-01 00:31 cn={3}nis.ldif
-rw------- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
-rw------- 1 openldap openldap 468 2010-04-15 04:07 cn={5}hostobj.ldi
./cn=config/olcDatabase={0}config <=== I probably messed this up while
trying multi-master replication, but didn't know how to delete these, so I
left them there thinking it would not harm my dynlist config anyway. Please
correct me if I'm wrong.
sudo ls /etc/ldap/slapd.d//cn=config/olcDatabase={0}config
olcOverlay={0}syncprov.ldif olcOverlay={5}syncprov.ldif
olcOverlay={10}syncprov.ldif olcOverlay={6}syncprov.ldif
olcOverlay={1}syncprov.ldif olcOverlay={7}syncprov.ldif
olcOverlay={2}syncprov.ldif olcOverlay={8}syncprov.ldif
olcOverlay={3}syncprov.ldif olcOverlay={9}syncprov.ldif
olcOverlay={4}syncprov.ldif

adm...@x6:/etc/ldap$ sudo ls /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb
olcOverlay={0}dynlist.ldif

adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 342d7130-d1ac-102e-9cd4-e742ad24bbaf
creatorsName: cn=config
createTimestamp: 20100401073034Z
olcServerID: 1 ldap://x6.testlab.com
olcServerID: 2 ldap://x6slave.testlab.com
entryCSN: 20100415071243.393226Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100415071243Z
contextCSN: 20100415110741.696825Z#000000#000#000000

adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}dynlist.la
olcModuleLoad: {2}syncprov
structuralObjectClass: olcModuleList
entryUUID: d01365fa-d1ac-102e-845b-c590dd936017
creatorsName: cn=localroot,cn=config
createTimestamp: 20100401073455Z
entryCSN: 20100414110801.212307Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100414110801Z

adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}dynlist.ldif
dn: olcOverlay={0}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames labeledURI member
structuralObjectClass: olcDynamicList
entryUUID: 4a9d0a38-d5b3-102e-8fe9-d7eabe4068a1
creatorsName: cn=admin,cn=config
createTimestamp: 20100406103123Z
entryCSN: 20100406103123.135808Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100406103123Z

My ldap.conf is there in the first thread. Do you see any issues that I need
to take care of? Is there anything you think I could be missing here?
Thanks
Shamika
On Mon, Jun 7, 2010 at 3:38 PM, Shamika Joshi <[email protected]>wrote:
> Thanks for the reply & details Adam
> I shall try matching my config to this & get back to you.
>
> thanks a ton
> Shamika
>
>
> On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough <[email protected]> wrote:
>
>> My guess is that your config on the server is not right. So it looks like
>> you are using slapd.d, which is what I am using as well. (I need to
>> upload some updated rpms, I think, to gradientzero as well.)
>>
>> I used this site to help me get my configuration working
>> http://www.zytrax.com/books/ldap/ch6/slapd-config.html
>>
>> So my directory structural looks like:
>>
>> NOTE: While you can edit these files through the filesystem, I highly
>> recommend that you edit the files through LDAP commands. I use Apache
>> Directory Studio as my GUI-type front end, use ldapvi when I just want to
>> make changes to values already in the LDAP server, and then, to make major
>> changes, I use ldapmodify.
>>
>> PWD=/etc/openldap/slapd.d
>> # ls -lR
>> .:
>> total 8
>> drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
>> -rw------- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif
>>
>> ./cn=config:
>> total 100
>> -rw------- 1 ldap ldap 575 Sep 1 2009 cn=module{0}.ldif
>> drwxr-x--- 2 ldap ldap 4096 Mar 4 12:42 cn=schema
>> -rw------- 1 ldap ldap 61687 Sep 1 2009 cn=schema.ldif
>> drwxr-x--- 2 ldap ldap 4096 Sep 2 2009 olcDatabase={0}config
>> -rw------- 1 ldap ldap 2067 Nov 12 2009 olcDatabase={0}config.ldif
>> drwxr-x--- 2 ldap ldap 4096 Mar 4 11:36 olcDatabase={1}bdb
>> -rw------- 1 ldap ldap 4093 May 26 16:48 olcDatabase={1}bdb.ldif
>> -rw------- 1 ldap ldap 2041 May 21 13:31 olcDatabase={-1}frontend.ldif
>> -rw------- 1 ldap ldap 522 Sep 1 2009 olcDatabase={2}monitor.ldif
>>
>> /cn=config/cn=schema:
>> ...<SCHEMAS in this directory deleted to make this shorter>.
>>
>>
>> ./cn=config/olcDatabase={0}config:
>> total 4
>> -rw------- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif
>>
>> ./cn=config/olcDatabase={1}bdb:
>> total 24
>> -rw------- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif
>> -rw------- 1 ldap ldap 474 Sep 2 2009 olcOverlay={1}ppolicy.ldif
>> -rw------- 1 ldap ldap 397 Sep 3 2009 olcOverlay={2}memberof.ldif
>> -rw------- 1 ldap ldap 494 Sep 2 2009 olcOverlay={3}refint.ldif
>> -rw------- 1 ldap ldap 425 Sep 9 2009 olcOverlay={4}dynlist.ldif
>> -rw------- 1 ldap ldap 530 Mar 4 11:36 olcOverlay={5}unique.ldif
>>
>> Now for some listings of my ldifs that you think you need to see.
>>
>> # cat cn\=config.ldif
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcConfigDir: /etc/openldap/slapd.d
>> olcAttributeOptions: lang-
>> olcAuthzPolicy: none
>> olcConnMaxPending: 100
>> olcConnMaxPendingAuth: 1000
>> olcGentleHUP: FALSE
>> olcIdleTimeout: 0
>> olcIndexSubstrIfMaxLen: 4
>> olcIndexSubstrIfMinLen: 2
>> olcIndexSubstrAnyLen: 4
>> olcIndexSubstrAnyStep: 2
>> olcIndexIntLen: 4
>> olcLocalSSF: 71
>> olcReadOnly: FALSE
>> olcReverseLookup: FALSE
>> olcSaslSecProps: noplain,noanonymous
>> olcSockbufMaxIncoming: 262143
>> olcSockbufMaxIncomingAuth: 16777215
>> olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
>> olcTLSVerifyClient: never
>> structuralObjectClass: olcGlobal
>> olcTLSCACertificateFile: /etc/pki/certmaster/ca.cert
>> entryUUID: e686e389-d0eb-4987-a240-fee46028c0a6
>> creatorsName: cn=config
>> createTimestamp: 20090901234827Z
>> olcTLSCRLCheck: none
>> olcTLSCertificateFile: /etc/openldap/cacerts/server.cert
>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/key.pem
>> olcServerID: 2 ldaps://2
>> olcServerID: 1 ldaps://1
>> olcServerID: 3 ldaps://3
>> olcPidFile: /var/run/openldap/slapd.pid
>> olcToolThreads: 1
>> olcThreads: 16
>>
>> # cat cn\=config/cn\=module\{0\}.ldif
>> dn: cn=module{0}
>> objectClass: olcModuleList
>> cn: module{0}
>> olcModulePath: /usr/lib64/openldap
>> olcModuleLoad: {0}dynlist.la
>> olcModuleLoad: {1}pcache.la
>> olcModuleLoad: {2}ppolicy.la
>> olcModuleLoad: {3}refint.la
>> olcModuleLoad: {4}retcode.la
>> olcModuleLoad: {5}syncprov.la
>> olcModuleLoad: {6}unique.la
>> olcModuleLoad: {7}memberof.la
>> structuralObjectClass: olcModuleList
>>
>> # cat cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{4\}dynlist.ldif
>> dn: olcOverlay={4}dynlist
>> objectClass: olcOverlayConfig
>> objectClass: olcDynamicList
>> olcOverlay: {4}dynlist
>> structuralObjectClass: olcDynamicList
>>
>>
>> I think these should help you find where you have gone wrong with your
>> slapd configuration.
>>
>> So in my actual directory I have an ou=Systems,dc=domain,dc=ZZZ
>>
>>
>> cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
>> cn: sysadmin
>> objectClass: top
>> objectClass: groupOfNames
>> objectClass: labeledURIObject
>> member: uid=nobody,ou=People,dc=domain,dc=ZZZ
>> labeledURI: ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)
>>
>> The nobody user is a fake user that is in all my groups; the user cannot
>> log in. The labeledURI says that if a user has host=sysadmin they should be
>> in this group.
>>
>> /etc/ldap.conf:
>> pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
>> pam_member_attribute member
>>
>> Also note that I hacked my schema to allow the host attribute in the
>> posixAccount users.
>>
>>
>>
>> On Wed, Jun 2, 2010 at 7:06 AM, Shamika Joshi <[email protected]>wrote:
>>
>>> Hi
>>> I've followed Adam's post below on 'using pam_groupdn to use dynlist' in
>>> reply to my query posted a couple of months back, and after revisiting this
>>> configuration I am facing an issue doing ssh to the client machine as a
>>> dynamic member of the group. It works correctly for the static members of
>>> the same group. Could you figure out if I'm missing something here?
>>>
>>> Currently using Ubuntu 9.10 which uses slapd.d configuration directory.
>>>
>>>
>>> dn: cn=module{0},cn=config
>>> objectClass: olcModuleList
>>> cn: module{0}
>>> olcModulePath: /usr/lib/ldap
>>> olcModuleLoad: {0}back_hdb
>>> olcModuleLoad: {1}dynlist.la
>>> olcModuleLoad: {2}syncprov
>>>
>>> dn: olcDatabase={1}hdb,cn=config
>>> objectClass: olcDatabaseConfig
>>> objectClass: olcHdbConfig
>>> olcDatabase: {1}hdb
>>> olcDbDirectory: /var/lib/ldap
>>> olcSuffix: dc=testlab,dc=com
>>> olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=testlab,dc=com" write by anonymous auth by self write by * none
>>> olcAccess: {1}to dn.base="" by * read
>>> olcAccess: {2}to * by dn="cn=admin,dc=testlab,dc=com" write by * read
>>> olcLastMod: TRUE
>>> olcRootDN: cn=admin,dc=testlab,dc=com
>>> olcRootPW: 1234
>>> olcDbCheckpoint: 512 30
>>> olcDbConfig: {0}set_cachesize 0 2097152 0
>>> olcDbConfig: {1}set_lk_max_objects 1500
>>> olcDbConfig: {2}set_lk_max_locks 1500
>>> olcDbConfig: {3}set_lk_max_lockers 1500
>>> olcDbIndex: uid pres,eq
>>> olcDbIndex: cn,sn,mail pres,eq,approx,sub
>>> olcDbIndex: objectClass eq
>>>
>>> dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
>>> objectClass: olcOverlayConfig
>>> objectClass: olcDynamicList
>>> olcOverlay: {0}dynlist
>>> olcDlAttrSet: {0}groupOfNames labeledURI member
>>>
>>> ldap.conf on the client machine contains:
>>> # Group to enforce membership of
>>> pam_groupdn cn=u910desk,ou=Machines,dc=testlab,dc=com
>>>
>>> # Group member attribute
>>> pam_member_attribute member
>>>
>>> I have added the following group:
>>> dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
>>> cn: u910desk
>>> ipHostNumber: 172.17.5.232
>>> objectClass: top
>>> objectClass: groupOfNames
>>> objectClass: labeledURIObject
>>> objectClass: ipHost
>>> labeledURI: ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)
>>> member: cn=placeholder,dc=testlab,dc=com
>>> member: uid=henry,ou=Users,dc=testlab,dc=com
>>>
>>> Also a user with a host=cms3 entry, which should become a dynamic member
>>> of 'u910desk' after resolving the labeledURI above:
>>>
>>> dn: uid=jack,ou=Users,dc=testlab,dc=com
>>> cn: jack
>>> sn: jack
>>> givenName: jack
>>> uid: jack
>>> uidNumber: 1002
>>> gidNumber: 513
>>> homeDirectory: /home/jack
>>> loginShell: /bin/bash
>>> gecos: System User
>>> host: cms3
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: hostobj
>>> shadowMax: 45
>>>
>>>
>>> However, when I run a search for the members of group 'u910desk' it returns
>>> the following; the member list does not contain an entry for user 'jack':
>>>
>>> $ ldapsearch -xLLL -b 'cn=u910desk,ou=Machines,dc=testlab,dc=com' member
>>> dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
>>> member: cn=placeholder,dc=testlab,dc=com
>>> member: uid=henry,ou=Users,dc=testlab,dc=com
>>>
>>> For the same reason (not sure, though) I think I'm not able to ssh to this
>>> client using 'jack'; however, ssh using 'henry' works, it being a static
>>> member of 'u910desk'.
>>>
>>> adm...@u910desk:~$ ssh j...@localhost
>>> j...@localhost's password:
>>> You must be a member of cn=u910desk,ou=Machines,dc=testlab,dc=com to
>>> login.
>>> Connection closed by ::1
>>> adm...@u910desk:~$
>>> adm...@u910desk:~$
>>> adm...@u910desk:~$
>>> adm...@u910desk:~$ ssh he...@localhost
>>> he...@localhost's password:
>>> Linux u910desk 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 17:01:44 UTC
>>> 2009 x86_64
>>>
>>> To access official Ubuntu documentation, please visit:
>>> http://help.ubuntu.com/
>>>
>>> 164 packages can be updated.
>>> 90 updates are security updates.
>>>
>>> Last login: Wed Jun 2 17:10:19 2010 from localhost
>>> he...@u910desk:~$
>>>
>>>
>>> Any help in this matter will be highly appreciated.
>>>
>>> Thanks in advance
>>> Shamika
>>>
>>>
>>>
>>> On Sat, Dec 12, 2009 at 4:53 AM, Adam Hough <[email protected]>wrote:
>>>
>>>> I am guessing you are either using RHEL5, CentOS5 or some other RHEL5
>>>> based distro. I replaced the openldap that was on my CentOS5 machines with
>>>> a newer version at 2.4.16+patches.
>>>>
>>>> I have uploaded the rpms and srpms of what I used which you can do a
>>>> drop in replacement of the RHEL5 based openldap rpms.
>>>> http://www.gradientzero.com/openldap/
>>>>
>>>> I do not remember for sure, but I think I had to force one or two of the
>>>> packages to get it to install, but once everything is installed it ran
>>>> fine for me. I have 3 ldap servers using this version set up in a
>>>> multi-master setup.
>>>>
>>>> Since I am doing a multi-master setup, I do not use slapd.conf but rather
>>>> the slapd.d configuration directory, though the dynlist overlay should work
>>>> with slapd.conf as well.
>>>>
>>>>
>>>> - Adam
>>>>
>>>>>
>>>>>
>>>>> On Fri, Dec 11, 2009 at 4:18 AM, Adam Hough <[email protected]>wrote:
>>>>>
>>>>>> There are other ways to populate the pam_groupdn that you have
>>>>>> associated with each machine, but those all correspond to some attribute
>>>>>> in the user's profile.
>>>>>>
>>>>>> I have pam_groupdn setup like this
>>>>>>
>>>>>> /etc/ldap.conf:
>>>>>> pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>>>>> pam_member_attribute member
>>>>>>
>>>>>> cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>>>>> cn: <GROUP_NAME>
>>>>>> objectClass: top
>>>>>> objectClass: groupOfNames
>>>>>> objectClass: labeledURIObject
>>>>>> member: uid=nobody,ou=People,dc=domain,dc=com
>>>>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(host=<type of system>)
>>>>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=XXXX)
>>>>>>
>>>>>> So as you can see, you can have as many labeledURI attributes as you
>>>>>> want or need. I tend to use the host value to name the function of what
>>>>>> the host does.
>>>>>>
>>>>>> This is how my account profile would look:
>>>>>> uid=<MYUSERID>,ou=People,dc=domain,dc=com
>>>>>> host: "cluster"
>>>>>> host: sysadmin
>>>>>>
>>>>>> So "cluster" is a compute cluster that we have, and thus for all those
>>>>>> machines the pam_groupdn is cn="cluster",ou=Systems,dc=domain,dc=com, and
>>>>>> for machines where only the sysadmins log in, the pam_groupdn is
>>>>>> cn=sysadmin,ou=Systems,dc=domain,dc=com.
>>>>>>
>>>>>> As long as you can form a labeledURI
>>>>>> ldap:///ou=People,dc=domain,dc=com??one?(<attribute>=<value>) type search,
>>>>>> you can use it to auto-populate the group.
>>>>>>
>>>>>> Summary:
>>>>>> * Do not think of the host attribute as host = hostname but as host
>>>>>> = type of machine, and note that you can have more than one labeledURI
>>>>>> per group to help populate the group.
>>>>>> * Use good gidNumbers for groups to help auto-populate groupOfNames
>>>>>> style groups.
>>>>>>
>>>>>>
>>>>>>
>>>>>> - Adam
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi Adam,
>>>>>>> I'm able to get host auth working by using the host attribute. But the
>>>>>>> drawback of that is that every time there is a new machine, I have to
>>>>>>> add that host to all the users I want to grant access to. If I decide
>>>>>>> to do it based on group membership, I can use pam_groupdn, but then it
>>>>>>> does not allow multiple group entries there, plus it has to be managed
>>>>>>> on the client side, which is even more undesirable for any
>>>>>>> administrator.
>>>>>>>
>>>>>>> I went through this article, but I'm not sure if it will work if I
>>>>>>> have some members already associated with some groups. Say ldap1 and
>>>>>>> ldap2 are members of qagroup and ldap3 and ldap4 are members of
>>>>>>> sysadmin; would this method allow me to limit access based on their
>>>>>>> group membership? If yes, could you briefly explain with an example?
>>>>>>>
>>>>>>> Thank for your time in advance
>>>>>>> Shamika
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough <[email protected]>wrote:
>>>>>>>
>>>>>>>> Here is the write-up that I read to figure out how to set up
>>>>>>>> auto-restricting users to certain hosts.
>>>>>>>>
>>>>>>>>
>>>>>>>> http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
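An added example for the slapd.d listings pasted in this thread (it is not code from the thread or from OpenLDAP): a script that walks a cn=config tree the way those listings were read by hand and reports which modules are loaded and which overlays are stacked on each database, flagging an overlay that appears more than once on the same database (the {0} to {10} syncprov entries above are exactly that) and an overlay that no olcModuleLoad names. It assumes the on-disk layout the listings show, one .ldif per entry with overlays in a per-database directory; the function names and the sample tree are mine, and the sample tree is constructed inline so it runs offline. The "not in olcModuleLoad" flag is a hint only, since an overlay compiled into slapd statically needs no module.

```python
"""Added example, not code from the thread or from OpenLDAP: walk a slapd.d
(cn=config) tree and report loaded modules and per-database overlays,
flagging duplicates and overlays with no matching olcModuleLoad (a hint only:
an overlay built into slapd statically needs no module). The tree is constructed
here; point audit_slapd_d() at a real slapd.d (as root) to audit a server."""
import base64
import os
import re
import tempfile

# Constructed sample tree: relative path -> file contents
SAMPLE_TREE = {
    "cn=config/cn=module{0}.ldif": (
        "dn: cn=module{0}\nobjectClass: olcModuleList\ncn: module{0}\n"
        "olcModulePath: /usr/lib/ldap\nolcModuleLoad: {0}back_hdb\n"
        "olcModuleLoad: {1}dynlist.la\nolcModuleLoad: {2}syncprov\n"),
    "cn=config/olcDatabase={0}config.ldif": (
        "dn: olcDatabase={0}config\nobjectClass: olcDatabaseConfig\n"
        "olcDatabase: {0}config\n"),
    "cn=config/olcDatabase={1}hdb.ldif": (
        "dn: olcDatabase={1}hdb\nobjectClass: olcDatabaseConfig\n"
        "objectClass: olcHdbConfig\nolcDatabase: {1}hdb\n"
        # a base64 ('::') value and a folded line, both legal LDIF
        "olcSuffix:: " + base64.b64encode(b"dc=testlab,dc=com").decode() + "\n"
        "olcAccess: {0}to attrs=userPassword,shadowLastChange\n"
        "  by dn=\"cn=admin,dc=testlab,dc=com\" write by * none\n"),
    "cn=config/olcDatabase={1}hdb/olcOverlay={0}dynlist.ldif": (
        "dn: olcOverlay={0}dynlist\nobjectClass: olcOverlayConfig\n"
        "objectClass: olcDynamicList\nolcOverlay: {0}dynlist\n"
        "olcDlAttrSet: {0}groupOfNames labeledURI member\n"),
    # configured on the database but never named in olcModuleLoad
    "cn=config/olcDatabase={1}hdb/olcOverlay={1}memberof.ldif": (
        "dn: olcOverlay={1}memberof\nobjectClass: olcOverlayConfig\n"
        "olcOverlay: {1}memberof\n"),
}
for _i in (0, 1, 10):  # the same overlay added three times, as in the listing
    SAMPLE_TREE["cn=config/olcDatabase={0}config/olcOverlay={%d}syncprov.ldif" % _i] = (
        "dn: olcOverlay={%d}syncprov\nobjectClass: olcOverlayConfig\n"
        "olcOverlay: {%d}syncprov\n" % (_i, _i))


def parse_ldif(text):
    """One LDIF entry -> {attr (lower case): [values]}; folds continuation lines
    (leading space), decodes '::' base64 values, skips comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def strip_index(value):
    """'{10}syncprov' -> 'syncprov', '{-1}frontend' -> 'frontend'."""
    return re.sub(r"^\{-?\d+\}", "", value)


def ordering_index(value):
    m = re.match(r"^\{(-?\d+)\}", value)
    return int(m.group(1)) if m else 0


def audit_slapd_d(root):
    """Report {'modules': [...], 'databases': {'{1}hdb': {...}, ...}}."""
    report = {"modules": [], "databases": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".ldif"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                entry = parse_ldif(fh.read())
            parts = os.path.relpath(path, root).replace(os.sep, "/").split("/")
            if "olcmoduleload" in entry:
                report["modules"] += [strip_index(v) for v in entry["olcmoduleload"]]
            elif len(parts) >= 2 and parts[1].startswith("olcDatabase="):
                key = parts[1][len("olcDatabase="):].replace(".ldif", "")
                db = report["databases"].setdefault(key, {"suffix": None, "overlays": []})
                if "olcoverlay" in entry:
                    db["overlays"].append(entry["olcoverlay"][0])
                elif "olcsuffix" in entry:
                    db["suffix"] = entry["olcsuffix"][0]
    loaded = {m.split(".")[0] for m in report["modules"]}  # 'dynlist.la' -> 'dynlist'
    for db in report["databases"].values():
        db["overlays"].sort(key=ordering_index)
        names = [strip_index(o) for o in db["overlays"]]
        db["duplicates"] = sorted({n for n in names if names.count(n) > 1})
        db["not_in_moduleload"] = sorted({n for n in names if n not in loaded})
    return report


def audit_sample():
    """Write SAMPLE_TREE into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_TREE.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_slapd_d(tmp)
```

On the sample tree this reports syncprov as duplicated on olcDatabase={0}config and memberof as an overlay on olcDatabase={1}hdb with no module load; reading the files directly is fine for an audit, but as Adam notes above, changes to the tree should go through ldapmodify rather than the filesystem.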
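An added example, not from the thread and not OpenLDAP's own code, as an offline model of the mechanism Adam describes: the dynlist overlay turns each labeledURI on a groupOfNames into a search whose results come back as extra member values, and pam_ldap's pam_groupdn / pam_member_attribute then checks the logging-in user's DN against that attribute. The directory entries, the u910desk group and every function name are constructed here. One rule in it is an assumption of mine: that only host-less ldap:/// URLs are evaluated and a URL naming a host adds no members. That is my reading of slapo-dynlist and should be verified against slapo-dynlist(5) for the version in use.

```python
"""Added example, not code from the thread or from OpenLDAP: an offline model
of slapo-dynlist expanding a groupOfNames from its labeledURI values, and of
the pam_groupdn / pam_member_attribute check pam_ldap makes against the result.
Every entry below is constructed sample data."""
import re

# Constructed sample directory: DN -> {attribute (lower case): [values]}
DIRECTORY = {
    "uid=henry,ou=Users,dc=testlab,dc=com": {"uid": ["henry"], "host": ["cms1"]},
    "uid=jack,ou=Users,dc=testlab,dc=com": {"uid": ["jack"], "host": ["cms3"]},
    "uid=mary,ou=Users,dc=testlab,dc=com": {"uid": ["mary"], "host": ["cms3", "cluster"]},
    # one level below ou=Users: excluded by scope "one", included by "sub"
    "uid=tmp,ou=Contractors,ou=Users,dc=testlab,dc=com": {"uid": ["tmp"], "host": ["cms3"]},
    "cn=u910desk,ou=Machines,dc=testlab,dc=com": {
        "objectclass": ["groupOfNames", "labeledURIObject"], "cn": ["u910desk"],
        "member": ["cn=placeholder,dc=testlab,dc=com",
                   "uid=henry,ou=Users,dc=testlab,dc=com"],
        "labeleduri": ["ldap:///ou=Users,dc=testlab,dc=com??one?(host=cms3)"]},
}


def norm_dn(dn):
    """Cheap DN normalisation: lower case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    return norm_dn(dn.split(",", 1)[1]) if "," in dn else ""


def parse_ldap_url(url):
    """RFC 4516 ldap://[host]/dn?attrs?scope?filter -> (host, base, scope, filter)."""
    m = re.match(r"ldap://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// URL: %s" % url)
    host, rest = m.group(1), m.group(2)
    base, _attrs, scope, filt = (rest.split("?", 3) + ["", "", ""])[:4]
    return host, base, (scope or "base").lower(), filt or "(objectClass=*)"


def match_filter(filt, attrs):
    """RFC 4515 subset used in the thread: (a=v), presence (a=*), and &, |, !."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("bad filter: %s" % filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):   # split off top-level sub-filters
            depth += (ch == "(") - (ch == ")")
            if ch == "(" and depth == 1:
                start = i
            elif ch == ")" and depth == 0:
                subs.append(body[start:i + 1])
        results = [match_filter(s, attrs) for s in subs]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    values = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def search(base, scope, filt):
    """DNs under base/scope whose attributes satisfy filt (constructed data)."""
    base_n, hits = norm_dn(base), []
    for dn, attrs in DIRECTORY.items():
        dn_n = norm_dn(dn)
        in_scope = {"base": dn_n == base_n,
                    "one": parent_dn(dn) == base_n,
                    "sub": dn_n == base_n or dn_n.endswith("," + base_n)}[scope]
        if in_scope and match_filter(filt, attrs):
            hits.append(dn)
    return hits


def expand_members(group_dn, dynlist=True, member_attr="member", url_attr="labeleduri"):
    """Static members plus, with the overlay active for this objectClass (as in
    'olcDlAttrSet: groupOfNames labeledURI member'), whatever each labeledURI
    selects. Assumption, verify against slapo-dynlist(5) for your version: only
    host-less ldap:/// URLs are evaluated; a URL naming a host adds nothing."""
    group = DIRECTORY[group_dn]
    members = list(group.get(member_attr, []))
    if dynlist:
        for url in group.get(url_attr, []):
            host, base, scope, filt = parse_ldap_url(url)
            if host:
                continue
            for dn in search(base, scope, filt):
                if norm_dn(dn) not in map(norm_dn, members):
                    members.append(dn)
    return members


def pam_groupdn_allows(user_dn, group_dn, dynlist=True):
    """pam_groupdn + pam_member_attribute reduce to: is the user's DN among the
    group's member values as the server returns them?"""
    wanted = norm_dn(user_dn)
    return any(norm_dn(m) == wanted for m in expand_members(group_dn, dynlist))
```

Calling expand_members with dynlist=False gives the two static members, which is what the ldapsearch in the thread shows; with dynlist=True, jack and mary are added from the filter (host=cms3) and pam_groupdn_allows accepts jack. Comparing those two outputs against a real ldapsearch of the group is the first check to make on the server, before looking at the client's pam_ldap settings.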