Re: ypldap.conf help - was: Samba4 and OpenBSD
Oh, my mistake. Needed to change:

    binddn "WYNNYCHENKO\Administrator"

to

    binddn "WYNNYCHENKO\\Administrator"

also. Now, when I start ypldap:

    # ypldap -dv
    ...
    startup [debug mode]
    configuration starting
    applying configuration
    connecting to directories
    starting directory update
    searching password entries
    searching group entries
    updates are over, cleaning up trees now
    flattening trees
    ---

So, at least I seem to be moving forward.

Thanks

-----Original Message-----
From: Theodore Wynnychenko [mailto:t...@uchicago.edu]
Sent: Monday, January 11, 2016 9:21 AM
To: 'misc'
Subject: RE: ypldap.conf help - was: Samba4 and OpenBSD

On Mon, Jan 11, 2016 at 9:37 AM, Stuart Henderson wrote:
> On 2016-01-11, Theodore Wynnychenko wrote:
>> directory "ldap://DC1.samba.domain.com:389" {
>
> afaik this just takes a hostname, not a URL.

Confirmed. And see also:
http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client

Ciao!
David
--

Thanks for the advice.

So, replacing the '-H "ldap://DC1.samba.domain.com:389"' with '-h "DC1.samba.domain.com"' in ldapsearch works. e.g.:

    ldapsearch -x -h "DC1.samba.domain.com" -D "DOMAIN\Administrator" -w "password" -b "dc=samba,dc=domain,dc=com" "(objectClass=group)"
    ...
    # search result
    search: 2
    result: 0 Success

    # numResponses: 8
    # numEntries: 4
    # numReferences: 3

ldapsearch also works if I use '-h "localhost"' or '-h "127.0.0.1"' or '-h "xxx.yyy.zzz.aaa"'.

But, when I replace the directory line in ypldap.conf with:

    directory "DC1.samba.domain.com"

or "localhost" or "127.0.0.1" or the IP address, and start ypldap -dv, I get:

    # ypldap -dv
    startup [debug mode]
    configuration starting
    applying configuration
    connecting to directories
    starting directory update
    searching password entries
    directory DC1.samba.domain.com errored out in search

and it hangs; after a manual break:

    ldap client exiting
    dns engine exiting
    ---

The "errored out in search" line changes based on the directory value from ypldap.conf.

I was wondering if there might be something "different" about the ldap server included with samba4; but 'man ldapsearch' confirms that it is not anything "special" from samba, but comes from OpenLDAP:

    man ldapsearch
    ...
    ACKNOWLEDGEMENTS
           OpenLDAP Software is developed and maintained by The OpenLDAP Project
           <http://www.openldap.org/>. OpenLDAP Software is derived from
           University of Michigan LDAP 3.3 Release.

    OpenLDAP 2.4.43                  2015/11/30                    LDAPSEARCH(1)

Therefore, it seems to me that if "this" ldapsearch can get information out of the samba ldap server, then ypldap should be able to as well. Right?

A search for the error message above doesn't really lead me anywhere.

Any ideas what the error means?

Thanks again

    cat ypldap.conf
    ...
    # Global settings
    domain "samba.domain.com"
    interval 3600

    # Specify the maps that ypldap should provide
    provide map "passwd.byname"
    provide map "passwd.byuid"
    provide map "group.byname"

    # Directory declaration
    directory "DC1.samba.domain.com" {
        binddn "DOMAIN\Administrator"
        bindcred "password"
        basedn "dc=samba,dc=domain,dc=com"

        # passwd maps configuration
        passwd filter "(objectClass=posixAccount)"
        attribute name maps to "uid"
        fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute home maps to "homeDirectory"
        attribute gecos maps to "gecos"
        # LDAP users are not interactive system users
        fixed attribute shell "/sbin/nologin"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class "default"

        # group maps configuration
        group filter "(objectClass=group)"
        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        fixed attribute groupgid "*"
        list groupmembers maps to "member"
    }
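An added check, not code from the thread or from OpenBSD, that flags the two ypldap.conf pitfalls this thread turned up (a URL in `directory`, which takes a bare hostname, and a single backslash in `binddn`, which had to be written `\\`) and rewrites them. The sample config is constructed from the thread's directory block; the regexes and the naive comment stripping are assumptions of this example, not ypldap's parser.

```python
import re

# Constructed sample (not a file from the thread): the directory block the thread
# started with, carrying both pitfalls: a URL in "directory", lone backslash in binddn.
SAMPLE_CONF = r'''# Global settings
domain "samba.domain.com"
interval 3600
provide map "passwd.byname"
# Directory declaration
directory "ldap://DC1.samba.domain.com:389" {
    binddn "DOMAIN\Administrator"
    bindcred "password"
    basedn "dc=samba,dc=domain,dc=com"
}
'''

# scheme://host[:port][/]  -> group(2) is the bare host that ypldap.conf wants
URL_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*)://([^/:]+)(?::\d+)?/?$')
DIRECTORY_RE = re.compile(r'^(\s*directory\s+")([^"]*)(".*)$')
BINDDN_RE = re.compile(r'^(\s*binddn\s+")([^"]*)(".*)$')

def has_lone_backslash(value):
    """True if any run of backslashes has odd length, i.e. one is not escaped."""
    return any(len(run) % 2 for run in re.findall(r'\\+', value))

def lint_ypldap_conf(text):
    """Return (line_no, message) pairs for the two pitfalls found in the thread."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0]  # naive comment strip; values here contain no '#'
        m = DIRECTORY_RE.match(line)
        if m and URL_RE.match(m.group(2)):
            findings.append((n, 'directory takes a hostname, not a URL'))
        m = BINDDN_RE.match(line)
        if m and has_lone_backslash(m.group(2)):
            findings.append((n, 'binddn has an unescaped backslash; write \\\\ for \\'))
    return findings

def fix_ypldap_conf(text):
    """Keep only the host of a directory URL (the :389 in the thread is the LDAP
    default anyway) and double every lone backslash in binddn."""
    out = []
    for raw in text.splitlines():
        m = DIRECTORY_RE.match(raw)
        if m and URL_RE.match(m.group(2)):
            raw = m.group(1) + URL_RE.match(m.group(2)).group(2) + m.group(3)
        m = BINDDN_RE.match(raw)
        if m and has_lone_backslash(m.group(2)):
            fixed = re.sub(r'\\+', lambda r: r.group(0) + ('\\' if len(r.group(0)) % 2 else ''), m.group(2))
            raw = m.group(1) + fixed + m.group(3)
        out.append(raw)
    return '\n'.join(out) + '\n'
```

Running `lint_ypldap_conf(SAMPLE_CONF)` reports lines 6 and 7; `fix_ypldap_conf` returns the config with `directory "DC1.samba.domain.com" {` and `binddn "DOMAIN\\Administrator"`, which the linter then passes clean.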
Re: ypldap.conf help - was: Samba4 and OpenBSD
On Mon, Jan 11, 2016 at 9:37 AM, Stuart Henderson wrote:
> On 2016-01-11, Theodore Wynnychenko wrote:
>> directory "ldap://DC1.samba.domain.com:389" {
>
> afaik this just takes a hostname, not a URL.

Confirmed. And see also:
http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client

Ciao!
David
--

Thanks for the advice.

So, replacing the '-H "ldap://DC1.samba.domain.com:389"' with '-h "DC1.samba.domain.com"' in ldapsearch works. e.g.:

    ldapsearch -x -h "DC1.samba.domain.com" -D "DOMAIN\Administrator" -w "password" -b "dc=samba,dc=domain,dc=com" "(objectClass=group)"
    ...
    # search result
    search: 2
    result: 0 Success

    # numResponses: 8
    # numEntries: 4
    # numReferences: 3

ldapsearch also works if I use '-h "localhost"' or '-h "127.0.0.1"' or '-h "xxx.yyy.zzz.aaa"'.

But, when I replace the directory line in ypldap.conf with:

    directory "DC1.samba.domain.com"

or "localhost" or "127.0.0.1" or the IP address, and start ypldap -dv, I get:

    # ypldap -dv
    startup [debug mode]
    configuration starting
    applying configuration
    connecting to directories
    starting directory update
    searching password entries
    directory DC1.samba.domain.com errored out in search

and it hangs; after a manual break:

    ldap client exiting
    dns engine exiting
    ---

The "errored out in search" line changes based on the directory value from ypldap.conf.

I was wondering if there might be something "different" about the ldap server included with samba4; but 'man ldapsearch' confirms that it is not anything "special" from samba, but comes from OpenLDAP:

    man ldapsearch
    ...
    ACKNOWLEDGEMENTS
           OpenLDAP Software is developed and maintained by The OpenLDAP Project
           <http://www.openldap.org/>. OpenLDAP Software is derived from
           University of Michigan LDAP 3.3 Release.

    OpenLDAP 2.4.43                  2015/11/30                    LDAPSEARCH(1)

Therefore, it seems to me that if "this" ldapsearch can get information out of the samba ldap server, then ypldap should be able to as well. Right?

A search for the error message above doesn't really lead me anywhere.

Any ideas what the error means?

Thanks again

    cat ypldap.conf
    ...
    # Global settings
    domain "samba.domain.com"
    interval 3600

    # Specify the maps that ypldap should provide
    provide map "passwd.byname"
    provide map "passwd.byuid"
    provide map "group.byname"

    # Directory declaration
    directory "DC1.samba.domain.com" {
        binddn "DOMAIN\Administrator"
        bindcred "password"
        basedn "dc=samba,dc=domain,dc=com"

        # passwd maps configuration
        passwd filter "(objectClass=posixAccount)"
        attribute name maps to "uid"
        fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute home maps to "homeDirectory"
        attribute gecos maps to "gecos"
        # LDAP users are not interactive system users
        fixed attribute shell "/sbin/nologin"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class "default"

        # group maps configuration
        group filter "(objectClass=group)"
        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        fixed attribute groupgid "*"
        list groupmembers maps to "member"
    }
Re: ypldap.conf help - was: Samba4 and OpenBSD
On Mon, Jan 11, 2016 at 9:37 AM, Stuart Henderson wrote:
> On 2016-01-11, Theodore Wynnychenko wrote:
>> directory "ldap://DC1.samba.domain.com:389" {
>
> afaik this just takes a hostname, not a URL.

Confirmed. And see also:
http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client

Ciao!
David
--
"If you try a few times and give up, you'll never get there. But if you
keep at it... There's a lot of problems in the world which can really be
solved by applying two or three times the persistence that other people
will." -- Stewart Nelson
Re: ypldap.conf help - was: Samba4 and OpenBSD
On 2016-01-11, Theodore Wynnychenko wrote:
> directory "ldap://DC1.samba.domain.com:389" {

afaik this just takes a hostname, not a URL.
ypldap.conf help - was: Samba4 and OpenBSD
Hello again:

First, I will try to document what I did to get samba up as an AD DC in the next few days (I will note, as an older mail post stated, it takes a "LONG" time for it to start up when the system boots).

But, I am hoping that someone can help me understand where my ypldap problem is. As I said:

- While it seems that I can get all the parts running, I am unable to pull account information from samba's ldap server through ypldap (no domain accounts with 'getent passwd', only local accounts). (I probably don't understand it well enough to set up ypldap.conf correctly?)

- So, all from one of the machines that is a DC (OpenBSD 5.9 GENERIC.MP#1783 amd64 with samba from packages (Version 4.1.22).

First, from the command line, I am able to get data from the ldap server included with samba. For example:

    ldapsearch -x -H "ldap://DC1.samba.domain.com:389" -D "DOMAIN\Administrator" -w "password" -b "dc=samba,dc=domain,dc=com" "(objectClass=posixAccount)"

spits out a list of users to the terminal:

    ...
    # search result
    search: 2
    result: 0 Success

    # numResponses: 8
    # numEntries: 4
    # numReferences: 3
    ---

And:

    ldapsearch -x -H "ldap://DC1.samba.domain.com:389" -D "DOMAIN\Administrator" -w "password" -b "dc=samba,dc=domain,dc=com" "(objectClass=group)"

gives me:

    ...
    # search result
    search: 2
    result: 0 Success

    # numResponses: 42
    # numEntries: 38
    # numReferences: 3
    ---

Using this, I tried to setup ypldap.conf like this:

    # Global settings
    domain "samba.domain.com"
    interval 3600

    # Specify the maps that ypldap should provide
    provide map "passwd.byname"
    provide map "passwd.byuid"
    provide map "group.byname"

    # Directory declaration
    directory "ldap://DC1.samba.domain.com:389" {
        binddn "DOMAIN\Administrator"
        bindcred "password"
        basedn "dc=samba,dc=domain,dc=com"

        # passwd maps configuration
        passwd filter "(objectClass=posixAccount)"
        attribute name maps to "uid"
        fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute home maps to "homeDirectory"
        attribute gecos maps to "gecos"
        # LDAP users are not interactive system users
        fixed attribute shell "/sbin/nologin"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class "default"

        # group maps configuration
        group filter "(objectClass=group)"
        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        fixed attribute groupgid "*"
        list groupmembers maps to "member"
    }

ypldap -n says the configuration is OK.

But, when I try to run it (after "domainname samba.domain.com" and "ypinit -m samba.domain.com" and starting portmap):

    # ypldap -dv

I get:

    ---
    startup [debug mode]
    configuration starting
    applying configuration
    connecting to directories
    starting directory update
    ---

and the terminal hangs for longer than it took me to write this email. When I manually break it, I get:

    ---
    ldap client exiting
    dns engine exiting
    ---

It seems to me that I am doing something wrong in setting up ypldap.conf; but, after spending most of the day (on and off) trying various configuration changes, nothing has changed.

I did change the group map configuration since it appears (to me) that the samba ldap database does not provide GID for "group" entries; but, I don't think that's the problem, is it?

Any ideas would be appreciated.

Thanks
Re: ypldap.conf
Hi,

I wonder if your ldap database is configured correctly. If openldap server, /etc/openldap/slapd.conf should contain

    suffix "dc=ufv,dc=br"
    rootdn "cn=admin,dc=ufy,dc=br"

or if ldapd, /etc/ldapd.conf

    namespace "dc=ufv,dc=br" {
        rootdn "cn=admin,dc=ufy,dc=br"

If you included ou=appsrv in the suffix / namespace, for example as ou=appsrv,dc=ufy,dc=br, that wouldn't work.

I setup ldapd, and populated the database (with data used with openldap server before).

    namespace dc=my,dc=internal,dc=local

    ldapsearch -H ldapi://%2fvar%2frun%2fldapi -W -D cn=admin,dc=my,dc=internal,dc=local -b dc=my,dc=internal,dc=local
    185 Entries

    ldapsearch -H ldapi://%2fvar%2frun%2fldapi -W -D cn=admin,dc=my,dc=internal,dc=local -b dc=my,dc=internal,dc=local '(ObjectClass=posixGroup)'
    27 Entries

    ldapsearch -H ldapi://%2fvar%2frun%2fldapi -W -D cn=admin,dc=my,dc=internal,dc=local -b dc=my,dc=internal,dc=local '(ObjectClass=posixAccount)'
    154 Entries

27 Group + 154 Users + 4 ou's = 185

Your search should have worked.

Regards

Nigel Taylor

On 07/04/11 23:38, Friedrich Locke wrote:
> I am trying to set my base dn to the dc=ufv,dc=br but i cannot retrieve
> group information, here you have it:
>
> Using the full DN, it works ok!
>
>     sioux@gustav$ ldapsearch -x -w XYZ -D cn=ypldap,ou=appsrv,dc=ufv,dc=br -b ou=group,dc=ufv,dc=br '(objectClass=posixGroup)'
>
> But when i take out ou=group:
>
>     sioux@gustav$ ldapsearch -x -w XYZ -D cn=ypldap,ou=appsrv,dc=ufv,dc=br -b dc=ufv,dc=br '(objectClass=posixGroup)'
>
> It does not work.
>
> Any suggestion(s)?
>
> On Mon, Jul 4, 2011 at 7:09 PM, Nigel Taylor wrote:
>> On 07/04/11 21:30, Friedrich Locke wrote:
>>> Hi,
>>>
>>> I am trying to get ypldap.conf running and i had a doubt reading
>>> ypldap.conf man page. I configured my ldap server as:
>>>
>>> ou=people,dc=ufv,dc=br holding entries for posixAccount, and
>>> ou=groups,dc=ufv,dc=br holding entries for posixGroup.
>>>
>>> AFAIK, ypldap.conf has only a single "basedn" directive. Due to my
>>> lack of experience i got confused.
>>>
>>> I would be glad to learn from your experience implementing ypldap if
>>> you would like to share it.
>>>
>>> Thanks once more.
>>>
>>> Friedrich.
>>
>> Hi,
>>
>> ou organizational unit, is only relevant if you have multiple. So for the
>> search base you can omit the ou; you'll find all in ObjectClass posixGroup or
>> posixAccount. If you had posixAccount in an ou=Sales and ou=Engineering and
>> wanted to restrict the query to one of those ou's then you give the ou.
>>
>> Rather than "groups" the ou generally is called "group".
>>
>> The basedn "dc=ufv,dc=br" is all that is required; for more complex you can
>> put in the filter,
>>
>>     group filter "(&(ObjectClass=PosixGroup)(ou=group))"
>>
>> as all PosixGroup are in the ou group, so ou=group is always true, reduces to
>>
>>     group filter "(ObjectClass=PosixGroup)"
>>
>> Example extract from my LDIF file...
>>
>>     dn: ou=people,dc=my,dc=internal,dc=local
>>     objectClass: organizationalUnit
>>     ou: people
>>
>>     dn: ou=group,dc=my,dc=internal,dc=local
>>     objectClass: organizationalUnit
>>     ou: group
>>
>>     .
>>
>>     dn: cn=napops,ou=group,dc=my,dc=internal,dc=local
>>     objectClass: posixGroup
>>     objectClass: top
>>     cn: napops
>>     gidNumber: 5025
>>     memberUid: dmell01
>>     memberUid: npope01
>>
>>     .
>>
>>     dn: uid=npope01,ou=people,dc=my,dc=internal,dc=local
>>     uid: npope01
>>     cn: Neil Pope
>>     objectClass: account
>>     objectClass: posixAccount
>>     objectClass: top
>>     uidNumber: 5058354
>>     gidNumber: 5069
>>     gecos: Neil Pope
>>     homeDirectory: /home/npres01
>>     loginShell: /bin/ksh
>>
>>     .
>>
>> Regards
>>
>> Nigel Taylor
Re: ypldap.conf
I am trying to set my base dn to the dc=ufv,dc=br but i cannot retrieve group information, here you have it:

Using the full DN, it works ok!

    sioux@gustav$ ldapsearch -x -w XYZ -D cn=ypldap,ou=appsrv,dc=ufv,dc=br -b ou=group,dc=ufv,dc=br '(objectClass=posixGroup)'

But when i take out ou=group:

    sioux@gustav$ ldapsearch -x -w XYZ -D cn=ypldap,ou=appsrv,dc=ufv,dc=br -b dc=ufv,dc=br '(objectClass=posixGroup)'

It does not work.

Any suggestion(s)?

On Mon, Jul 4, 2011 at 7:09 PM, Nigel Taylor wrote:
> On 07/04/11 21:30, Friedrich Locke wrote:
>>
>> Hi,
>>
>> I am trying to get ypldap.conf running and i had a doubt reading
>> ypldap.conf man page. I configured my ldap server as:
>>
>> ou=people,dc=ufv,dc=br holding entries for posixAccount, and
>> ou=groups,dc=ufv,dc=br holding entries for posixGroup.
>>
>> AFAIK, ypldap.conf has only a single "basedn" directive. Due to my
>> lack of experience i got confused.
>> I would be glad to learn from your experience implementing ypldap if
>> you would like to share it.
>>
>> Thanks once more.
>>
>> Friedrich.
>>
>>
> Hi,
>
> ou organizational unit, is only relevant if you have multiple. So for the
> search base you can omit the ou; you'll find all in ObjectClass posixGroup or
> posixAccount. If you had posixAccount in an ou=Sales and ou=Engineering and
> wanted to restrict the query to one of those ou's then you give the ou.
>
> Rather than "groups" the ou generally is called "group".
>
> The basedn "dc=ufv,dc=br" is all that is required; for more complex you can
> put in the filter,
>
>     group filter "(&(ObjectClass=PosixGroup)(ou=group))"
>
> as all PosixGroup are in the ou group, so ou=group is always true, reduces to
>
>     group filter "(ObjectClass=PosixGroup)"
>
> Example extract from my LDIF file...
>
>     dn: ou=people,dc=my,dc=internal,dc=local
>     objectClass: organizationalUnit
>     ou: people
>
>     dn: ou=group,dc=my,dc=internal,dc=local
>     objectClass: organizationalUnit
>     ou: group
>
>     .
>
>     dn: cn=napops,ou=group,dc=my,dc=internal,dc=local
>     objectClass: posixGroup
>     objectClass: top
>     cn: napops
>     gidNumber: 5025
>     memberUid: dmell01
>     memberUid: npope01
>
>     .
>
>     dn: uid=npope01,ou=people,dc=my,dc=internal,dc=local
>     uid: npope01
>     cn: Neil Pope
>     objectClass: account
>     objectClass: posixAccount
>     objectClass: top
>     uidNumber: 5058354
>     gidNumber: 5069
>     gecos: Neil Pope
>     homeDirectory: /home/npres01
>     loginShell: /bin/ksh
>
>     .
>
>
> Regards
>
> Nigel Taylor
ypldap.conf
Hi,

I am trying to get ypldap.conf running and i had a doubt reading ypldap.conf man page. I configured my ldap server as:

    ou=people,dc=ufv,dc=br holding entries for posixAccount, and
    ou=groups,dc=ufv,dc=br holding entries for posixGroup.

AFAIK, ypldap.conf has only a single "basedn" directive. Due to my lack of experience i got confused.

I would be glad to learn from your experience implementing ypldap if you would like to share it.

Thanks once more.

Friedrich.
Valid ypldap.conf for Active Directory
Does anyone have a working ypldap.conf that can work with AD? Here's mine:

    # cat /etc/ypldap.conf
    interval 100
    domain "osalva.net"
    provide map "passwd.byname"
    provide map "passwd.byuid"
    provide map "group.byname"
    provide map "group.bygid"

    directory "ad.osalva.net" {
        # directory options
        binddn "uxs...@osalva.net"
        bindcred "pass123"
        basedn "ou=UNIX,dc=osalva,dc=net"

        # passwd maps configuration
        passwd filter "(&(objectClass=user))"
        attribute name maps to "uid"
        fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute gecos maps to "cn"
        attribute home maps to "homeDirectory"
        fixed attribute shell "/bin/ksh"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class "ldap"

        # group maps configuration
        group filter "(objectClass=group)"
        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        attribute groupgid maps to "gidNumber"
        list groupmembers maps to "memberUid"
    }

ypldap -dv gets stuck at:

    # ypldap -dv
    startup [debug mode]
    configuration starting
    applying configuration
    connecting to directories
    starting directory update
    updates are over, cleaning up trees now
    flattening trees

Running ldapsearch returns the info I want, but there might be something wrong with ypldap configuration. Please let me know if you have any working setup.

Regards,
--
Eduardo Alvarenga