Re: ypldap.conf help - was: Samba4 and OpenBSD

2016-01-11 Thread Theodore Wynnychenko
Oh, my mistake.
Needed to change:

binddn"WYNNYCHENKO\Administrator"

to

binddn"WYNNYCHENKO\\Administrator"

also.

Now, when I start ypldap:

# ypldap -dv
...
startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
searching password entries
searching group entries
updates are over, cleaning up trees now
flattening trees
---

So, at least I seem to be moving forward.
Thanks


-Original Message-
From: Theodore Wynnychenko [mailto:t...@uchicago.edu]
Sent: Monday, January 11, 2016 9:21 AM
To: 'misc'
Subject: RE: ypldap.conf help - was: Samba4 and OpenBSD


[demime 1.01d removed an attachment of type application/x-pkcs7-signature which 
had a name of smime.p7s]
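The two configuration fixes this thread converged on (the `directory` value is a bare hostname, not an `ldap://` URL, and a backslash inside a quoted value such as DOMAIN\Administrator has to be written doubled) can be checked mechanically before restarting ypldap. The following Python script is an added example, not code from the thread or from OpenBSD's ypldap; its config parser is a small approximation of ypldap.conf syntax (one quoted directive per line, whole-line `#` comments), it assumes that ypldap.conf strings treat backslash as an escape character as Theodore's fix implies, and the sample configuration embedded in it is constructed from the one posted in the thread.

```python
"""Lint for the two ypldap.conf pitfalls this thread ran into.

Added example, not code from the thread or from OpenBSD's ypldap.  It models
only a sliver of ypldap.conf syntax (one quoted directive per line, whole-line
'#' comments) and checks the two fixes the thread arrived at:
  * `directory` takes a hostname, not an ldap:// URL
  * a backslash inside a quoted value (DOMAIN\\Administrator) must be doubled
    (assumes ypldap.conf strings treat backslash as an escape, as the fix implies)
"""
import re
from urllib.parse import urlsplit

# `\s*` between keyword and value: the posted config had the separating tab
# collapsed (binddn"DOMAIN\Administrator") and we still want to inspect it.
DIRECTIVE_RE = re.compile(
    r'^\s*(directory|binddn|bindcred|basedn)\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample modelled on the posted configuration; not a real site.
SAMPLE_CONF = '''\
# constructed sample reproducing the thread's two mistakes
domain   "samba.domain.com"
interval 3600
provide map  "passwd.byname"
directory "ldap://DC1.samba.domain.com:389" {
    binddn    "DOMAIN\\Administrator"
    bindcred  "password"
    basedn    "dc=samba,dc=domain,dc=com"
    passwd filter "(objectClass=posixAccount)"
}
'''

def has_lone_backslash(value):
    """True if value contains a backslash that is not half of an escaped pair."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            if value.startswith("\\\\", i):
                i += 2          # already escaped: skip the pair
                continue
            return True
        i += 1
    return False

def double_lone_backslashes(value):
    """Turn DOMAIN\\user into DOMAIN\\\\user, leaving existing pairs untouched."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append("\\\\")
            i += 2 if value.startswith("\\\\", i) else 1
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def suggest(key, value):
    """Return the value ypldap expects, or the value unchanged if it is fine."""
    if key == "directory" and "://" in value:
        # keep the host's case as written (urlsplit().hostname would lowercase it)
        return urlsplit(value).netloc.split("@")[-1].split(":")[0]
    if key == "binddn" and has_lone_backslash(value):
        return double_lone_backslashes(value)
    return value

def lint(conf_text):
    """Return one dict per problem: line number, directive, value and suggestion."""
    problems = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        fixed = suggest(key, value)
        if fixed != value:
            problems.append({"line": lineno, "key": key, "got": value, "suggest": fixed})
    return problems

def apply_fixes(conf_text):
    """Return the configuration with every flagged value replaced by its suggestion."""
    out = []
    for line in conf_text.splitlines():
        m = None if line.lstrip().startswith("#") else DIRECTIVE_RE.match(line)
        if m:
            fixed = suggest(m.group(1), m.group(2))
            line = line[:m.start(2)] + fixed + line[m.end(2):]
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for p in lint(SAMPLE_CONF):
        print(f"line {p['line']}: {p['key']} {p['got']!r} -> {p['suggest']!r}")
    print(apply_fixes(SAMPLE_CONF), end="")
```

Run against the sample it reports the `directory` URL on line 5 and the single backslash in `binddn` on line 6, and `apply_fixes` produces a file that lints clean; `ypldap -n` remains the authority on whether the result parses, since this checker only looks at the four quoted-string directives.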



Re: ypldap.conf help - was: Samba4 and OpenBSD

2016-01-11 Thread Theodore Wynnychenko
On Mon, Jan 11, 2016 at 9:37 AM, Stuart Henderson  wrote:
> On 2016-01-11, Theodore Wynnychenko  wrote:
>> directory "ldap://DC1.samba.domain.com:389" {
>
> afaik this just takes a hostname, not a URL.

Confirmed.

And see also:

http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client

Ciao!
David
-- 


Thanks for the advice.

So, replacing the '-H "ldap://DC1.samba.domain.com:389"' with '-h
"DC1.samba.domain.com"' in ldapsearch works.

e.g.:  ldapsearch -x -h "DC1.samba.domain.com" -D "DOMAIN\Administrator" -w 
"password" -b "dc=samba,dc=domain,dc=com" "(objectClass=group)"

...
# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 4
# numReferences: 3
-

ldapsearch also works if I use '-h "localhost"' or '-h "127.0.0.1"' or '-h 
"xxx.yyy.zzz.aaa"'.

But, when I replace the directory line in ypldap.conf to:

directory "DC1.samba.domain.com"

or "localhost" or "127.0.0.1" or the IP address; and start ypldap -dv, I get:

# ypldap -dv
startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
searching password entries
directory DC1.samba.domain.com errored out in search

and it hangs; after a manual break:

ldap client exiting
dns engine exiting
---

The "errored out in search" line changes based on the directory value from 
ypldap.conf.

I was wondering if there might be something "different" about the ldap server 
included with samba4; but 'man ldapsearch' confirms that it is not anything 
"special" from samba, but comes from OpenLDAP:

man ldapsearch
...
ACKNOWLEDGEMENTS
   OpenLDAP Software is developed and maintained by The OpenLDAP Project
   <http://www.openldap.org/>.  OpenLDAP Software is derived from
   University of Michigan LDAP 3.3 Release.

OpenLDAP 2.4.43   2015/11/30 LDAPSEARCH(1)


Therefore, it seems to me that if "this" ldapsearch can get information out of
the samba ldap server, then ypldap should be able to as well.  Right?

A search for the error message above doesn't really lead me anywhere.  Any
ideas what the error means?

Thanks again



cat ypldap.conf
...
# Global settings
domain   "samba.domain.com"
interval 3600

# Specify the maps that ypldap should provide
provide map  "passwd.byname"
provide map  "passwd.byuid"
provide map  "group.byname"

# Directory declaration
directory "DC1.samba.domain.com" {
binddn"DOMAIN\Administrator"
bindcred  "password"
basedn"dc=samba,dc=domain,dc=com"

# passwd maps configuration
passwd filter "(objectClass=posixAccount)"

attribute name maps to "uid"
fixed attribute passwd "*"
attribute uid maps to "uidNumber"
attribute gid maps to "gidNumber"
attribute home maps to "homeDirectory"
attribute gecos maps to "gecos"
# LDAP users are not interactive system users
fixed attribute shell "/sbin/nologin"
fixed attribute change "0"
fixed attribute expire "0"
fixed attribute class "default"

# group maps configuration
group filter "(objectClass=group)"

attribute groupname maps to "cn"
fixed attribute grouppasswd "*"
fixed attribute groupgid "*"
list groupmembers maps to "member"
}




Re: ypldap.conf help - was: Samba4 and OpenBSD

2016-01-11 Thread David Coppa
On Mon, Jan 11, 2016 at 9:37 AM, Stuart Henderson  wrote:
> On 2016-01-11, Theodore Wynnychenko  wrote:
>> directory "ldap://DC1.samba.domain.com:389" {
>
> afaik this just takes a hostname, not a URL.

Confirmed.

And see also:

http://obfuscurity.com/2009/08/OpenBSD-as-an-LDAP-Client

Ciao!
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: ypldap.conf help - was: Samba4 and OpenBSD

2016-01-11 Thread Stuart Henderson
On 2016-01-11, Theodore Wynnychenko  wrote:
> directory "ldap://DC1.samba.domain.com:389" {

afaik this just takes a hostname, not a URL.



ypldap.conf help - was: Samba4 and OpenBSD

2016-01-10 Thread Theodore Wynnychenko
Hello again:

First, I will try to document what I did to get samba up as an AD DC in the next
few days (I will note, as an older mail post stated, it takes a "LONG" time for
it to start up when the system boots).

But, I am hoping that someone can help me understand where my ypldap problem is.
As I said:

-
While it seems that I can get all the parts running, I am unable to pull account
information from samba's ldap server through ypldap (no domain accounts with
'getent passwd', only local accounts).  (I probably don't understand it well
enough to set up ypldap.conf correctly?)

-

So, all from one of the machines that is a DC (OpenBSD 5.9 GENERIC.MP#1783
amd64, with samba from packages, version 4.1.22).

First, from the command line, I am able to get data from the ldap server
included with samba.  For example:

ldapsearch -x -H "ldap://DC1.samba.domain.com:389" -D "DOMAIN\Administrator" -w
"password" -b "dc=samba,dc=domain,dc=com" "(objectClass=posixAccount)"

spits out a list of users to the terminal:
...
# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 4
# numReferences: 3

---

And:

ldapsearch -x -H "ldap://DC1.samba.domain.com:389" -D "DOMAIN\Administrator" -w
"password" -b "dc=samba,dc=domain,dc=com" "(objectClass=group)"

gives me:
...
# search result
search: 2
result: 0 Success

# numResponses: 42
# numEntries: 38
# numReferences: 3

---

Using this, I tried to set up ypldap.conf like this:

# Global settings
domain   "samba.domain.com"
interval 3600

# Specify the maps that ypldap should provide
provide map  "passwd.byname"
provide map  "passwd.byuid"
provide map  "group.byname"

# Directory declaration
directory "ldap://DC1.samba.domain.com:389" {
binddn"DOMAIN\Administrator"
bindcred  "password"
basedn"dc=samba,dc=domain,dc=com"

# passwd maps configuration
passwd filter "(objectClass=posixAccount)"

attribute name maps to "uid"
fixed attribute passwd "*"
attribute uid maps to "uidNumber"
attribute gid maps to "gidNumber"
attribute home maps to "homeDirectory"
attribute gecos maps to "gecos"
# LDAP users are not interactive system users
fixed attribute shell "/sbin/nologin"
fixed attribute change "0"
fixed attribute expire "0"
fixed attribute class "default"

# group maps configuration
group filter "(objectClass=group)"

attribute groupname maps to "cn"
fixed attribute grouppasswd "*"
fixed attribute groupgid "*"
list groupmembers maps to "member"
}


ypldap -n says the configuration is OK.

But, when I try to run it (after "domainname samba.domain.com" and "ypinit -m
samba.domain.com" and starting portmap):

# ypldap -dv

I get:
---
startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
---
and the terminal hangs for longer than it took me to write this email.
When I manually break it, I get:
---
ldap client exiting
dns engine exiting
---

It seems to me that I am doing something wrong in setting up ypldap.conf; but,
after spending most of the day (on and off) trying various configuration
changes, nothing has changed.  I did change the group map configuration since
it appears (to me) that the samba ldap database does not provide a GID for "group"
entries; but, I don't think that's the problem, is it?

Any ideas would be appreciated.

Thanks




Re: ypldap.conf

2011-07-04 Thread Nigel Taylor

Hi,

I wonder if your ldap database is set up correctly. If it is openldap server,
/etc/openldap/slapd.conf should contain


suffix "dc=ufv,dc=br"
rootdn "cn=admin,dc=ufy,dc=br"

or, if ldapd, /etc/ldapd.conf

namespace "dc=ufv,dc=br" {
   rootdn "cn=admin,dc=ufy,dc=br"

If you included ou=appsrv in the suffix / namespace for example as 
ou=appsrv,dc=ufy,dc=br that wouldn't work.



I set up ldapd, and populated the database (with data used with openldap
server before). namespace dc=my,dc=internal,dc=local


ldapsearch -H ldapi://%2fvar%2frun%2fldapi -W -D 
cn=admin,dc=my,dc=internal,dc=local -b dc=my,dc=internal,dc=local


185 Entries

ldapsearch -H ldapi://%2fvar%2frun%2fldapi -W -D 
cn=admin,dc=my,dc=internal,dc=local -b dc=my,dc=internal,dc=local 
'(ObjectClass=posixGroup)'


27 Entries

ldapsearch -H ldapi://%2fvar%2frun%2fldapi -W -D 
cn=admin,dc=my,dc=internal,dc=local -b dc=my,dc=internal,dc=local 
'(ObjectClass=posixAccount)'


154 Entries

27 Group + 154 Users + 4 ou's = 185

Your search should have worked.

Regards

Nigel Taylor

On 07/04/11 23:38, Friedrich Locke wrote:





Re: ypldap.conf

2011-07-04 Thread Friedrich Locke
I am trying to set my base dn to dc=ufv,dc=br but I cannot
retrieve group information; here you have it:

Using the full DN, it works ok!

sioux@gustav$ ldapsearch -x -w XYZ -D cn=ypldap,ou=appsrv,dc=ufv,dc=br
-b ou=group,dc=ufv,dc=br '(objectClass=posixGroup)'

But when i take out ou=group:

sioux@gustav$ ldapsearch -x -w XYZ -D cn=ypldap,ou=appsrv,dc=ufv,dc=br
-b dc=ufv,dc=br '(objectClass=posixGroup)'

It does not work.

Any suggestion(s)?


On Mon, Jul 4, 2011 at 7:09 PM, Nigel Taylor wrote:
> On 07/04/11 21:30, Friedrich Locke wrote:
>>
>> Hi,
>>
>> I am trying to get ypldap.conf running and I had a doubt reading the
>> ypldap.conf man page. I configured my ldap server as:
>>
>> ou=people,dc=ufv,dc=br holding entries for posixAccount, and
>> ou=groups,dc=ufv,dc=br holding entries for posixGroup.
>>
>> AFAIK, ypldap.conf has only a single "basedn" directive. Due to my
>> lack of experience I got confused.
>> I would be glad to learn from your experience implementing ypldap if
>> you would like to share it.
>>
>> Thanks once more.
>>
>> Friedrich.
>>
>>
> Hi,
>
> ou, organizational unit, is only relevant if you have multiple. So for the
> search base you can omit the ou; you'll find all in ObjectClass posixGroup or
> posixAccount. If you had posixAccount in an ou=Sales and ou=Engineering and
> wanted to restrict the query to one of those ou's then you give the ou.
>
> Rather than "groups" the ou generally is called "group".
>
> The basedn "dc=ufv,dc=br" is all that is required; for more complex cases you
> can put it in the filter,
> group filter "(&(ObjectClass=PosixGroup)(ou=group))"
>
> as all PosixGroup are in the ou group, ou=group is always true, so it reduces
> to:
>
> group filter "(ObjectClass=PosixGroup)"
>
> Example extract from my LDIF file...
>
> dn: ou=people,dc=my,dc=internal,dc=local
> objectClass: organizationalUnit
> ou: people
>
> dn: ou=group,dc=my,dc=internal,dc=local
> objectClass: organizationalUnit
> ou: group
>
> .
> dn: cn=napops,ou=group,dc=my,dc=internal,dc=local
> objectClass: posixGroup
> objectClass: top
> cn: napops
> gidNumber: 5025
> memberUid: dmell01
> memberUid: npope01
> .
>
> dn: uid=npope01,ou=people,dc=my,dc=internal,dc=local
> uid: npope01
> cn: Neil Pope
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> uidNumber: 5058354
> gidNumber: 5069
> gecos: Neil Pope
> homeDirectory: /home/npres01
> loginShell: /bin/ksh
> .
>
>
> Regards
>
> Nigel Taylor
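Nigel's answer quoted above, that a single basedn of dc=ufv,dc=br reaches the posixGroup entries under ou=group without naming the ou, can be checked against the LDIF extract he posted; his filters also write ObjectClass=PosixGroup in mixed case, which works because LDAP compares objectClass values case-insensitively. The following Python script is an added example, not code from the thread, ypldap or ldapd: it parses his LDIF (embedded here as constructed sample data), implements LDAP base/one/sub scope over DNs plus an equality filter and the (&...) combinator, and runs the searches Friedrich asked about. It does not handle LDIF line folding, base64 (`::`) values or escaped commas in DNs.

```python
"""Subtree search over an LDIF extract, modelling the basedn question above.

Added example; not code from the thread, ypldap or ldapd.  The entries are the
extract Nigel posted, reused here as constructed sample data, and the search is
a minimal model of LDAP scope and equality filters.  objectClass values are
compared case-insensitively, as LDAP does, so ObjectClass=PosixGroup matches.
Not handled: LDIF line folding, base64 (::) values, escaped commas in DNs.
"""
import re

SAMPLE_LDIF = """\
dn: ou=people,dc=my,dc=internal,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=my,dc=internal,dc=local
objectClass: organizationalUnit
ou: group

dn: cn=napops,ou=group,dc=my,dc=internal,dc=local
objectClass: posixGroup
objectClass: top
cn: napops
gidNumber: 5025
memberUid: dmell01
memberUid: npope01

dn: uid=npope01,ou=people,dc=my,dc=internal,dc=local
uid: npope01
cn: Neil Pope
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 5058354
gidNumber: 5069
gecos: Neil Pope
homeDirectory: /home/npres01
loginShell: /bin/ksh
"""

def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {lowercased attr: [values]}}."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def rdns(dn):
    """Split a DN into normalised RDN strings, most specific first."""
    return [re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in dn.split(",")]

def in_scope(dn, base, scope):
    """LDAP scope semantics: base, one (direct children) or sub (whole subtree)."""
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                        # not under base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def eq(attr, value):
    """Equality filter (attr=value); values compared case-insensitively."""
    a, v = attr.lower(), value.lower()
    return lambda e: v in (x.lower() for x in e["attrs"].get(a, []))

def all_of(*preds):
    """The (&(...)(...)) combinator."""
    return lambda e: all(p(e) for p in preds)

def search(entries, base, flt, scope="sub"):
    """Return the DNs of entries under base (per scope) that satisfy flt."""
    return [e["dn"] for e in entries if in_scope(e["dn"], base, scope) and flt(e)]

if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    # One basedn at the top of the tree reaches both ou=group and ou=people.
    print(search(db, "dc=my,dc=internal,dc=local", eq("ObjectClass", "PosixGroup")))
    print(search(db, "dc=my,dc=internal,dc=local", eq("objectClass", "posixAccount")))
```

With the base set to dc=my,dc=internal,dc=local and subtree scope, the posixGroup search returns cn=napops under ou=group and the posixAccount search returns uid=npope01 under ou=people, which is why ypldap gets by with its single `basedn`; narrowing the base to ou=people makes the group search return nothing, as Friedrich saw when the base and the ou disagreed. A scope of "one" only lists the two ou entries, so if a client ever searched with one-level scope the single basedn would not be enough.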



ypldap.conf

2011-07-04 Thread Friedrich Locke
Hi,

I am trying to get ypldap.conf running and I had a doubt reading the
ypldap.conf man page. I configured my ldap server as:

ou=people,dc=ufv,dc=br holding entries for posixAccount, and
ou=groups,dc=ufv,dc=br holding entries for posixGroup.

AFAIK, ypldap.conf has only a single "basedn" directive. Due to my
lack of experience I got confused.
I would be glad to learn from your experience implementing ypldap if
you would like to share it.

Thanks once more.

Friedrich.



Valid ypldap.conf for Active Directory

2009-07-09 Thread Eduardo Alvarenga
Does anyone have a working ypldap.conf that can work with AD?

Here's mine:

# cat /etc/ypldap.conf

interval 100
domain "osalva.net"

provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

directory "ad.osalva.net" {
   # directory options
   binddn "uxs...@osalva.net"
   bindcred "pass123"
   basedn "ou=UNIX,dc=osalva,dc=net"

   # passwd maps configuration
   passwd filter "(&(objectClass=user))"

   attribute name maps to "uid"
   fixed attribute passwd "*"
   attribute uid maps to "uidNumber"
   attribute gid maps to "gidNumber"
   attribute gecos maps to "cn"
   attribute home maps to "homeDirectory"
   fixed attribute shell "/bin/ksh"
   fixed attribute change "0"
   fixed attribute expire "0"
   fixed attribute class "ldap"

   # group maps configuration
   group filter "(objectClass=group)"

   attribute groupname maps to "cn"
   fixed attribute grouppasswd "*"
   attribute groupgid maps to "gidNumber"
   list groupmembers maps to "memberUid"
}

ypldap -dv gets stuck at:

# ypldap -dv
startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
updates are over, cleaning up trees now
flattening trees

Running ldapsearch returns the info I want, but there might be something
wrong with ypldap configuration.
Please let me know if you have any working setup.


Regards,

--
Eduardo Alvarenga