Need Help on ACL

2013-07-10 Thread pradyumna dash
Hi,

Need some help related to ACL.

I need to set up some basic ACL for LDAP.

I need only Manager to have access to the entire tree, both read and
write, and only users under ou=operation to have read-only access to the tree.
Currently I don't have any ACL in the slapd.conf file.

Would be great if you can share the ACL.

Please help.

Regards,
/Pradyumna
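A worked version of the ACL asked for above, added here as an example; it is not from the thread and not OpenLDAP project code. It assumes the suffix dc=example,dc=com, the rootdn cn=Manager,dc=example,dc=com and an ou=operation,dc=example,dc=com container, none of which appear in the post. The slapd.conf fragment is embedded as a string, and the Python around it is a small model of slapd's evaluation order, so you can reason about what a given bind DN gets before loading the file into a live server:

```python
"""Toy model of slapd.conf access-control evaluation (added example).

Not slapd code and not from the thread. It implements the rules that
matter for the ACL below: the first "access to" clause whose <what>
matches the target is the only one consulted; within it the first
matching <by> wins; each clause ends with an implicit "by * none";
once any ACL exists an implicit "access to * by * none" follows the
last one; and the rootdn is never subject to ACLs. Sets, groups,
peername/ssf selectors and break/stop controls are not modelled.
Suffix, rootdn and the ou=operation container are assumptions.
"""
import re
import shlex

ROOTDN = "cn=Manager,dc=example,dc=com"  # assumption, not from the post

# Constructed slapd.conf fragment answering the post's requirement.
ACL_CONF = """
# Passwords: binding needs 'auth'; nobody, operations included, reads hashes.
access to attrs=userPassword
    by anonymous auth
    by * none

# Everything else: operations staff read-only, everyone else nothing.
# dn.children excludes the ou=operation entry itself; rootdn needs no rule.
access to *
    by dn.children="ou=operation,dc=example,dc=com" read
    by * none
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else None


def _under(dn, base, include_base):
    dn, base = _norm(dn), _norm(base)
    return include_base if dn == base else dn.endswith("," + base)


def parse_acl(text):
    """[{'what': [tokens], 'by': [(who, level), ...]}, ...] in file order."""
    clauses = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            clauses.append({"what": shlex.split(line[len("access to "):]), "by": []})
        else:
            m = re.match(r"by\s+(.+?)\s+(%s)$" % "|".join(LEVELS), line)
            if not m or not clauses:
                raise ValueError("cannot parse: " + line)
            clauses[-1]["by"].append((m.group(1), m.group(2)))
    return clauses


def _what_matches(tokens, target_dn, attr):
    for tok in tokens:
        if tok == "*":
            continue
        key, _, value = tok.partition("=")
        if key == "attrs":
            if attr is None or attr.lower() not in value.lower().split(","):
                return False
        elif key == "dn.subtree":
            if not _under(target_dn, value, True):
                return False
        elif key == "dn.children":
            if not _under(target_dn, value, False):
                return False
        elif key in ("dn", "dn.exact"):
            if _norm(target_dn) != _norm(value):
                return False
        else:
            raise ValueError("unsupported <what>: " + tok)
    return True


def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and _norm(bind_dn) == _norm(target_dn)
    if bind_dn is None:
        return False  # dn.* selectors never match an anonymous session
    key, _, value = who.partition("=")
    value = value.strip('"')
    if key in ("dn", "dn.exact"):
        return _norm(bind_dn) == _norm(value)
    if key in ("dn.subtree", "dn.children"):
        return _under(bind_dn, value, key == "dn.subtree")
    raise ValueError("unsupported <who>: " + who)


def granted_level(acl, bind_dn, target_dn, attr=None):
    """Access level slapd would grant; bind_dn None means anonymous."""
    for clause in acl:
        if not _what_matches(clause["what"], target_dn, attr):
            continue
        for who, level in clause["by"]:
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # implicit 'by * none' closing the matched clause
    return "none"      # implicit trailing 'access to * by * none'


def allowed(acl, bind_dn, target_dn, needed, attr=None):
    """True if an operation needing <needed> (e.g. 'read') is permitted."""
    if bind_dn is not None and _norm(bind_dn) == _norm(ROOTDN):
        return True  # rootdn bypasses ACLs entirely
    return LEVELS.index(granted_level(acl, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


ACL = parse_acl(ACL_CONF)
OPS = "uid=ops1,ou=operation,dc=example,dc=com"
USER = "uid=alice,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    for who, need, attr in [(OPS, "read", None), (OPS, "write", None),
                            (None, "read", None), (None, "auth", "userPassword"),
                            (OPS, "read", "userPassword"), (ROOTDN, "write", None)]:
        print(who, need, attr, "->", allowed(ACL, who, USER, need, attr))
```

The rootdn needs no rule because slapd exempts it from ACLs. dn.children rather than dn.subtree keeps the ou=operation entry itself from binding and reading; "by anonymous auth" on userPassword is what lets the operations users bind at all, while the trailing "by * none" keeps everyone, including them, from reading the hashes. Run slaptest -f slapd.conf on the real file before restarting slapd.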


Mirror mode replication breaks at times.

2013-07-08 Thread Pradyumna
Hi,

I have configured mirror mode replication. It's 2 nodes. Everything works fine,
but if I don't work on the server for, say, 30/40 minutes or so and then try
to add or delete any users or groups, it doesn't get replicated to the other node.
I am not getting any error in the logs, and if I restart the slapd service it
syncs again and gives the expected results.  I have the same setup in the test
environment and it works like a charm; the only difference in this setup is
that the 2 servers are hosted in 2 different DCs, geographically separated,
whereas in test they are in the same DC.

I am using the OpenLDAP version which comes by default with RHEL 6.3. If it were
a version issue then I should have expected the same result in test as well?
Please help.

Regards,
/Pradyumna
Sent from my iPhone



Re: Mirror mode replication breaks at times.

2013-07-08 Thread pradyumna dash
Hi,

Thank you so much.  Let me try the same.

Regards,
/Pradyumna



On Tue, Jul 9, 2013 at 12:48 AM, Mark Cairney mark.cair...@ed.ac.uk wrote:

 Hi,


 On 08/07/2013 12:47, Pradyumna wrote:

 Hi,

 I have configured mirror mode replication. It's 2 nodes. Everything works
 fine, but if I don't work on the server for, say, 30/40 minutes or so and then
 try to add or delete any users or groups, it doesn't get replicated to
 the other node. I am not getting any error in the logs, and if I restart the
 slapd service it syncs again and gives the expected results.  I have the same
 setup in the test environment and it works like a charm; the only
 difference in this setup is that the 2 servers are hosted in 2 different DCs,
 geographically separated, whereas in test they are in the same DC.

 In addition to what Quanah has said about running the latest stable
 release (there were a number of bug fixes for OpenLDAP between v2.4.23
 and now), this sounds a bit like a clock syncing/drifting issue, particularly
 if you have 2 in close proximity that work fine but the 2 that aren't don't.

 Having been bitten by this myself in the past: for MMR to be reliable and
 successful the clocks on the servers have to match up almost to the
 millisecond. I'd recommend using ntpd and syncing them all to a common NTP
 time source.

 I have a line like this in my /etc/ntp.conf:

 server my.ntp.servers.IP minpoll 4 maxpoll 6 prefer



  I am using the OpenLDAP version which comes by default with RHEL 6.3. If it
 were a version issue then I should have expected the same result
 in test as well? Please help.

  Kind regards,

 Mark


 --
 The University of Edinburgh is a charitable body, registered in
 Scotland, with registration number SC005336.
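As an added example (not from the thread and not OpenLDAP code): a quick way to see whether the two mirror-mode nodes have actually converged is to read contextCSN from the suffix entry on each node (ldapsearch -x -H ldap://<node> -b <suffix> -s base contextCSN) and compare the value each node holds for every serverID. The code below does that comparison and, since the CSN timestamp comes from the clock of the node that generated the change, reports how many seconds one node's copy trails the other's. The CSN values are constructed for illustration.

```python
"""Compare contextCSN values held by two mirror-mode nodes (added example).

Not OpenLDAP code. Each node stores one contextCSN per serverID it has
seen changes from; when the pair has converged both nodes hold the
same value for every serverID. A node holding an older CSN for some
serverID has not yet received that server's latest change, and the
timestamp difference says how far behind it is. The values below are
constructed; read real ones with
  ldapsearch -x -H ldap://<node> -b <suffix> -s base contextCSN
"""
from datetime import datetime, timezone


def parse_csn(csn):
    """'20130708114700.000000Z#000000#001#000000' -> (time, count, sid, mod)."""
    stamp, count, sid, mod = csn.split("#")
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return when, int(count, 16), int(sid, 16), int(mod, 16)


def by_sid(values):
    """Map serverID -> parsed CSN for one node's contextCSN attribute values."""
    parsed = [parse_csn(v) for v in values]
    return {p[2]: p for p in parsed}


def lag_seconds(node_a, node_b):
    """Per serverID: seconds node_b's copy trails node_a's (negative if
    node_a trails); None when only one node has a CSN for that serverID."""
    a, b = by_sid(node_a), by_sid(node_b)
    out = {}
    for sid in sorted(set(a) | set(b)):
        if sid in a and sid in b:
            out[sid] = (a[sid][0] - b[sid][0]).total_seconds()
        else:
            out[sid] = None
    return out


def converged(node_a, node_b):
    """True when both nodes hold identical CSNs for every serverID."""
    a, b = by_sid(node_a), by_sid(node_b)
    return set(a) == set(b) and all(a[s] == b[s] for s in a)


# Constructed sample: node2 still carries node1's CSN from 42 minutes earlier,
# i.e. node1 has made changes that node2 never received.
NODE1 = ["20130708114700.000000Z#000000#001#000000",
         "20130708114210.000000Z#000000#002#000000"]
NODE2 = ["20130708110500.000000Z#000000#001#000000",
         "20130708114210.000000Z#000000#002#000000"]

if __name__ == "__main__":
    print(lag_seconds(NODE1, NODE2))   # {1: 2520.0, 2: 0.0}
    print(converged(NODE1, NODE2))     # False
```

A non-zero lag that does not shrink on its own is the symptom described in this thread; a lag that is consistently about the same as the offset between the two hosts' clocks points at the drift Mark describes, which is worth checking with ntpq -p on both nodes before anything else.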




Re: Need help to configure OpenLDAP!!

2013-05-02 Thread Pradyumna
Hi,

Thank you so much. Fixed the issue as suggested.

Regards,
/Neo
Sent from my iPhone

On 02-May-2013, at 12:26 PM, Dieter Klünter die...@dkluenter.de wrote:

 Am Wed, 1 May 2013 21:30:31 +0530
 schrieb pradyumna dash neomatrix...@gmail.com:
 
 Hi,
 
 I am facing an issue while configuring OpenLDAP.  My suffix looks like
 below in the slapd.conf file, and apart from the default schema I
 have used ppolicy.
 
 database bdb
 suffix  dc=example,dc=com,dc=in
 rootdn  cn=Manager,dc=example,dc=com,dc=in
 
 Here you declare the root entry dn as dc=example,dc=com,dc=in
 
 # SAG: 20100203
 overlay ppolicy
 ppolicy_default
 cn=default,ou=policies,o=test,dc=example,dc=com,dc=in
 ppolicy_use_lockout
 
 I have prepared the below LDIF to add
 
 test.ldif
 ==
 dn: dc=com,dc=in
 dc: com
 objectClass: top
 objectClass: domain
 
 dc=com,dc=in is superior to dc=example,dc=com,dc=in
 but the server has no knowledge of this dn.
 
 [...]
 
 -Dieter
 
 -- 
 Dieter Klünter | Systemberatung
 http://dkluenter.de
 GPG Key ID:DA147B05
 53°37'09,95N
 10°08'02,42E
 



Need help to configure OpenLDAP!!

2013-05-01 Thread pradyumna dash
Hi,

I am facing an issue while configuring OpenLDAP.  My suffix looks like below
in the slapd.conf file, and apart from the default schema I have used
ppolicy.

database bdb
suffix  dc=example,dc=com,dc=in
rootdn  cn=Manager,dc=example,dc=com,dc=in

# SAG: 20100203
overlay ppolicy
ppolicy_default cn=default,ou=policies,o=test,dc=example,dc=com,dc=in
ppolicy_use_lockout

I have prepared the below LDIF to add

test.ldif
==
dn: dc=com,dc=in
dc: com
objectClass: top
objectClass: domain

dn: dc=example,dc=com,dc=in
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com,dc=in
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com,dc=in
ou: Group
objectClass: top
objectClass: organizationalUnit

I am using the below command to add this LDIF file:

ldapadd -x -W -D cn=Manager,dc=example,dc=com,dc=in -f /opt/test.ldif

But I am getting the below error:

adding new entry dc=com,dc=in
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge

Please help.

Regards,
/Neo
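Dieter's reply above names the cause: dc=com,dc=in sits above the configured suffix, so no database serves it. As an added example (not from the thread and not OpenLDAP code), here is a pre-flight check that applies the same two rules slapd applied to this LDIF before ldapadd is run against a live server. The suffix and LDIF are the ones from the post; the directory is assumed empty, and DNs are split on commas, so escaped commas in RDN values are not handled.

```python
"""Pre-flight check of an LDIF add against a slapd suffix (added example).

Not OpenLDAP code. It models the two conditions behind the errors in
this thread: an entry DN outside every served suffix is refused with
result 53 "no global superior knowledge", and an entry below the
suffix whose parent neither exists nor appears earlier in the same LDIF
is refused with result 32 "no such object". DNs are split on commas,
so escaped commas in RDN values are not handled.
"""

SUFFIXES = ["dc=example,dc=com,dc=in"]  # the suffix from the post

# The LDIF from the post, embedded verbatim.
TEST_LDIF = """\
dn: dc=com,dc=in
dc: com
objectClass: top
objectClass: domain

dn: dc=example,dc=com,dc=in
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com,dc=in
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com,dc=in
ou: Group
objectClass: top
objectClass: organizationalUnit
"""

# The same file with the out-of-suffix dc=com,dc=in record removed.
FIXED_LDIF = TEST_LDIF.split("\n\n", 1)[1]


def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def parent_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")[1:])


def ldif_dns(text):
    """DNs of the records in an LDIF, in file order."""
    return [line.split(":", 1)[1].strip() for line in text.splitlines()
            if line.lower().startswith("dn:")]


def serving_suffix(dn, suffixes):
    """The configured suffix that holds dn, or None (-> result 53)."""
    n = norm_dn(dn)
    for s in suffixes:
        if n == norm_dn(s) or n.endswith("," + norm_dn(s)):
            return s
    return None


def check_ldif(text, suffixes, existing=()):
    """(dn, result_code, message) per record; stops at the first failure,
    as ldapadd does without -c. 'existing' lists DNs already in the DIT."""
    known = {norm_dn(d) for d in existing}
    report = []
    for dn in ldif_dns(text):
        suffix = serving_suffix(dn, suffixes)
        if suffix is None:
            report.append((dn, 53, "unwilling to perform: no global superior knowledge"))
            break
        parent = parent_dn(dn)
        if norm_dn(dn) != norm_dn(suffix) and norm_dn(parent) not in known:
            report.append((dn, 32, "no such object: parent %s missing" % parent))
            break
        known.add(norm_dn(dn))
        report.append((dn, 0, "ok"))
    return report


if __name__ == "__main__":
    for dn, code, msg in check_ldif(TEST_LDIF, SUFFIXES) + check_ldif(FIXED_LDIF, SUFFIXES):
        print(code, dn, msg)
```

Run against the original file it stops at the first record with 53, exactly as ldapadd did; with that record dropped all three remaining records pass, because the suffix entry itself needs no parent and the two OUs find their parent earlier in the same file. The rootdn does not need to exist as an entry for the bind to work, which is why binding as cn=Manager,... succeeded even though the tree was empty.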


Re: loadbalancer in OopenLDAP environment

2011-11-09 Thread pradyumna dash
We are running mirror mode replication with OpenLDAP behind a loadbalancer.

Regards,
Pradyumna

On Wed, Nov 9, 2011 at 11:07 AM, Meike Stone meike.st...@googlemail.com wrote:

 Hello,

 does anyone use a loadbalancer in their OpenLDAP setup?

 I have two locations (data centers). In each location I want to install an
 OpenLDAP server which replicates with the other (MM N-Way).
 Then I want to install a few (depending on the load) OpenLDAP ro replicas
 (replicating from the local OpenLDAP).

 - In each location there are loadbalancers which are queried by the local
 clients.
 - The loadbalancer directs the searches to the local ro replicas and
 writes/modifies to the local rw master.
 - Only if all local ro resources are down or have a long response
 time does the loadbalancer redirect the searches to the remote ro
 replicas.
 - Same way with write access: if the local rw master is down, write/modify
 access is redirected to the remote rw master.

 Is this a possible setup?
 What are the experiences with such setups; can you share them? Are there
 snares?
 I saw one example in the admin guide, but it shows 4 loadbalancers.
 That's too much for my budget.

 Thanks for help,
 Meike




Re: Microsoft Windows Terminal Service integration with OpenLDAP

2011-10-05 Thread pradyumna dash
Hi,

What I want is to integrate Windows 2008 with OpenLDAP. I always set up Samba
for the same, but this time I am planning to use pGina, but the issue is that while
I am specifying the LDAP plugin, it's throwing an error.  I tried all possible
ways but no success.  My OpenLDAP server is running with TLS, so it can talk on
389 as well, I think.

I don't have any clue about the Microsoft LDAP API; if there are some alternate
ways apart from pGina, please suggest.

Regards,
Neo

On Wed, Oct 5, 2011 at 9:25 PM, Aaron Richton rich...@nbcs.rutgers.edu wrote:

 On Fri, 30 Sep 2011, pradyumna dash wrote:

  I would like to know how to integrate Microsoft Windows Terminal Service
 with OpenLDAP. Can pGina help me to achieve this? Or do I have to look
 for something else?

 pGina's LDAP plugin works reasonably well, performing LDAP Simple Binds via
 MS's LDAP API. The MS library successfully talks with OpenLDAP.

 Our Windows admins used pGina+LDAP for a long time, but it was not
 considered viable as of Windows 7. I have no idea if Microsoft windows
 terminal service runs on that version or something else...



Not getting Password expiry message

2011-10-05 Thread pradyumna dash
Hi,

I have set up the ppolicy schema for password handling. It's working fine
except I am not getting the password expiry message.

Is it a known issue or am I doing something wrong? I am using OpenLDAP 2.4 on
SLES 11 SP1.

Please suggest.

Regards,
Neo


Re: Not getting Password expiry message

2011-10-05 Thread pradyumna dash
I am using LDAP for PAM login and also SSH login.

Regards,
Neo

On Wed, Oct 5, 2011 at 11:07 PM, Christ Schlacta li...@aarcane.org wrote:

 On 10/5/2011 09:57, pradyumna dash wrote:

 Hi,

 I have set up the ppolicy schema for password handling. It's working fine
 except I am not getting the password expiry message.

 Is it a known issue or am I doing something wrong? I am using OpenLDAP 2.4 on
 SLES 11 SP1.

 Please suggest.

 Regards,
 Neo

 LDAP for PAM login, or LDAP for some other form of authentication?  Please
 specify.




Microsoft Windows Terminal Service integration with OpenLDAP

2011-09-30 Thread pradyumna dash
Hi,

I would like to know how to integrate Microsoft Windows Terminal Service
with OpenLDAP. Can pGina help me to achieve this?
Or do I have to look for something else?

Please suggest.

Regards,
Neo


Re: Not able to run OpenLDAP in SLES11

2011-09-24 Thread pradyumna dash
Hi ,

Sorry for the late response, I was travelling.  Today I fixed it by
changing the LDAP startup script, and there was also an issue with ACL.

Thanks for all your support.

/Neo

On Sun, Sep 18, 2011 at 10:22 AM, anax a...@ayni.com wrote:

 ACL ?

 suomi


 On 2011-09-17 16:34, pradyumna dash wrote:

 Hi,

 I am not able to run OpenLDAP if I am trying to configure it from the
 slapd.conf file.
 Please find the configuration files attached.
 When I run the below command I get the output:
 ldapsearch -x -h 192.168.0.1 -D cn=Manager,dc=example,dc=com -b
 dc=example,dc=com -W
 but when I try either ldapsearch -x or
 ldapsearch -x -h 192.168.0.1 -b cn=Manager,dc=example,dc=com it shows:
 base cn=Manager,dc=example,dc=com with scope subtree
 filter: (objectclass=*)
 requesting: ALL
 #search result
 search: 2
 result: 32 No such object
 #numResponse: 1
 OS : SLES 11 SP1
 LDAP : 2.4.20-0.4.29
 What I have changed is, instead of the dynamic backend, I am trying to use
 the slapd.conf file, so I have changed in the /etc/sysconfig/openldap file
 OPENLDAP_CONFIG_BACKEND=files.
 Please suggest how to solve this.
 Regards,
 Neo






Re: How to disable cn=config module in OpenLDAP

2011-09-17 Thread pradyumna dash
Hi,

Please help.

Regards,
Neo

On Fri, Sep 16, 2011 at 6:26 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 Please find the configuration files attached.

 When I run the below command I get the output:

 ldapsearch -x -h 192.168.0.1 -D cn=Manager,dc=example,dc=com -b
 dc=example,dc=com -W

 but when I try either ldapsearch -x or

 ldapsearch -x -h 192.168.0.1 -b cn=Manager,dc=example,dc=com it shows:

 base cn=Manager,dc=example,dc=com with scope subtree
 filter: (objectclass=*)
 requesting: ALL
 #search result
 search: 2
 result: 32 No such object
 #numResponse: 1

 OS : SLES 11 SP1
 LDAP : 2.4.20-0.4.29

 What I have changed is, instead of the dynamic backend, I am trying to use
 the slapd.conf file, so I have changed in the /etc/sysconfig/openldap file
 OPENLDAP_CONFIG_BACKEND=files.

 Please suggest how to solve this.

 Regards,
 Neo


Re: open LDAP + TLS/SSL bind Failed.

2011-09-16 Thread pradyumna dash
Hi,

Did you provide the FQDN, e.g. server1.example.com, in the common name section
while creating the certificate?

Hope the permissions of the files are also correct.

Regards,
Neo

On Fri, Sep 16, 2011 at 9:57 AM, vijay s sheelavantar 
s_vija...@rediffmail.com wrote:

 Hi,
 I am trying to configure an LDAP client/server on 2 Fedora 10 Linux machines.

 I have installed and configured the openldap-2.4.26 server on one machine and
 pam_ldap-186, nss_ldap-265 on the other machine.

 I have created the TLS certificates using the following command on the server:

 openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
 server.pem -days 3650

 and I have created client.pem by copying the CERTIFICATE portion of
 server.pem.

 When my client tries to connect to the server I get the following errors:

 TLS trace: SSL3 alert read:fatal:unknown CA
 TLS trace: SSL_accept:failed in SSLv3 read client certificate A
 TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
 unknown ca.
 connection_read(12): TLS accept failure error=-1 id=1012, closing
 connection_closing: readying conn=1012 sd=12 for close
 connection_close: conn=1012 sd=12
 daemon: removing 12
 conn=1012 fd=12 closed (TLS negotiation failure)

 My configurations are as follows.

 slapd.conf

 access to attrs=userPassword
 by self write
 by anonymous auth
 by * none

 access to *
 by * read

 #TLS Certificate section
 TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
 TLSCACertificateFile /etc/openldap/cacerts/server.pem
 TLSCertificateFile /etc/openldap/cacerts/server.pem
 TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
 TLSVerifyClient allow

 and client side ldap.conf

 base dc=samsung,dc=com
 uri ldaps://10.254.204.181/
 TLS_CACERT /etc/openldap/cacerts/client.pem
 pam_password md5

 nsswitch.conf

 passwd: files ldap
 shadow: files ldap
 group: files ldap

 netgroup: files ldap
 automount: files ldap

 I am not getting why it is saying unknown CA, even though the certificate
 was created on the server machine itself.

 Kindly help me to solve this problem.



Re: How to disable cn=config module in OpenLDAP

2011-09-16 Thread pradyumna dash
Hi,

Please find the configuration files attached.

When I run the below command I get the output:

ldapsearch -x -h 192.168.0.1 -D cn=Manager,dc=example,dc=com -b
dc=example,dc=com -W

but when I try either ldapsearch -x or

ldapsearch -x -h 192.168.0.1 -b cn=Manager,dc=example,dc=com it shows:

base cn=Manager,dc=example,dc=com with scope subtree
filter: (objectclass=*)
requesting: ALL
#search result
search: 2
result: 32 No such object
#numResponse: 1

OS : SLES 11 SP1
LDAP : 2.4.20-0.4.29

What I have changed is, instead of the dynamic backend, I am trying to use
the slapd.conf file, so I have changed in the /etc/sysconfig/openldap file
OPENLDAP_CONFIG_BACKEND=files.

Please suggest how to solve this.

Regards,
Neo

On Wed, Sep 14, 2011 at 8:47 PM, Bill MacAllister w...@stanford.edu wrote:



 --On Wednesday, September 14, 2011 07:46:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

 Hi,

 Yes, I tried the below:

 ldapsearch -x -h l http://somehost.com/dap1.example.com -b
 cn=Manager,dc=example,dc=com


 If that is the command line that you used no wonder you didn't get
 the results you expected.


 It asked me to provide the password; I provided that, then it shows the
 same error, nothing came up.


 Why don't you provide exactly what you typed and and what the response
 was?  Just cut and paste it into a _text_ message.  Sending HTML just
 muddies the waters already murky waters.

 The -x requests a simple bind and since you have not provided a bind DN
 or bind password it will attempt an anonymous bind.  It is hard to believe
 that you are seeing what you report.  The host where the ldap server is
 running is actually named 'ldap1.example.com'?


 I have checked my ldap.conf as well; it looks okay.


 Unless you were going to include the ldap.conf file this statement was
 a waste of bytes.


 Bill

 Regards,
 Neo

 On Wed, Sep 14, 2011 at 6:41 PM, Bill MacAllister w...@stanford.edu
 wrote:



 --On Wednesday, September 14, 2011 06:35:09 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 ldapsearch -x shows the content of the LDAP database as well, without any
 additional options. I can see the same on one of my servers; I took a
 dump
 of
 the running server by slapcat and restored the same on this server.

 I can see the data by slapcat but ldapsearch is not working.

 The box where LDAP is running fine is using the slapd.d backend, but this
 server
 I
 have configured to run from the slapd.conf file. Can it be an issue with the
 DB
 backup and restore as they are both using different backends?

 Regards,
 Neo


 Did you even try my suggestion?  The error message that you got back,
 i.e.
 32 no such object is telling you that you have not supplied a baseDN
 for the search.

 Bill

 P.S. Top posting to replies sucks.


  On Wed, Sep 14, 2011 at 6:29 PM, Bill MacAllister w...@stanford.edu

 wrote:



 --On Wednesday, September 14, 2011 06:20:03 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  I have fixed this by deleting the slapd.d and also changed the script
 to

 read the slapd.conf file, but now

 when I am trying ldapsearch -x it's showing 32 no such object

 but the below command works

 ldapsearch -LLL -Wx -D cn=Manager,dc=mail,dc=domain,dc=com

 why is that?


 Because you did it wrong.  There is not enough information in your
 message to tell much more than you contacted an LDAP server and
 got an error message.  You might want to try using a fully specified
 search and work back from there.  For example:

  ldapsearch -x -h somehost.com -b cn=sometree,dc=domain,dc=com

 Bill


  Regards,

 Neo
 On Wed, Sep 14, 2011 at 5:34 PM, pradyumna dash 
 neomatrix...@gmail.com
  wrote:

  Hi ,


 Can I disable the cn=config module? I just want to use the plain old
 slapd.conf
 file. How to disable that, so that LDAP won't use the directory?

 I am using SLES 11 SP1 and I tried deleting the directory, but then I am
 unable to restart the service.

 Regards,
 Neo




 --

 Bill MacAllister
 Infrastructure Delivery Group, Stanford University





 --

 Bill MacAllister
 Infrastructure Delivery Group, Stanford University





 --

 Bill MacAllister
 Infrastructure Delivery Group, Stanford University





How to disable cn=config module in OpenLDAP

2011-09-14 Thread pradyumna dash
Hi ,

Can I disable the cn=config module? I just want to use the plain old slapd.conf
file. How to disable that, so that LDAP won't use the directory?

I am using SLES 11 SP1 and I tried deleting the directory, but then I am unable
to restart the service.

Regards,
Neo


Re: How to disable cn=config module in OpenLDAP

2011-09-14 Thread pradyumna dash
I have fixed this by deleting the slapd.d and also changed the script to
read the slapd.conf file, but now

when I am trying ldapsearch -x it's showing 32 no such object

but the below command works

ldapsearch -LLL -Wx -D cn=Manager,dc=mail,dc=domain,dc=com

why is that?

Regards,
Neo
On Wed, Sep 14, 2011 at 5:34 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi ,

 Can I disable the cn=config module? I just want to use the plain old slapd.conf
 file. How to disable that, so that LDAP won't use the directory?

 I am using SLES 11 SP1 and I tried deleting the directory, but then I am
 unable to restart the service.

 Regards,
 Neo



Re: How to disable cn=config module in OpenLDAP

2011-09-14 Thread pradyumna dash
Hi,

ldapsearch -x shows the content of the LDAP database as well, without any
additional options. I can see the same on one of my servers; I took a dump of
the running server by slapcat and restored the same on this server.

I can see the data by slapcat but ldapsearch is not working.

The box where LDAP is running fine is using the slapd.d backend, but this server I
have configured to run from the slapd.conf file. Can it be an issue with the DB
backup and restore as they are both using different backends?

Regards,
Neo

On Wed, Sep 14, 2011 at 6:29 PM, Bill MacAllister w...@stanford.edu wrote:



 --On Wednesday, September 14, 2011 06:20:03 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  I have fixed this by deleting the slapd.d and also changed the script to
 read the slapd.conf file, but now

 when I am trying ldapsearch -x it's showing 32 no such object

 but the below command works

 ldapsearch -LLL -Wx -D cn=Manager,dc=mail,dc=domain,dc=com

 why is that?


 Because you did it wrong.  There is not enough information in your
 message to tell much more than you contacted an LDAP server and
 got an error message.  You might want to try using a fully specified
 search and work back from there.  For example:

  ldapsearch -x -h somehost.com -b cn=sometree,dc=domain,dc=com

 Bill


  Regards,
 Neo
 On Wed, Sep 14, 2011 at 5:34 PM, pradyumna dash neomatrix...@gmail.com
 wrote:

  Hi ,

 Can I disable the cn=config module? I just want to use the plain old slapd.conf
 file. How to disable that, so that LDAP won't use the directory?

 I am using SLES 11 SP1 and I tried deleting the directory, but then I am
 unable to restart the service.

 Regards,
 Neo




 --

 Bill MacAllister
 Infrastructure Delivery Group, Stanford University




Re: How to disable cn=config module in OpenLDAP

2011-09-14 Thread pradyumna dash
Hi,

Yes, I tried the below:

ldapsearch -x -h l http://somehost.com/dap1.example.com -b
cn=Manager,dc=example,dc=com

It asked me to provide the password; I provided that, then it shows the
same error, nothing came up.

I have checked my ldap.conf as well; it looks okay.

Regards,
Neo

On Wed, Sep 14, 2011 at 6:41 PM, Bill MacAllister w...@stanford.edu wrote:



 --On Wednesday, September 14, 2011 06:35:09 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,

 ldapsearch -x shows the content of the LDAP database as well, without any
 additional options. I can see the same on one of my servers; I took a dump
 of
 the running server by slapcat and restored the same on this server.

 I can see the data by slapcat but ldapsearch is not working.

 The box where LDAP is running fine is using the slapd.d backend, but this server
 I
 have configured to run from the slapd.conf file. Can it be an issue with the DB
 backup and restore as they are both using different backends?

 Regards,
 Neo


 Did you even try my suggestion?  The error message that you got back, i.e.
 32 no such object is telling you that you have not supplied a baseDN
 for the search.

 Bill

 P.S. Top posting to replies sucks.


  On Wed, Sep 14, 2011 at 6:29 PM, Bill MacAllister w...@stanford.edu
 wrote:



 --On Wednesday, September 14, 2011 06:20:03 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  I have fixed this by deleting the slapd.d and also changed the script to

 read the slapd.conf file, but now

 when I am trying ldapsearch -x it's showing 32 no such object

 but the below command works

 ldapsearch -LLL -Wx -D cn=Manager,dc=mail,dc=domain,dc=com

 why is that?


 Because you did it wrong.  There is not enough information in your
 message to tell much more than you contacted an LDAP server and
 got an error message.  You might want to try using a fully specified
 search and work back from there.  For example:

  ldapsearch -x -h somehost.com -b cn=sometree,dc=domain,dc=com

 Bill


  Regards,

 Neo
 On Wed, Sep 14, 2011 at 5:34 PM, pradyumna dash neomatrix...@gmail.com
  wrote:

  Hi ,


 Can I disable the cn=config module? I just want to use the plain old slapd.conf
 file. How to disable that, so that LDAP won't use the directory?

 I am using SLES 11 SP1 and I tried deleting the directory, but then I am
 unable to restart the service.

 Regards,
 Neo




 --

 Bill MacAllister
 Infrastructure Delivery Group, Stanford University





 --

 Bill MacAllister
 Infrastructure Delivery Group, Stanford University




Re: Need Help On Master-Master Replication Setup!!

2011-09-11 Thread pradyumna dash
Guys,

Please suggest !!

Regards,
Neo

On Fri, Sep 9, 2011 at 11:15 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 This is the setup I would like to have.

                 LDAP clients
                      |
                LoadBalancer1
            /         |         \
   ldapserver1  ldapserver2  ldapserver3

 My challenge is I never did this kind of architecture before, so I would like
 to know from the LB perspective how to configure it. Like,
 say, I have to create a DNS FQDN e.g. ldapserver.example.com and then use
 this as a floating IP/hostname for the 3 ldapservers
 in the backend? Or what should be done? The network team will do the setup
 but I need to tell them what to do.  My next question
 would be: I would like to configure LDAPS, so how to create the certificate, I
 mean what to provide in the common name, or how to create a
 certificate which can be shared across the servers; I am using openssl. I
 am using SLES 11 (SP1) and the setup would be Multi-Master
 replication.


   Please help.

  Regards,
  Neo


 On Fri, Sep 9, 2011 at 8:14 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 Thanks for the suggestion, but I never did it before; if you can share a
 doc or something that would be great.

 I use openssl to generate the certificate, so I don't even know how to
 configure subjectAltNames. Also if you can explain a bit how I should
 proceed, it would be appreciated.

 Example: ldap1.example.com, ldap2.example.com

 So in the load balancer what to configure and how to create the
 certificate.

 Please help.

 Regards,
  Pradyumna


 On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount qua...@zimbra.com wrote:

 --On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 I would like to set up OpenLDAP Master-Master replication. Before that I
 would like to know something more about it, because I
 never implemented the same.

 Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

 I will configure M-M replication with LDAPS; in this scenario how should my
 architecture be? Do I need to keep it behind the loadbalancer, or
 what are the steps to do it?
 How will the client come to know if any of the servers is down, so that it
 will talk to the other server, because in my ldap.conf file I will have
 a
 single URI/host entry
 pointing to one of the servers? And also how to create the certificate: do
 I need 2 individual certificates, 1 for ldap1 and 1 for ldap2?


 I would suggest a cert for ldap1 and ldap2, both having
 subjectAltNames for a load balanced name too, so clients can work directly
 with the servers and directly with the LB name.

 --Quanah


 --

 Quanah Gibson-Mount
 Sr. Member of Technical Staff
 Zimbra, Inc
 A Division of VMware, Inc.
 
 Zimbra ::  the leader in open source messaging and collaboration






Re: Need Help On Master-Master Replication Setup!!

2011-09-11 Thread pradyumna dash
So I don't need to put the FQDN of the LB in the cert, right?

Please correct me if I am wrong: my client will point to the FQDN/IP of the LB,
which will internally distribute the traffic across the
3 backend LDAP servers. I was just confused whether to keep the LB FQDN in
the cert.

Regards,
Neo

On Sun, Sep 11, 2011 at 9:09 PM, Daniel Qian dan...@up247solution.com wrote:

  The three servers in the LB pool can share one certificate. When you
 create the CSR for the certificate, you can specify ldapserver1, ldapserver2
 and ldapserver3 for the subjectAltName field. Google subjectAltName and you
 should be able to find a lot of information on how to do that.


 On 11-09-11 2:48 PM, pradyumna dash wrote:

 Guys,

  Please suggest !!

  Regards,
 Neo

 On Fri, Sep 9, 2011 at 11:15 PM, pradyumna dash neomatrix...@gmail.comwrote:

 Hi,

 This is the setup I would like to have.

   LDAP clients
_|___

  | __LoadBalancer1_  |

| |   |
ldapserver1  ldapserver2  ldapserver3

  My challange is I never did this kind of architecture before, So would like 
 to know from LB prosepctive, How to configure  it like
  say i have to create a DNS FQDN e.g ldapserver.example.com and then use 
 this as a floating IP/hostname for the 3 ldapservers


  in the backend? or whats should be done? The network team will do the setup 
 but i need to tell them what to do.  My next question
  would be i would like to configure LDAPS, so how to create the certificate 
 i mean what to provide in common name or how to create a


  certificate which can be shared across the servers, am using openssl ? I 
 am using SLES 11(SP1) and the setup wiould be a Multi-Master
  replication.


   Please help.

  Regards,
  Neo


 On Fri, Sep 9, 2011 at 8:14 PM, pradyumna dash neomatrix...@gmail.comwrote:

 Hi,

 Thanks for the suggestion, but I never did it before; if you can share a
 doc or something, that would be great.

 I use openssl to generate the certificate, so I don't even know how to
 configure subjectAltNames. Also, if you can explain a bit how I should
 proceed, it would be appreciated.

 Example: ldap1.example.com ldap2.example.com

 So in the load balancer, what to configure and how to create the
 certificate?

 Please help.

 Regards,
  Pradyumna


 On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount qua...@zimbra.com wrote:

  --On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 I would like to set up OpenLDAP Master-Master replication; before that I
 would like to know something more about it, because I never implemented
 the same.

 Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

 I will configure M-M replication with LDAPS; in this scenario how should my
 architecture be? Do I need to keep it behind the load balancer, or what are
 the steps to do it? How will the client come to know if any of the servers
 is down, so that it will talk to the other server, because in my ldap.conf
 file I will have a single URI/host entry pointing to one of the servers?
 And also how to create the certificate: do I need 2 individual
 certificates, 1 for ldap1 and 1 for ldap2?


 I would suggest a cert for ldap1 and ldap2, both having subjectAltNames
 for a load-balanced name too, so clients can work directly with the
 servers and directly with the LB name.

 --Quanah


 --

 Quanah Gibson-Mount
 Sr. Member of Technical Staff
 Zimbra, Inc
 A Division of VMware, Inc.
 
 Zimbra ::  the leader in open source messaging and collaboration








Re: Need Help On Master-Master Replication Setup!!

2011-09-11 Thread pradyumna dash
Thank you so much. I will try it tomorrow and, in case of any issues, will
get back.

As suggested, I will put the FQDN of the 3 LDAP servers and also the FQDN of
the VIP in the cert and create it.

Once again thanks for all your help.

/Neo

On Sun, Sep 11, 2011 at 9:32 PM, Daniel Qian dan...@up247solution.com wrote:

 The subjectAltName should be a comma-separated list of all the FQDNs of
 your servers plus the FQDN for the VIP, as Chris just pointed out in his reply.


 On 11-09-11 3:28 PM, pradyumna dash wrote:

 So I don't need to put the FQDN of the LB in the cert, right?

 Please correct me if I am wrong: my client will point to the FQDN/IP of the
 LB, which will internally distribute the traffic across the 3 backend LDAP
 servers; I was just confused whether to keep the LB FQDN in the cert.

  Regards,
 Neo

 On Sun, Sep 11, 2011 at 9:09 PM, Daniel Qian dan...@up247solution.com wrote:

 The three servers in the LB pool can share one certificate. When you
 create the CSR for the certificate, you can specify ldapserver1, ldapserver2
 and ldapserver3 for the subjectAltName field. Google subjectAltName and you
 should be able to find a lot of information on how to do that.


 On 11-09-11 2:48 PM, pradyumna dash wrote:

 Guys,

  Please suggest !!

  Regards,
 Neo

 On Fri, Sep 9, 2011 at 11:15 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 This is the setup I would like to have.

            LDAP clients
                 |
          __LoadBalancer1__
         /       |         \
  ldapserver1 ldapserver2 ldapserver3

 My challenge is I never did this kind of architecture before, so I would
 like to know, from the LB perspective, how to configure it. Say I have to
 create a DNS FQDN, e.g. ldapserver.example.com, and then use this as a
 floating IP/hostname for the 3 ldapservers in the backend? Or what should
 be done? The network team will do the setup, but I need to tell them what
 to do. My next question would be: I would like to configure LDAPS, so how
 do I create the certificate, I mean what to provide in the common name, or
 how to create a certificate which can be shared across the servers? I am
 using openssl. I am using SLES 11 (SP1) and the setup would be a
 Multi-Master replication.


   Please help.

  Regards,
  Neo


 On Fri, Sep 9, 2011 at 8:14 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 Thanks for the suggestion, but I never did it before; if you can share a
 doc or something, that would be great.

 I use openssl to generate the certificate, so I don't even know how to
 configure subjectAltNames. Also, if you can explain a bit how I should
 proceed, it would be appreciated.

 Example: ldap1.example.com ldap2.example.com

 So in the load balancer, what to configure and how to create the
 certificate?

 Please help.

 Regards,
  Pradyumna


 On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount qua...@zimbra.com wrote:

  --On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 I would like to set up OpenLDAP Master-Master replication; before that I
 would like to know something more about it, because I never implemented
 the same.

 Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

 I will configure M-M replication with LDAPS; in this scenario how should my
 architecture be? Do I need to keep it behind the load balancer, or what are
 the steps to do it? How will the client come to know if any of the servers
 is down, so that it will talk to the other server, because in my ldap.conf
 file I will have a single URI/host entry pointing to one of the servers?
 And also how to create the certificate: do I need 2 individual
 certificates, 1 for ldap1 and 1 for ldap2?


 I would suggest a cert for ldap1 and ldap2, both having subjectAltNames
 for a load-balanced name too, so clients can work directly with the
 servers and directly with the LB name.

 --Quanah












Re: Need Help On Master-Master Replication Setup!!

2011-09-11 Thread pradyumna dash
You mean to say, if server1.example.com were my VIP FQDN, then the
entries should be like this:

subjectAltName = "DNS:server1.example.com, DNS:ldap-1.example.com, DNS:ldap-2.example.com, DNS:ldap-3.example.com"

Regards,
Neo


On Sun, Sep 11, 2011 at 9:21 PM, Chris Jacobs chris.jac...@apollogrp.edu wrote:

  Remember to include the VIP name in the subjectaltname list - some
 clients ignore the subject name if subjectaltname exists.

 - chris

 Chris Jacobs, Systems Administrator, Technology Services Group
 Apollo Group | Apollo Marketing and Product Development  |  Aptimus, Inc.

 2001 6th Ave  |  Suite 3200  |  Seattle, WA 98121
 direct 206.839.8245  |  cell 206.601.3256  |  fax 206.839.8106
 email mailto:chris.jac...@apollogrp.edu

 --
 From: openldap-technical-boun...@openldap.org
 To: openldap-technical@openldap.org
 Sent: Sun Sep 11 12:09:30 2011
 Subject: Re: Need Help On Master-Master Replication Setup!!

 The three servers in the LB pool can share one certificate. When you
 create the CSR for the certificate, you can specify ldapserver1, ldapserver2
 and ldapserver3 for the subjectAltName field. Google subjectAltName and you
 should be able to find a lot of information on how to do that.

 On 11-09-11 2:48 PM, pradyumna dash wrote:

 Guys,

  Please suggest !!

  Regards,
 Neo

 On Fri, Sep 9, 2011 at 11:15 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 This is the setup I would like to have.

            LDAP clients
                 |
          __LoadBalancer1__
         /       |         \
  ldapserver1 ldapserver2 ldapserver3

 My challenge is I never did this kind of architecture before, so I would
 like to know, from the LB perspective, how to configure it. Say I have to
 create a DNS FQDN, e.g. ldapserver.example.com, and then use this as a
 floating IP/hostname for the 3 ldapservers in the backend? Or what should
 be done? The network team will do the setup, but I need to tell them what
 to do. My next question would be: I would like to configure LDAPS, so how
 do I create the certificate, I mean what to provide in the common name, or
 how to create a certificate which can be shared across the servers? I am
 using openssl. I am using SLES 11 (SP1) and the setup would be a
 Multi-Master replication.


   Please help.

  Regards,
  Neo


 On Fri, Sep 9, 2011 at 8:14 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 Thanks for the suggestion, but I never did it before; if you can share a
 doc or something, that would be great.

 I use openssl to generate the certificate, so I don't even know how to
 configure subjectAltNames. Also, if you can explain a bit how I should
 proceed, it would be appreciated.

 Example: ldap1.example.com ldap2.example.com

 So in the load balancer, what to configure and how to create the
 certificate?

 Please help.

 Regards,
 Pradyumna


 On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount qua...@zimbra.com wrote:

  --On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 I would like to set up OpenLDAP Master-Master replication; before that I
 would like to know something more about it, because I never implemented
 the same.

 Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

 I will configure M-M replication with LDAPS; in this scenario how should my
 architecture be? Do I need to keep it behind the load balancer, or what are
 the steps to do it? How will the client come to know if any of the servers
 is down, so that it will talk to the other server, because in my ldap.conf
 file I will have a single URI/host entry pointing to one of the servers?
 And also how to create the certificate: do I need 2 individual
 certificates, 1 for ldap1 and 1 for ldap2?


 I would suggest a cert for ldap1 and ldap2, both having subjectAltNames
 for a load-balanced name too, so clients can work directly with the
 servers and directly with the LB name.

 --Quanah








 --
 This message is private and confidential. If you have received it in error,
 please notify the sender and remove it from your system.




Re: Need Help On Master-Master Replication Setup!!

2011-09-11 Thread pradyumna dash
Thank you so much, I will configure it tomorrow and get back with the
results :)

Regards,
Neo

On Sun, Sep 11, 2011 at 9:52 PM, Chris Jacobs chris.jac...@apollogrp.edu wrote:

  Yes, you do.

 Subject: vip/lb
 Subjectaltnames: server1, server2, etc, vip/lb

 Clients will 'use' the vip/lb name (including slaves); the servers will use
 server names for syncing.


 - chris

 Chris Jacobs, Systems Administrator, Technology Services Group
 Apollo Group | Apollo Marketing and Product Development  |  Aptimus, Inc.
 2001 6th Ave  |  Suite 3200  |  Seattle, WA 98121
 direct 206.839.8245  |  cell 206.601.3256  |  fax 206.839.8106
 email mailto:chris.jac...@apollogrp.edu

 --
 From: openldap-technical-boun...@openldap.org
 To: dan...@up247solution.com
 Cc: openldap-technical@openldap.org
 Sent: Sun Sep 11 12:28:20 2011
 Subject: Re: Need Help On Master-Master Replication Setup!!

 So I don't need to put the FQDN of the LB in the cert, right?

 Please correct me if I am wrong: my client will point to the FQDN/IP of the
 LB, which will internally distribute the traffic across the 3 backend LDAP
 servers; I was just confused whether to keep the LB FQDN in the cert.

  Regards,
 Neo

 On Sun, Sep 11, 2011 at 9:09 PM, Daniel Qian dan...@up247solution.com wrote:

 The three servers in the LB pool can share one certificate. When you
 create the CSR for the certificate, you can specify ldapserver1, ldapserver2
 and ldapserver3 for the subjectAltName field. Google subjectAltName and you
 should be able to find a lot of information on how to do that.


 On 11-09-11 2:48 PM, pradyumna dash wrote:

 Guys,

  Please suggest !!

  Regards,
 Neo

 On Fri, Sep 9, 2011 at 11:15 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 This is the setup I would like to have.

            LDAP clients
                 |
          __LoadBalancer1__
         /       |         \
  ldapserver1 ldapserver2 ldapserver3

 My challenge is I never did this kind of architecture before, so I would
 like to know, from the LB perspective, how to configure it. Say I have to
 create a DNS FQDN, e.g. ldapserver.example.com, and then use this as a
 floating IP/hostname for the 3 ldapservers in the backend? Or what should
 be done? The network team will do the setup, but I need to tell them what
 to do. My next question would be: I would like to configure LDAPS, so how
 do I create the certificate, I mean what to provide in the common name, or
 how to create a certificate which can be shared across the servers? I am
 using openssl. I am using SLES 11 (SP1) and the setup would be a
 Multi-Master replication.


   Please help.

  Regards,
  Neo


 On Fri, Sep 9, 2011 at 8:14 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 Thanks for the suggestion, but I never did it before; if you can share a
 doc or something, that would be great.

 I use openssl to generate the certificate, so I don't even know how to
 configure subjectAltNames. Also, if you can explain a bit how I should
 proceed, it would be appreciated.

 Example: ldap1.example.com ldap2.example.com

 So in the load balancer, what to configure and how to create the
 certificate?

 Please help.

 Regards,
 Pradyumna


 On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount qua...@zimbra.com wrote:

  --On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 I would like to set up OpenLDAP Master-Master replication; before that I
 would like to know something more about it, because I never implemented
 the same.

 Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

 I will configure M-M replication with LDAPS; in this scenario how should my
 architecture be? Do I need to keep it behind the load balancer, or what are
 the steps to do it? How will the client come to know if any of the servers
 is down, so that it will talk to the other server, because in my ldap.conf
 file I will have a single URI/host entry pointing to one of the servers?
 And also how to create the certificate: do I need 2 individual
 certificates, 1 for ldap1 and 1 for ldap2?


 I would suggest a cert for ldap1 and ldap2, both having subjectAltNames
 for a load-balanced name too, so clients can work directly with the
 servers and directly with the LB name.

 --Quanah













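The certificate layout Chris and Daniel settle on in this thread (CN = the VIP name, subjectAltName = the VIP plus every backend) as an added worked example. This is constructed editor code, not code from the list or from OpenLDAP; the host names are the thread's example names, and the file names (san.cnf, ldap.key, ldap.csr) and the use of the openssl CLI are assumptions. It writes the CSR config and also models the client-side check Chris describes: once a certificate carries dNSName SANs, the CN is ignored, so a VIP that appears only in the CN fails to validate.

```python
"""Shared LDAP server certificate: build the OpenSSL CSR config with every
name in subjectAltName, and show which names a SAN-aware client accepts.
Constructed example for this thread, not code from the list; the host
names are the thread's example names and the file names are assumptions."""
import os
import shutil
import subprocess

VIP = "ldapserver.example.com"                      # load-balanced name clients use
SERVERS = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]


def san_config(vip, servers):
    """Return openssl.cnf text for a CSR: CN is the VIP, and the SAN lists the
    VIP plus every backend so both the LB name and the direct names validate."""
    san = ", ".join("DNS:%s" % name for name in [vip] + list(servers))
    return "\n".join([
        "[req]",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[dn]",
        "CN = %s" % vip,
        "",
        "[v3_req]",
        "subjectAltName = %s" % san,
        "",
    ])


def _name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_matches(hostname, subject_cn, san_dns):
    """Host-name check the way RFC 6125 clients do it: when the certificate
    carries any dNSName SAN, the CN is ignored entirely, so a VIP present only
    in the CN fails validation (the point Chris makes in the thread)."""
    host = hostname.lower().rstrip(".")
    if san_dns:
        candidates = [n.lower().rstrip(".") for n in san_dns]
    else:
        candidates = [subject_cn.lower().rstrip(".")]
    return any(_name_matches(c, host) for c in candidates)


def make_csr(cnf_text, workdir):
    """Write the config and run the openssl CLI to produce key + CSR.
    Returns the CSR path, or None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    cnf = os.path.join(workdir, "san.cnf")      # assumed file names
    key = os.path.join(workdir, "ldap.key")
    csr = os.path.join(workdir, "ldap.csr")
    with open(cnf, "w") as fh:
        fh.write(cnf_text)
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", csr, "-config", cnf],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return csr


if __name__ == "__main__":
    import tempfile
    cfg = san_config(VIP, SERVERS)
    print(cfg)
    with tempfile.TemporaryDirectory() as tmp:
        print("CSR:", make_csr(cfg, tmp), "(inspect with: openssl req -noout -text -in <csr>)")
    # SAN without the VIP: a client connecting to the VIP name rejects the cert
    print(cert_matches(VIP, VIP, SERVERS), cert_matches(VIP, VIP, [VIP] + SERVERS))
```

Sign the resulting CSR with whatever CA the clients trust and install the same certificate and key on all three backends; a client that connects to the VIP and one that connects to ldap2 directly then both see a name that is in the SAN list.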
Re: Need Help On Master-Master Replication Setup!!

2011-09-09 Thread pradyumna dash
Hi,

Thanks for the suggestion, but I never did it before; if you can share a
doc or something, that would be great.

I use openssl to generate the certificate, so I don't even know how to
configure subjectAltNames. Also, if you can explain a bit how I should
proceed, it would be appreciated.

Example: ldap1.example.com ldap2.example.com

So in the load balancer, what to configure and how to create the certificate?

Please help.

Regards,
Pradyumna

On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount qua...@zimbra.com wrote:

 --On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 I would like to set up OpenLDAP Master-Master replication; before that I
 would like to know something more about it, because I never implemented
 the same.

 Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

 I will configure M-M replication with LDAPS; in this scenario how should my
 architecture be? Do I need to keep it behind the load balancer, or what are
 the steps to do it? How will the client come to know if any of the servers
 is down, so that it will talk to the other server, because in my ldap.conf
 file I will have a single URI/host entry pointing to one of the servers?
 And also how to create the certificate: do I need 2 individual
 certificates, 1 for ldap1 and 1 for ldap2?


 I would suggest a cert for ldap1 and ldap2, both having subjectAltNames
 for a load-balanced name too, so clients can work directly with the
 servers and directly with the LB name.

 --Quanah





Re: Need Help On Master-Master Replication Setup!!

2011-09-09 Thread pradyumna dash
Hi,

This is the setup I would like to have.

            LDAP clients
                 |
          __LoadBalancer1__
         /       |         \
  ldapserver1 ldapserver2 ldapserver3

My challenge is I never did this kind of architecture before, so I would
like to know, from the LB perspective, how to configure it. Say I have to
create a DNS FQDN, e.g. ldapserver.example.com, and then use this as a
floating IP/hostname for the 3 ldapservers in the backend? Or what should
be done? The network team will do the setup, but I need to tell them what
to do. My next question would be: I would like to configure LDAPS, so how
do I create the certificate, I mean what to provide in the common name, or
how to create a certificate which can be shared across the servers? I am
using openssl. I am using SLES 11 (SP1) and the setup would be a
Multi-Master replication.


  Please help.

 Regards,
 Neo


On Fri, Sep 9, 2011 at 8:14 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 Thanks for the suggestion, but I never did it before; if you can share a
 doc or something, that would be great.

 I use openssl to generate the certificate, so I don't even know how to
 configure subjectAltNames. Also, if you can explain a bit how I should
 proceed, it would be appreciated.

 Example: ldap1.example.com ldap2.example.com

 So in the load balancer, what to configure and how to create the
 certificate?

 Please help.

 Regards,
 Pradyumna


 On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount qua...@zimbra.com wrote:

 --On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash 
 neomatrix...@gmail.com wrote:

  Hi,


 I would like to set up OpenLDAP Master-Master replication; before that I
 would like to know something more about it, because I never implemented
 the same.

 Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

 I will configure M-M replication with LDAPS; in this scenario how should my
 architecture be? Do I need to keep it behind the load balancer, or what are
 the steps to do it? How will the client come to know if any of the servers
 is down, so that it will talk to the other server, because in my ldap.conf
 file I will have a single URI/host entry pointing to one of the servers?
 And also how to create the certificate: do I need 2 individual
 certificates, 1 for ldap1 and 1 for ldap2?


 I would suggest a cert for ldap1 and ldap2, both having subjectAltNames
 for a load-balanced name too, so clients can work directly with the
 servers and directly with the LB name.

 --Quanah







Need Help On Master-Master Replication Setup!!

2011-09-08 Thread pradyumna dash
Hi,

I would like to set up OpenLDAP Master-Master replication; before that I
would like to know something more about it, because I never implemented the
same.

Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.

I will configure M-M replication with LDAPS; in this scenario how should my
architecture be? Do I need to keep it behind the load balancer, or what are
the steps to do it?
How will the client come to know if any of the servers is down, so that it
will talk to the other server, because in my ldap.conf file I will have a
single URI/host entry pointing to one of the servers? And also how to create
the certificate: do I need 2 individual certificates, 1 for ldap1 and 1 for
ldap2?

Please help me.

Regards,
Neo


Re: Assigning Groups to LDAP users

2011-09-06 Thread pradyumna dash
Hi,

I have configured SUDO with OpenLDAP. I have created a group called
sysadm and assigned the below commands, which the users belonging to this
group can execute. Now I created a user called bob and assigned him to this
group. When I log in as bob and run sudo -l, it asks me for the password,
and after I put in the correct password it shows me the sudoCommand list.
But it also executes the command !/sbin/route too, which he should not be
able to execute. Why is this happening? Did I do anything wrong?

dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sysadm
sudoUser: %sysadm
sudoHost: ALL
sudoOption: !authenticate
structuralObjectClass: sudoRole
entryUUID: d6819d80-5c39-1030-9d7c-19f66ff1c84f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20110816095703Z
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/halt
sudoCommand: /sbin/reboot
sudoCommand: /sbin/yast
sudoCommand: /sbin/yast2
sudoCommand: /sbin/date
sudoCommand: /sbin/kill
sudoCommand: /usr/bin/killall
sudoCommand: /usr/bin/passwd
sudoCommand: /bin/su
sudoCommand: /bin/rpm
sudoCommand: /sbin/ifconfig
sudoCommand: /sbin/ifup
sudoCommand: !/sbin/route
entryCSN: 20110826090949.582253Z#00#000#00
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110826090949Z

Regards,
Neo

On Wed, Aug 10, 2011 at 10:11 AM, pradyumna dash neomatrix...@gmail.com wrote:

 Guys,

 I have a query; let's take a scenario:

 Assume we have 2 servers, Server1 and Server2, and 2 groups, Admin and
 ITTech. What is needed is, say, when a user bob logs in to Server1 he
 will get the group Admin, but when he logs in to Server2 he will get the
 group ITTech. Also it may vary for different users: when Kris logs in to
 Server1 he may get a group called ITTech, and when he logs in to Server2
 he will get some other group, say Security. Can this be done with OpenLDAP?
 If this is achieved then we are planning to have SUDO files based on the
 groups.

 It would be great if you can provide me some pointers or how-to.

 Regards,
 Neo
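A lint pass over the sudoRole entry posted above, as an added example (constructed editor code, not from the list or from sudo; the set of root-equivalent commands is an editorial choice, and the sample entry repeats the posted one without its operational attributes). Whatever the `!/sbin/route` exclusion does, the role also grants /bin/su and /usr/bin/passwd together with `!authenticate`: a member gets a root shell, or can set root's password, without typing any password, so the exclusion cannot restrict anything. And because LDAP attribute values carry no ordering, an exclusion whose meaning depends on where it sits among allow entries is not a dependable control; the policy is safer expressed as a plain allow-list.

```python
"""Lint a sudoRole entry (sudoers-in-LDAP) for settings that defeat it.
Constructed example for this thread, not code from the list or from sudo;
the sample entry repeats the one posted above minus operational attributes."""
import base64

SAMPLE_LDIF = """\
dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sysadm
sudoUser: %sysadm
sudoHost: ALL
sudoOption: !authenticate
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/halt
sudoCommand: /sbin/reboot
sudoCommand: /sbin/yast
sudoCommand: /sbin/yast2
sudoCommand: /sbin/date
sudoCommand: /sbin/kill
sudoCommand: /usr/bin/killall
sudoCommand: /usr/bin/passwd
sudoCommand: /bin/su
sudoCommand: /bin/rpm
sudoCommand: /sbin/ifconfig
sudoCommand: /sbin/ifup
sudoCommand: !/sbin/route
"""

# Editorial list: commands that hand the caller root outright. su gives a root
# shell; passwd with no argument sets root's password. One of these in the
# allow list makes every other restriction in the role cosmetic.
ROOT_EQUIVALENT = {"ALL", "/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash",
                   "/usr/bin/passwd"}


def parse_ldif(text):
    """Minimal single-entry LDIF reader: handles 'attr: value', base64
    'attr:: value' and folded continuation lines (leading space). Keys are
    lower-cased because LDAP attribute names are case-insensitive."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def lint_sudo_role(entry):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    options = [o.lower() for o in entry.get("sudooption", [])]
    commands = entry.get("sudocommand", [])
    allowed = [c for c in commands if not c.startswith("!")]
    denied = [c for c in commands if c.startswith("!")]
    if "!authenticate" in options:
        findings.append("!authenticate: every listed command runs without a password")
    for cmd in allowed:
        head = cmd.split(None, 1)[0] if cmd.strip() else ""
        if head in ROOT_EQUIVALENT:
            findings.append("%s is root-equivalent, so the other restrictions "
                            "in this role are cosmetic" % cmd)
    for cmd in denied:
        findings.append("%s: LDAP attribute values are unordered, so an exclusion "
                        "that depends on its position among allow entries is not a "
                        "reliable control; express the policy as an allow-list" % cmd)
    return findings


if __name__ == "__main__":
    for finding in lint_sudo_role(parse_ldif(SAMPLE_LDIF)):
        print("-", finding)
```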



Re: TLS issue with SLES11

2011-09-01 Thread pradyumna dash
Hi,

Thanks for your suggestions; now I am able to fix this issue.

The issue was in my ldap.conf file; I just set ssl on, and now everything
seems to be working. I also modified the /etc/sysconfig/openldap file.

Regards,
Pradyumna

On Mon, Aug 29, 2011 at 1:34 PM, pradyumna dash neomatrix...@gmail.com wrote:

 Hi,

 Thanks for your valuable comments.

 What I would like to configure is ldaps://. I did it with the RHAT
 distribution before, but I don't know why it's not working in SLES.
 I am sure I am doing something wrong.

 I am just trying the steps once again, and will update you all.

 But if you have any good URL for the above, please share.

 Regards,
 Pradyumna


 On Mon, Aug 29, 2011 at 1:25 PM, Buchan Milne bgmi...@staff.telkomsa.net wrote:

 On Saturday, 27 August 2011 12:23:38 pradyumna dash wrote:
  Hi,
 
  I want to achieve ldaps, that means all the communication should use
  port 636,

 You had done the configuration to *allow* encrypted communication.

  I have changed the parameters in the /etc/openldap/sysconfig file,
  but no luck.

 Well, I don't know which of the following two you are trying to achieve:

 1) Force all communication to be to a process listening on port 636
 2) Force all communication to be via ldaps:///
 3) Force all communication to be encrypted to a specific strength

 Note that (1) may not achieve (3), and (2) might prevent clients that are
 capable of achieving (3) but not (2) from working.

 Most likely you want to look at the 'security' statement covered in
 slapd.conf(5) to achieve (3).

 Regards,
 Buchan
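Buchan's three goals differ in what they actually enforce, and the added example below makes the distinction checkable: it parses a slapd.conf and reports whether TLS is merely available or actually required. This is constructed editor code, not from the list or from OpenLDAP; the sample configs and certificate paths are made up, and the listener URL list stands in for the ldap:/// and ldaps:/// URLs slapd is started with (on SLES, per this thread, from /etc/sysconfig/openldap). The `security` statement and its ssf= and simple_bind= factors are the ones documented in slapd.conf(5).

```python
"""Tell 'encryption available' apart from 'encryption required' in a slapd
configuration. Constructed example for this thread, not code from the list or
from OpenLDAP; the sample configs are made up and the listener URL list stands
in for slapd's -h argument."""

WEAK_CONF = """\
# TLS material is present, so StartTLS and ldaps work, but nothing forces them
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/ldap.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
"""

STRONG_CONF = WEAK_CONF + """\
# require a 128-bit protected session for every operation, simple binds included
security ssf=128 simple_bind=128
"""


def parse_slapd_conf(text):
    """Directive -> list of argument strings (directive names are case-insensitive)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def security_factors(conf):
    """Collect the numeric factors of all 'security' statements, e.g. {'ssf': 128}."""
    factors = {}
    for stmt in conf.get("security", []):
        for item in stmt.split():
            name, _, value = item.partition("=")
            if value.isdigit():
                factors[name.lower()] = int(value)
    return factors


def audit(conf_text, listen_urls):
    """Map the config onto the three goals: which listeners exist (1, 2) and
    whether a minimum security strength factor is enforced (3)."""
    conf = parse_slapd_conf(conf_text)
    factors = security_factors(conf)
    ssf = factors.get("ssf", 0)
    simple_bind = factors.get("simple_bind", 0)
    return {
        "tls_configured": "tlscertificatefile" in conf and "tlscertificatekeyfile" in conf,
        "ldaps_listener": any(u.startswith("ldaps://") for u in listen_urls),
        # a plain listener is still fine if ssf forces StartTLS before any operation
        "plain_listener": any(u.startswith("ldap://") for u in listen_urls),
        "min_ssf": ssf,
        "encryption_required": ssf > 0,
        # a simple bind sends the password in the clear unless ssf/simple_bind forbids it
        "plaintext_bind_allowed": ssf == 0 and simple_bind == 0,
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(name, audit(text, ["ldap:///", "ldaps:///"]))
```

Closing port 389 (goal 1) or listing only ldaps:/// (goal 2) says nothing about the cipher strength a client negotiates, and removing the plain listener breaks clients that only know StartTLS; a `security ssf=` line keeps both listeners and still refuses any operation, on either port, until the session is protected to that strength.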





Re: TLS issue with SLES11

2011-08-29 Thread pradyumna dash
Hi,

Thanks for your valuable comments.

What I would like to configure is ldaps://. I did it with the RHAT
distribution before, but I don't know why it's not working in SLES.
I am sure I am doing something wrong.

I am just trying the steps once again, and will update you all.

But if you have any good URL for the above, please share.

Regards,
Pradyumna

On Mon, Aug 29, 2011 at 1:25 PM, Buchan Milne bgmi...@staff.telkomsa.net wrote:

 On Saturday, 27 August 2011 12:23:38 pradyumna dash wrote:
  Hi,
 
  I want to achieve ldaps, that means all the communication should use
  port 636,

 You had done the configuration to *allow* encrypted communication.

  I have changed the parameters in the /etc/openldap/sysconfig file,
  but no luck.

 Well, I don't know which of the following two you are trying to achieve:

 1) Force all communication to be to a process listening on port 636
 2) Force all communication to be via ldaps:///
 3) Force all communication to be encrypted to a specific strength

 Note that (1) may not achieve (3), and (2) might prevent clients that are
 capable of achieving (3) but not (2) from working.

 Most likely you want to look at the 'security' statement covered in
 slapd.conf(5) to achieve (3).

 Regards,
 Buchan



Re: TLS issue with SLES11

2011-08-27 Thread pradyumna dash
Hi,

I want to achieve ldaps; that means all the communication should use port
636. I have changed the parameters in the /etc/openldap/sysconfig file, but
no luck.

Regards,
Pradyumna

On Sat, Aug 27, 2011 at 12:11 PM, Benjamin Griese der.dar...@gmail.com wrote:

 Hello,

 I don't clearly understand what you're trying to achieve?

 There are two possible ways to do encrypted connections:
 - with StartTLS via port 389 (ldap:// - non-encrypted connections are still
 possible, if configured in your slapd config)
 - with SSL/TLS via 639 (ldaps://)

 You can disable/enable each way in your /etc/sysconfig/openldap file.

 Please read this: http://www.openldap.org/faq/data/cache/185.html

 Bye, Benjamin

 On Sat, Aug 27, 2011 at 12:00, pradyumna dash neomatrix...@gmail.com wrote:

 List,

 It would be great if someone could share a doc on TLS with OpenLDAP
 configuration on SLES 11; I tried all the possible ways to make it happen
 but no luck.

 I tried with both yast2 and with CA.pl and openssl commands, but no luck.
 When I do netstat -lnap | grep ldap it shows both ports 636 and 389
 listening on the hostname; when I check the logs, the destination port it
 shows is 389.

 But when I try ldapsearch -x -H ldaps://hostname, it also shows me the
 ldap contents; I don't know what's wrong. I also tried to open
 /etc/sysconfig/openldap and assigned the LDAP service to run on 127.0.0.1,
 but if I do so then it's not able to get the server.

 Please help.

 Regards,
 Neo




 --
 To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is
 to do -- Sartre | Do be do be do -- Sinatra




Re: Assigning Groups to LDAP users

2011-08-16 Thread pradyumna dash
Hi,

Please find the contents as below.

dn: cn=pradyumna,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
cn: pradyumna
uid: pradyumna
sn: dash
structuralObjectClass: inetOrgPerson
entryUUID: c479788c-5b6d-1030-9d75-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815093616Z
uidNumber: 507
gidNumber: 100
homeDirectory: /home/pradyumna
loginShell: /bin/bash
userPassword:: e1NTSEF9Q1lrZTVOQTM5ZUppSVlzL1YwbnR2a0pGemQ1ekVxbWQ=
entryCSN: 20110815130355.986136Z#00#000#00
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20110815130355Z

dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
structuralObjectClass: groupOfNames
entryUUID: 15582474-5b73-1030-9d76-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815101419Z
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
entryCSN: 20110815130141.119665Z#00#000#00
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110815130141Z

I think this is what you asked for.

Regards,
Neo

On Mon, Aug 15, 2011 at 6:36 PM, Dmitriy Kirhlarov di...@higis.ru wrote:

 15.08.2011 17:24, pradyumna dash wrote:

  Hi,

 I have created 2 groups and modified the ldap.conf file in the client as
 below:

 nss_base_passwd ou=people,dc=example,dc=com?one
 nss_base_shadow ou=people,dc=example,dc=com?one
 nss_base_group  ou=Group,dc=example,dc=com?one

 From the client, when I run getent I can see my groups and users, but
 when I log in as a user and try id, it shows me the primary group, not the
 secondary groups I have added.


 Could you please show the DN of the primary and secondary groups and the
 body of these objects (object classes and attributes)?

 WBR


 I am using SLES 11 SP1.

 Regards,
 Pradyumna

 2011/8/15 Dmitriy Kirhlarov di...@higis.ru


please, keep a list address in the Cc.

WNBR


On 08/14/2011 04:20 PM, pradyumna dash wrote:

Thank you so much.

I will try it this week and get back to you in case of any issues.

Thanks for your time.

Regards,
Pradyumna

2011/8/14 Dmitriy Kirhlarov di...@higis.ru




On 08/14/2011 03:18 PM, pradyumna dash wrote:

Hi,

Thank you so much. I have never worked a lot on nss_ldap, so I am asking
some basic questions.

As you said, you guys are running the same in your env.

ldap:
personals user groups:
ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company

-- Do I need to create separate OUs for different groups?


Up to you.

You need some separator between projects. It can be a branch in the
tree, or a scope/base in the filter configuration from the
nss_ldap.conf file.

We prefer branches. It's more readable when you have many
groups and many projects.


second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
-- How can I specify which users are part of which group?


cn=group1,ou=project1,o=company
objectClass: posixGroup
cn: group1
gidNumber: 1000
description: project1 admin group
memberUid: user1
memberUid: user2
memberUid: user3


Server1 nss_ldap.conf:
nss_base_group  ou=groups,o=company?sub
nss_base_group  ou=project1,o=company?one
--The syntax in the conf file will be like above?? Because I have never
used ?sub and ?one


It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
You should write the second part of the URI (after the connection
description) with base, scope and filter.


Server2 nss_ldap.conf:
nss_base_group  ou=groups,o=company?sub
nss_base_group  ou=project2,o=company?one

Also if you can help, I am trying pwdReset for my ldap users; in the
ppolicy.schema file I have uncommented this attribute but not
able

Re: Assigning Groups to LDAP users

2011-08-15 Thread pradyumna dash
Hi,

I have created 2 groups and modified the ldap.conf file in the client as
below:

nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

From the client, when I run getent I can see my groups and users, but when I
log in as a user and try id, it shows me the primary group, not the secondary
groups I have added.

I am using SLES 11 SP1.

Regards,
Pradyumna

2011/8/15 Dmitriy Kirhlarov di...@higis.ru

 please, keep a list address in the Cc.

 WNBR


 On 08/14/2011 04:20 PM, pradyumna dash wrote:

 Thank you so much.

 I will try it this week and get back to you in case of any issues.

 Thanks for your time.

 Regards,
 Pradyumna

 2011/8/14 Dmitriy Kirhlarov di...@higis.ru




On 08/14/2011 03:18 PM, pradyumna dash wrote:

Hi,

Thank you so much. I have never worked a lot on nss_ldap, so I am asking
some basic questions.

As you said, you guys are running the same in your env.

ldap:
personal user groups:
ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company

-- Do i need to create separate OU's for different groups?


Up to you.

You need some separator between projects. It can be a branch in the
tree, or a scope/base in the filter configuration from the nss_ldap.conf file.

We prefer branches. It's more readable when you have many
groups and many projects.


second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
-- How i can specify the users who are a part of which group?


cn=group1,ou=project1,o=company
objectClass: posixGroup
cn: group1
gidNumber: 1000
description: project1 admin group
memberUid: user1
memberUid: user2
memberUid: user3


Server1 nss_ldap.conf:
nss_base_group  ou=groups,o=company?sub
nss_base_group  ou=project1,o=company?one
--The syntax in the conf file will be like above ?? Because I have never
used ?sub and ?one


It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
You should write the second part of the URI (after the connection
description) with base, scope and filter.


Server2 nss_ldap.conf:
nss_base_group  ou=groups,o=company?sub
nss_base_group  ou=project2,o=company?one

Also if you can help, I am trying pwdReset for my ldap users. In the
ppolicy.schema file I have uncommented this attribute but am not able to
load the schema; if you can give me some pointers it would be appreciated.
What I want is that when any user logs in for the first time he will be
asked to change his password.


1. try to start slapd with -d config
2. take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html

WBR


Regards,
Neo

I am not an expert in OpenLDAP so please help me.
2011/8/14 Dmitriy Kirhlarov di...@higis.ru


Hi.


On 08/12/2011 07:40 PM, Buchan Milne wrote:

On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:

Guys,

I have a query, let's take a scenario:

Assume we have 2 servers, Server1 and Server2, and 2 groups, Admin and
ITTech. What is needed is that when a user bob logs in to Server1 he will
get the group Admin, but when he logs in to Server2 he will get the group
ITTech. Also it may vary for different users: when Kris logs in to Server1
he may get a group called ITTech and when he logs in to Server2 he will get
some other group, say Security.
Can it be possible with OpenLDAP?


IMHO, this is a bad idea. It will specifically be problematic if you have any
files shared/replicated/backed up between servers (e.g. via NFS).


We are using this functionality without any problems. :)
This is a feature of nss_ldap.

ldap:
personal user groups:
ou=groups,o=company

first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou
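A way to sanity-check the per-server group mapping Dmitriy describes above, added here as an example (not code from the thread, from nss_ldap or from OpenLDAP). It evaluates which group entries each server's nss_base_group lines would select under the base?scope?filter syntax and what a user's supplementary groups would be on each server; the entries and config lines are constructed, and the filter part is accepted but ignored. It also makes Buchan's caveat visible: the same group name resolves to a different entry depending on the server.

```python
# Constructed group entries in the layout from the thread: personal groups
# under ou=groups, one ou per project; the cn values deliberately clash so
# that only the server-specific base keeps them apart.
SAMPLE_GROUPS = [
    {"dn": "cn=users,ou=groups,o=company", "memberUid": ["user1", "user2"]},
    {"dn": "cn=group1,ou=project1,o=company", "memberUid": ["user1"]},
    {"dn": "cn=group2,ou=project1,o=company", "memberUid": ["user2"]},
    {"dn": "cn=group1,ou=project2,o=company", "memberUid": ["user2"]},
    {"dn": "cn=group2,ou=project2,o=company", "memberUid": ["user1"]},
]
SERVER1_CONF = ["nss_base_group ou=groups,o=company?sub",
                "nss_base_group ou=project1,o=company?one"]
SERVER2_CONF = ["nss_base_group ou=groups,o=company?sub",
                "nss_base_group ou=project2,o=company?one"]

def parse_nss_base(value):
    """Split 'base?scope?filter'; scope defaults to sub, filter is ignored here."""
    parts = (value.strip() + "??").split("?")
    base, scope = parts[0].lower(), (parts[1] or "sub").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return base, scope

def rdns(dn):
    """Naive RDN split on commas; enough for DNs without escaped commas."""
    return [c.strip().lower() for c in dn.split(",")]

def in_scope(dn, base, scope):
    """True if dn lies within base for the given LDAP search scope."""
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def visible_groups(conf_lines, entries):
    """DNs of the group entries nss_ldap would enumerate with these lines."""
    seen = set()
    for line in conf_lines:
        key, _, value = line.partition(" ")
        if key.strip() == "nss_base_group":
            base, scope = parse_nss_base(value)
            seen |= {e["dn"] for e in entries if in_scope(e["dn"], base, scope)}
    return sorted(seen)

def groups_for_user(conf_lines, entries, uid):
    """Supplementary group names 'id' would report for uid on that server."""
    wanted = set(visible_groups(conf_lines, entries))
    return sorted(rdns(e["dn"])[0].split("=", 1)[1]
                  for e in entries if e["dn"] in wanted and uid in e["memberUid"])
```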

pwdReset error!

2011-08-11 Thread pradyumna dash
Hi,

I would like my LDAP users to change their password on their first
login.

But when I add the pwdReset attribute to the ppolicy.schema file it throws an
error and the ppolicy schema file does not get loaded.

Please help.

Regards,
Pradyumna


Assigning Groups to LDAP users

2011-08-10 Thread pradyumna dash
Guys,

I have a query, let's take a scenario:

Assume we have 2 servers, Server1 and Server2, and 2 groups, Admin and
ITTech. What is needed is that when a user bob logs in to Server1 he will
get the group Admin, but when he logs in to Server2 he will get the group
ITTech. Also it may vary for different users: when Kris logs in to Server1
he may get a group called ITTech and when he logs in to Server2 he will get
some other group, say Security.
Can it be possible with OpenLDAP? If this is achieved then we are planning to
have SUDO files based on the groups.

It would be great if you can provide me some pointers or how-to.

Regards,
Neo


Re: Issue while Centralizing SUDO with OpenLDAP

2011-05-20 Thread pradyumna dash
Hi Buchan,

Thanks for your reply. I have tried, but the schema is not getting loaded,
don't know why. I have tried the same setup with CentOS and Red Hat and it
looks perfect.
I am using SuSE Enterprise 11.

Regards,
Pradyumna
On Tue, May 17, 2011 at 9:11 AM, Buchan Milne bgmi...@staff.telkomsa.net wrote:

 On Monday, 16 May 2011 17:38:31 pradyumna dash wrote:
  Hi,
 
  I am trying to achieve centralized SUDO, but am facing an issue. I
  suspect it's something to do with sudoers.schema, maybe I am wrong. I
  think somehow the slapd process is not able to read it. Please suggest
  how to fix the issue.

 [...]

  t710x02-6:/etc/openldap/schema # ldapadd -f /opt/newsudo.ldif -h
  127.0.0.1 -D cn=Manager,dc=example,dc=com -W -x
  Enter LDAP Password:
  adding new entry cn=defaults,ou=SUDOers,dc=example,dc=com
 
  ldap_add: Invalid syntax (21)
 
  additional info: objectClass: value #0 invalid per syntax
 
  sudoers.ldif
  dn: cn=defaults,ou=SUDOers,dc=example,dc=com
  #objectClass: top
  objectClass: sudoRole
  cn: defaults

 Please verify that you have actually included the sudoers.schema in your
 configuration, and that slapd was restarted after that.

 You could check that the objectclass exists in your server. In my case:

 $ ldapsearch -x -s base -b cn=subschema objectclasses|perl -p0e 's/\n //g' | grep -i sudo
 objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )


 Regards,
 Buchan
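A pre-flight check in the spirit of Buchan's advice, added here as an example (not code from the thread or from OpenLDAP): it parses objectClasses definitions in the form the ldapsearch above returns, with wrapped lines already joined, and validates an LDIF entry against them, so a schema that was never included shows up as an unknown objectClass before ldapadd reports "objectClass: value #0 invalid per syntax". The subschema text and the entry are constructed; only NAME, MUST and MAY are parsed.

```python
import re
# Constructed subschema output (wrapped lines joined, as Buchan's perl one-liner
# does); the sudoRole definition is the one quoted above, 'top' is standard.
SUBSCHEMA_WITH_SUDO = """\
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
"""
# Constructed entry in the shape of the sudoers.ldif from the thread.
SUDOERS_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
"""

def _names(text):
    # 'cn' or '( a $ b )' -> ['cn'] / ['a', 'b'], lower-cased
    return [a.lower() for a in re.findall(r"[A-Za-z][\w-]*", text)]

def parse_objectclasses(subschema_text):
    """objectClass name -> {'must': [...], 'may': [...]}; only NAME/MUST/MAY parsed."""
    classes = {}
    for line in subschema_text.splitlines():
        name = re.search(r"NAME\s+'([^']+)'", line)
        if not line.lower().startswith("objectclasses:") or not name:
            continue
        must = re.search(r"\bMUST\s+(\([^)]*\)|[\w-]+)", line)
        may = re.search(r"\bMAY\s+(\([^)]*\)|[\w-]+)", line)
        classes[name.group(1).lower()] = {"must": _names(must.group(1)) if must else [],
                                          "may": _names(may.group(1)) if may else []}
    return classes

def parse_ldif_entry(text):
    """One LDIF entry -> lower-cased attribute -> list of values (comments skipped)."""
    entry = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_entry(ldif_text, subschema_text):
    """Problems that would make slapd reject the entry; an empty list means OK."""
    classes, entry, problems = parse_objectclasses(subschema_text), parse_ldif_entry(ldif_text), []
    for oc in entry.get("objectclass", []):
        if oc.lower() not in classes:
            problems.append("unknown objectClass %r (schema not loaded?)" % oc)
        else:
            problems += ["objectClass %s requires attribute %s" % (oc, a)
                         for a in classes[oc.lower()]["must"] if a not in entry]
    return problems
```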