Re: help troubleshooting
- To: openldap-technical@openldap.org
- Subject: Re: help troubleshooting
- From: scar <scar@drigon.com>
- Date: Tue, 7 Feb 2017 17:01:39 -0700
- In-reply-to: <C65D358754E6DEA99CA58F20@[192.168.1.30]>
Quanah Gibson-Mount wrote on 01/31/2017 05:25 PM:
> --On Monday, January 30, 2017 7:08 PM -0700 scar <scar@drigon.com> wrote:
>> However, this brings me to the next problem: the contents of slapd.conf
>> do not match the slapd.d/cn\=config.ldif file, so it seems the fixes I am
>> trying to the ACLs don't have any effect, even when I restart slapd.
>> If I try "ldapmodify -nv" it just hangs. When I try to stop slapd and
>> remove slapd.d/* and then start slapd, the contents are recreated
>> according to the config file, but then users can't login (all I see in
>> the logfile is access_allowed and slap_access_allowed but no conn lines)
>
> If you are using the configuration backend for slapd, then you can
> ignore the slapd.conf file entirely, and simply use the ldapmodify
> command to modify your access rules. I suggest reading the ldapmodify
> manual page for information on how to properly execute it. If you are
> using a distribution provided build of OpenLDAP, the necessary steps may
> depend on how they configured things.
Well, it's kind of a mess here, and my lack of experience with LDAP isn't
helping much. There is no slapd-config program, although there is a
manual page entry for it. "yum whatprovides */slapd-config" returns no
packages.
I was able to enable users to change their passwords by directly
modifying /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
and adding these lines to the bottom:

olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=X,dc=Y,dc=Z" write by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=X,dc=Y,dc=Z" write by self write by * read
I know that's not proper, but I needed users to be able to change their
password. Thanks for the info about ACLs. The "next to last ACL"
mentioned is for the "database monitor" (see slapd.conf below), and I'm
not sure why "by * read" should be granted that access; perhaps you can
shed some light on why that exists in our config? Maybe I don't need
ACLs for that, so only rootdn has access?
We have a new LDAP server that I am setting up, so I'd like to focus on
moving the database and getting the new server into production, and we
can iron out the wrinkles in this mess at the same time. My
understanding is that I can use slapcat/slapadd to do the export/import...
I used "slapcat > /tmp/ldif" on the current server, then moved the ldif and
the updated [slapd.conf] file (see below) to the new server, then ran
"slapadd -l /tmp/ldif -l /etc/openldap/slapd.conf -F
/etc/openldap/slapd.d/", but I get an error when trying to start slapd:
"ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*.ldif:
No such file or directory", so how am I supposed to get the slapd.d/*
files? If I am to just copy those over from the current server then I'd
like to figure out why I had to modify the ldif file directly...
The current LDAP server is running RHEL 6.8 with kernel
2.6.32-642.11.1.el6.x86_64. The new LDAP server is running CentOS 6.8
with kernel 2.6.32-642.13.1.el6.x86_64. The nss/pam configuration for
one of our clients is this (i hope this is what Michael Wandel meant):
$ authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://foo.X.Y.Z"
LDAP base DN = "dc=X,dc=Y,dc=Z"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://foo.X.Y.Z"
LDAP base DN = "dc=X,dc=Y,dc=Z"
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is disabled
pam_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is disabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
$
[slapd.conf]
loglevel 128
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
moduleload ppolicy.la
TLSCertificateFile /etc/pki/tls/certs/foo_X_Y_X_cert.cer
TLSCertificateKeyFile /etc/pki/tls/certs/foo_X_Y_Z.key
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=X,dc=Y,dc=Z"
checkpoint 1024 15
rootdn "cn=Manager,dc=X,dc=Y,dc=Z"
rootpw {SSHA}<foo>
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=X,dc=Y,dc=Z"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid pres,eq,sub
index cn,sn pres,eq,sub,subany
index gidnumber,memberUid,uidNumber eq
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
# enable monitoring
database monitor
access to *
    by self write
    by * read
    by * auth
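To see what the two appended olcAccess lines and the monitor ACL above actually grant, here is a small evaluator of slapd's ACL semantics (first matching "to" clause wins, first matching "by" clause inside it decides). It is an added example, not code from the thread or from OpenLDAP; it handles only the target and subject forms used on this page, and the entry uid=alice,ou=People,dc=X,dc=Y,dc=Z is a constructed sample. It shows that rule {1} gives anonymous binds read access to every attribute except userPassword, and that the monitor ACL's "by * auth" can never be reached after "by * read".

```python
import re

# slapd privilege levels in order; a grant at one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(directives):
    """Parse 'access to <what> by <who> <level> ...' or 'olcAccess: {n}to ...'
    into ordered (what, [(who, level), ...]) rules. Only the forms used in this
    thread are handled: '*' and 'attrs=' targets; '*', 'self', 'anonymous',
    'users' and 'dn.base="..."' subjects."""
    rules = []
    for d in directives:
        d = re.sub(r"^\s*(?:olcAccess:\s*)?(?:access\s+)?(?:\{\d+\})?\s*", "", d.strip())
        what, rest = re.match(r"to\s+(\S+)\s+(.*)$", d).groups()
        rules.append((what, re.findall(r"by\s+(\S+)\s+(\w+)", rest)))
    return rules

def _who_matches(who, requester, entry):
    # requester == "" models an anonymous bind; entry is the DN being accessed.
    if who.startswith("dn.base="):
        return requester == who.split("=", 1)[1].strip('"')
    return {"*": True, "anonymous": requester == "", "users": requester != "",
            "self": requester != "" and requester == entry}.get(who, False)

def access_level(rules, requester, entry, attr):
    """First 'to' clause matching the target is the only one consulted; within it
    the first matching 'by' clause decides; no match anywhere means 'none'."""
    for what, bys in rules:
        if what == "*" or (what.startswith("attrs=") and attr in what[6:].split(",")):
            for who, level in bys:
                if _who_matches(who, requester, entry):
                    return level
            return "none"
    return "none"

def allowed(rules, requester, entry, attr, level):
    return LEVELS.index(access_level(rules, requester, entry, attr)) >= LEVELS.index(level)

def unreachable_clauses(rules):
    """'by' clauses listed after a 'by *' clause in the same 'to' are never evaluated."""
    out = []
    for what, bys in rules:
        for i, (who, _) in enumerate(bys):
            if who == "*":
                out += [f"to {what} by {w} {l}" for w, l in bys[i + 1:]]
                break
    return out

# The two olcAccess lines appended to olcDatabase={1}bdb.ldif and the monitor ACL
# from the slapd.conf above (joined onto one line); ALICE is a constructed entry.
BDB_ACL = parse_acl([
    'olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=X,dc=Y,dc=Z" write by * none',
    'olcAccess: {1}to * by dn.base="cn=Manager,dc=X,dc=Y,dc=Z" write by self write by * read',
])
MONITOR_ACL = parse_acl(["access to * by self write by * read by * auth"])
ALICE = "uid=alice,ou=People,dc=X,dc=Y,dc=Z"
```

Run `allowed(BDB_ACL, "", ALICE, "mail", "read")` to see the anonymous read that rule {1} grants, and `unreachable_clauses(MONITOR_ACL)` to list the dead clause.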