# ls -lR
cn=config
cn=config.ldif
./cn=config:
../
cn=schema/
olcDatabase={0}config/
olcDatabase={1}hdb/
cn=module{0}.ldif
cn=schema.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={0}config.ldif
olcDatabase={1}hdb.ldif
./cn=config/cn=schema:
admins@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
total 60
-rw-r----- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
-rw------- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
-rw------- 1 openldap openldap 2810 2010-04-01 00:31 cn={2}inetorgperson.ldif
-rw------- 1 openldap openldap 6446 2010-04-01 00:31 cn={3}nis.ldif
-rw------- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
-rw------- 1 openldap openldap 468 2010-04-15 04:07 cn={5}hostobj.ldi
./cn=config/olcDatabase={0}config <=== I probably messed this up while trying
multi-master replication, but didn't know how to delete these, so I left them
there thinking it will not harm my dynlist config anyway. Please correct me if
I'm wrong.
sudo ls /etc/ldap/slapd.d//cn=config/olcDatabase={0}config
olcOverlay={0}syncprov.ldif olcOverlay={5}syncprov.ldif
olcOverlay={10}syncprov.ldif olcOverlay={6}syncprov.ldif
olcOverlay={1}syncprov.ldif olcOverlay={7}syncprov.ldif
olcOverlay={2}syncprov.ldif olcOverlay={8}syncprov.ldif
olcOverlay={3}syncprov.ldif olcOverlay={9}syncprov.ldif
olcOverlay={4}syncprov.ldif
admins@x6:/etc/ldap$ sudo ls /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb
olcOverlay={0}dynlist.ldif
admins@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 342d7130-d1ac-102e-9cd4-e742ad24bbaf
creatorsName: cn=config
createTimestamp: 20100401073034Z
olcServerID: 1 ldap://x6.testlab.com
olcServerID: 2 ldap://x6slave.testlab.com
entryCSN: 20100415071243.393226Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100415071243Z
contextCSN: 20100415110741.696825Z#000000#000#000000
admins@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}dynlist.la
olcModuleLoad: {2}syncprov
structuralObjectClass: olcModuleList
entryUUID: d01365fa-d1ac-102e-845b-c590dd936017
creatorsName: cn=localroot,cn=config
createTimestamp: 20100401073455Z
entryCSN: 20100414110801.212307Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100414110801Z
admins@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}dynlist.ldif
dn: olcOverlay={0}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames labeledURI member
structuralObjectClass: olcDynamicList
entryUUID: 4a9d0a38-d5b3-102e-8fe9-d7eabe4068a1
creatorsName: cn=admin,cn=config
createTimestamp: 20100406103123Z
entryCSN: 20100406103123.135808Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100406103123Z
My ldap.conf is there in the first thread. Do you see any issues that I need
to take care of? Anything you think I could be missing here?
Thanks
Shamika
On Mon, Jun 7, 2010 at 3:38 PM, Shamika Joshi <shamika.joshi@gmail.com> wrote:
Thanks for the reply & details Adam
I shall try matching my config to this & get back to you.
thanks a ton
Shamika
On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough <adam@gradientzero.com> wrote:
My guess is that your config on the server is not right. So it looks
like you are using slapd.d, which is what I am using as well. (I
think I need to upload some updated rpms to gradientzero as well.)
I used this site to help me get my configuration working
http://www.zytrax.com/books/ldap/ch6/slapd-config.html
So my directory structure looks like:
NOTE: While you can edit these files through the filesystem, I highly
recommend that you edit the files through ldap commands. I use Apache
Directory Studio as my GUI type front end, use ldapvi when I just
want to make changes to values already in the ldap server, and then to
make major changes I use ldapmodify.
PWD=/etc/openldap/slapd.d
# ls -lR
.:
total 8
drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
-rw------- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif
./cn=config:
total 100
-rw------- 1 ldap ldap 575 Sep 1 2009 cn=module{0}.ldif
drwxr-x--- 2 ldap ldap 4096 Mar 4 12:42 cn=schema
-rw------- 1 ldap ldap 61687 Sep 1 2009 cn=schema.ldif
drwxr-x--- 2 ldap ldap 4096 Sep 2 2009 olcDatabase={0}config
-rw------- 1 ldap ldap 2067 Nov 12 2009 olcDatabase={0}config.ldif
drwxr-x--- 2 ldap ldap 4096 Mar 4 11:36 olcDatabase={1}bdb
-rw------- 1 ldap ldap 4093 May 26 16:48 olcDatabase={1}bdb.ldif
-rw------- 1 ldap ldap 2041 May 21 13:31 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap 522 Sep 1 2009 olcDatabase={2}monitor.ldif
./cn=config/cn=schema:
...<SCHEMAS in this directory deleted to make this shorter>.
./cn=config/olcDatabase={0}config:
total 4
-rw------- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif
./cn=config/olcDatabase={1}bdb:
total 24
-rw------- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif
-rw------- 1 ldap ldap 474 Sep 2 2009 olcOverlay={1}ppolicy.ldif
-rw------- 1 ldap ldap 397 Sep 3 2009 olcOverlay={2}memberof.ldif
-rw------- 1 ldap ldap 494 Sep 2 2009 olcOverlay={3}refint.ldif
-rw------- 1 ldap ldap 425 Sep 9 2009 olcOverlay={4}dynlist.ldif
-rw------- 1 ldap ldap 530 Mar 4 11:36 olcOverlay={5}unique.ldif
Now for some listing of my ldifs that you think you are needing to see.
# cat cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigDir: /etc/openldap/slapd.d
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
olcTLSVerifyClient: never
structuralObjectClass: olcGlobal
olcTLSCACertificateFile: /etc/pki/certmaster/ca.cert
entryUUID: e686e389-d0eb-4987-a240-fee46028c0a6
creatorsName: cn=config
createTimestamp: 20090901234827Z
olcTLSCRLCheck: none
olcTLSCertificateFile: /etc/openldap/cacerts/server.cert
olcTLSCertificateKeyFile: /etc/openldap/cacerts/key.pem
olcServerID: 2 ldaps://2
olcServerID: 1 ldaps://1
olcServerID: 3 ldaps://3
olcPidFile: /var/run/openldap/slapd.pid
olcToolThreads: 1
olcThreads: 16
# cat cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}dynlist.la
olcModuleLoad: {1}pcache.la
olcModuleLoad: {2}ppolicy.la
olcModuleLoad: {3}refint.la
olcModuleLoad: {4}retcode.la
olcModuleLoad: {5}syncprov.la
olcModuleLoad: {6}unique.la
olcModuleLoad: {7}memberof.la
structuralObjectClass: olcModuleList
# cat cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{4\}dynlist.ldif
dn: olcOverlay={4}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {4}dynlist
structuralObjectClass: olcDynamicList
I think these should help you find where you have gone wrong with the
configuration of the slapd configuration.
So in my actual directory I have an ou=Systems,dc=domain,dc=ZZZ
cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
cn: sysadmin
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=domain,dc=ZZZ
labeledURI: ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)
The nobody user is a fake user that is in all my groups; the user
cannot log in. The labeledURI says that if a user has host=sysadmin they
should be in this group.
/etc/ldap.conf:
pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
pam_member_attribute member
Also note that I hacked my schema to allow the host attribute in the
PosixAccount users.
On Wed, Jun 2, 2010 at 7:06 AM, Shamika Joshi <shamika.joshi@gmail.com> wrote:
Hi
I've followed Adam's post below on 'using pam_groupdn to use
dynlist', in reply to my query posted a couple of months back, and after
revisiting this configuration I'm facing an issue with doing ssh to the
client machine as a dynamic member of the group. It works
correctly for the static members of the same group. Could you
figure out if I'm missing something here?
Currently using Ubuntu 9.10, which uses the slapd.d configuration
directory.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}dynlist.la
olcModuleLoad: {2}syncprov
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=testlab,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=testlab,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=testlab,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=testlab,dc=com
olcRootPW: 1234
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames labeledURI member
ldap.conf on client machine contains
# Group to enforce membership of
pam_groupdn cn=u910desk,ou=Machines,dc=testlab,dc=com
# Group member attribute
pam_member_attribute member
I have added following group
dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
cn: u910desk
ipHostNumber: 172.17.5.232
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: ipHost
labeledURI: ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)
member: cn=placeholder,dc=testlab,dc=com
member: uid=henry,ou=Users,dc=testlab,dc=com
Also a user with a host=cms3 entry, which should become a dynamic
member of 'u910desk' after resolving the labeledURI above
dn: uid=jack,ou=Users,dc=testlab,dc=com
cn: jack
sn: jack
givenName: jack
uid: jack
uidNumber: 1002
gidNumber: 513
homeDirectory: /home/jack
loginShell: /bin/bash
gecos: System User
host: cms3
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: hostobj
shadowMax: 45
However, when I run a search for members of the group 'u910desk' it
returns the following; the member list does not contain an entry for
user 'jack':
$ ldapsearch -xLLL -b 'cn=u910desk,ou=Machines,dc=testlab,dc=com' member
dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
member: cn=placeholder,dc=testlab,dc=com
member: uid=henry,ou=Users,dc=testlab,dc=com
For the same reason (not sure though) I think I'm not able to ssh to this
client using 'jack'; however, ssh using 'henry' works, it being a
static member of 'u910desk'.
admins@u910desk:~$ ssh jack@localhost
jack@localhost's password:
You must be a member of cn=u910desk,ou=Machines,dc=testlab,dc=com
to login.
Connection closed by ::1
admins@u910desk:~$
admins@u910desk:~$ ssh henry@localhost
henry@localhost's password:
Linux u910desk 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10
17:01:44 UTC 2009 x86_64
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
164 packages can be updated.
90 updates are security updates.
Last login: Wed Jun 2 17:10:19 2010 from localhost
henry@u910desk:~$
Any help in this matter will be highly appreciated.
Thanks in advance
Shamika
On Sat, Dec 12, 2009 at 4:53 AM, Adam Hough <adam@gradientzero.com> wrote:
I am guessing you are either using RHEL5, CentOS5 or some
other RHEL5 based distro. I replaced the openldap that was on
my CentOS5 machines with a newer version at 2.4.16+patches.
I have uploaded the rpms and srpms of what I used which you
can do a drop in replacement of the RHEL5 based openldap rpms.
http://www.gradientzero.com/openldap/
I do not remember for sure, but I think I had to force one or two
of the packages to get it to install, but once everything is
installed it ran fine for me. I have 3 ldap servers
using this version set up in a multi-master setup.
Since I am doing a multi-master setup, I do not use slapd.conf
but rather the slapd.d configuration directory, though the
dynlist overlay should work with slapd.conf as well.
- Adam
On Fri, Dec 11, 2009 at 4:18 AM, Adam Hough <adam@gradientzero.com> wrote:
There are other ways to populate the pam_groupdn that
you have associated with each machine, but those all
correspond to some attribute in the user's profile.
I have pam_groupdn setup like this
/etc/ldap.conf:
pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
pam_member_attribute member
cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
cn: <GROUP_NAME>
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=domain,dc=com
labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(host=<type of system>)
labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=XXXX)
So as you can see you can have as many labeledURI
attributes as you want or need. I tend to use the
host name as a function of what the host does.
This is how my account profile would look:
uid=<MYUSERID>,ou=People,dc=domain,dc=com
host: "cluster"
host: sysadmin
So "cluster" is a compute cluster that we have, and
thus for all those machines the pam_groupdn is
cn="cluster",ou=Systems,dc=domain,dc=com, and for
machines where only the sysadmins log in,
pam_groupdn is cn=sysadmin,ou=Systems,dc=domain,dc=com.
As long as you can form a labeledURI:
ldap:///ou=People,dc=domain,dc=com??one?(<attribute>=<value>)
type search, you can use it to auto-populate the group.
Summary:
* Do not think of the host attribute as host =
hostname but as host = type of machine, and note that you
can have more than one labeledURI per group to help
populate the group.
* Use good gidNumbers for groups to help auto-populate
groupOfNames style groups.
- Adam
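The mechanism Adam describes above (a groupOfNames whose member list is filled from one or more labeledURI searches, checked by pam_ldap's pam_groupdn), and the failing u910desk case from the Jun 2 post, modelled offline in Python. This is an added example written for this page, not code from slapd, pam_ldap, OpenLDAP or any poster. It parses a labeledURI the way slapo-dynlist consumes it (RFC 4516 base, scope and filter), expands a group against a small in-memory directory, and answers the compare of member=<user DN> that the pam_groupdn check performs. The DIRECTORY, U910DESK_AS_POSTED, U910DESK_FIXED and SYSADMIN structures and every DN in them are constructed sample data shaped like the entries quoted in the thread; the filter parser covers only equality, presence and &/|/!. Two points the model makes visible: slapo-dynlist only expands URIs with an empty host part (ldap:///...), searching the local database, and rejects a URI that names a host with an "illegal URI" message that is logged even at olcLogLevel none, so syslog is the first place to look. Every working URI in Adam's posts is ldap:///, while the u910desk labeledURI in the Jun 2 post names 172.17.0.200. Scope also matters: with scope one the user entry must sit directly under the base DN.

```python
"""Offline model of slapo-dynlist group expansion and the pam_groupdn check: an
added illustration for this thread, not code from slapd, pam_ldap or any poster.
DIRECTORY and the groups below are constructed data shaped like the quoted entries."""
from urllib.parse import urlsplit, unquote

DIRECTORY = {   # DN -> {attribute (lower-case): [values]}
    "uid=jack,ou=Users,dc=testlab,dc=com": {"host": ["cms3"], "gidnumber": ["513"]},
    "uid=henry,ou=Users,dc=testlab,dc=com": {"host": ["cms3"], "gidnumber": ["513"]},
    "uid=nobody,ou=Users,dc=testlab,dc=com": {"gidnumber": ["65534"]},
    # one level below ou=Users: missed by scope "one", reached by "sub"
    "uid=deep,ou=Contractors,ou=Users,dc=testlab,dc=com": {"host": ["cms3"], "gidnumber": ["513"]},
}

def norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()   # trim, fold case

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def parse_ldap_url(url):
    """RFC 4516 URL -> (base, scope, filter); None if the URL names a host.
    slapo-dynlist only searches the local database and skips such URIs
    (it logs "illegal URI"); the working URIs in this thread are ldap:///."""
    parts = urlsplit(url)
    if parts.scheme != "ldap" or parts.netloc:
        return None
    fields = parts.query.split("?") + [""] * 4       # attrs?scope?filter?exts
    return unquote(parts.path.lstrip("/")), fields[1] or "base", unquote(fields[2])

def parse_filter(text):
    """Tiny RFC 4515 parser: (attr=value), (attr=*), and &, |, ! over them."""
    def node(i):
        if text[i] != "(":
            raise ValueError("bad filter at offset %d" % i)
        if text[i + 1] in "&|!":
            op, i, kids = text[i + 1], i + 2, []
            while text[i] != ")":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        j = text.index(")", i)
        attr, _, value = text[i + 1:j].partition("=")
        return ("=", attr.lower(), value), j + 1
    return node(0)[0]

def matches(entry, f):
    if f is None:                                      # empty filter = (objectClass=*)
        return True
    if f[0] == "=":
        values = [v.lower() for v in entry.get(f[1], [])]
        return bool(values) if f[2] == "*" else f[2].lower() in values
    if f[0] == "&":
        return all(matches(entry, k) for k in f[1])
    if f[0] == "|":
        return any(matches(entry, k) for k in f[1])
    return not matches(entry, f[1][0])                 # "!"

def expand_group(group, directory=DIRECTORY):
    """Member values a client sees for a dynlist-managed groupOfNames: the static
    ones plus every entry each labeledURI matches; also the URIs left unexpanded."""
    members = list(group.get("member", []))
    seen = {norm_dn(m) for m in members}
    skipped = []
    for url in group.get("labeledURI", []):
        parsed = parse_ldap_url(url)
        if parsed is None:
            skipped.append(url)
            continue
        base, scope, flt = parsed
        tree = parse_filter(flt) if flt else None
        for dn, attrs in directory.items():
            if in_scope(dn, base, scope) and matches(attrs, tree) and norm_dn(dn) not in seen:
                members.append(dn)
                seen.add(norm_dn(dn))
    return members, skipped

def pam_groupdn_allows(user_dn, group, directory=DIRECTORY):
    """pam_ldap's pam_groupdn test: an LDAP compare of <pam_member_attribute>=<user DN>
    on the group entry, which dynlist answers from the same expansion a search gets."""
    members, _ = expand_group(group, directory)
    return norm_dn(user_dn) in {norm_dn(m) for m in members}

# u910desk as posted (URI carries a host) and with ldap:/// instead.
U910DESK_AS_POSTED = {
    "member": ["cn=placeholder,dc=testlab,dc=com", "uid=henry,ou=Users,dc=testlab,dc=com"],
    "labeledURI": ["ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)"],
}
U910DESK_FIXED = dict(U910DESK_AS_POSTED,
                      labeledURI=["ldap:///ou=Users,dc=testlab,dc=com??one?(host=cms3)"])
# Adam's pattern: several URIs on one group are unioned; sub scope reaches deeper.
SYSADMIN = {
    "member": ["uid=nobody,ou=Users,dc=testlab,dc=com"],
    "labeledURI": ["ldap:///ou=Users,dc=testlab,dc=com??one?(host=sysadmin)",
                   "ldap:///ou=Users,dc=testlab,dc=com??sub?(gidNumber=513)"],
}
```

Calling expand_group(U910DESK_AS_POSTED) returns only the two static members and reports the host-bearing URI as skipped, which is the ldapsearch result in the Jun 2 post; expand_group(U910DESK_FIXED) adds uid=jack once and leaves henry unduplicated, and pam_groupdn_allows then succeeds for jack. On a real server the equivalent check is the same `ldapsearch -xLLL -b <group dn> member` from the post, run after the labeledURI value has been changed to the ldap:/// form.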
On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi <shamika.joshi@gmail.com> wrote:
Hi Adam,
I'm able to get host auth working by using the host
attribute. But the drawback of that is every time
there is a new machine, I have to add that host to
all the users I want to grant access to. If I
decide to do it based on group membership, I can
use pam_groupdn, but then it does not allow
multiple group entries there, plus it has to be
managed on the client side, which is even more
undesirable for any administrator.
I went through this article but I'm not sure if it
will work if I have some members already
associated with some groups. Like ldap1 & ldap2
members of qagroup & ldap3 & ldap4 members of
sysadmin, would this method allow me to limit
access based on their group membership? If
yes... could you briefly explain with an example?
Thanks for your time in advance
Shamika
On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough <adam@gradientzero.com> wrote:
Here is the write-up that I read to figure
out how to set up auto-restricting users to
certain hosts.
http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam