CentOS 5 Server :: Openldap Acl Not Working As Expected?
Jun 22, 2009
CentOS 5.2. Openldap server-2.3.27-8.el5_2.4 I'm trying to get the server to do two things. One is allow authentication--that is, if a client is configured to use openldap for authentication, it should be able to access this server.
In other words, on machine_2, a client, doing getent passwd (as a quick test) will show the users in the openldap database. The more or less out of the box configuration works for this. However, as soon as I start trying to add ACLs, it stops working. For example, I want to restrict access to an address book which is also in the database. So I have
access to dn.base="ou=addressbook,dc=example, dc=com" (changing base to subtree makes no difference)
        by users read
        by anonymous auth
Now, even though this is just the address book, after that an LDAP client can no longer get the names of users in ou=People, and using the LDAP server for authentication doesn't work.
I don't understand what I'm missing. ACLs are supposed to work on a first-match-wins basis. *IF* I add under that, access to * by * read, it will work, but the address book can then be accessed without a bind DN.
I am not sure what I'm overlooking. If I put in any sort of access control, the only way that clients can continue to use the server for authentication is adding that access to * (or to "dc=example,dc=com") by * read. I tried using access to ou=Group and ou=People by * read, thinking that would allow the clients to authenticate, but that doesn't work either. The idea is to allow any machine configured as a client to use it for authentication, but also to restrict viewing the address book to those with a proper bind DN.
View 4 Replies
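The symptom described in the post (everything stops working as soon as one access directive exists) is what first-match-wins produces when the remaining entries match no directive at all: slapd denies access to an entry that no "access to" clause covers. The following slapd.conf fragment is an added example, not the poster's configuration; it assumes the ou=People, ou=Group and ou=addressbook containers from the post under dc=example,dc=com and nss_ldap clients that search anonymously, and keeps the address book bind-only for anonymous users while account lookups and password binds keep working:

```conf
# slapd.conf ACL fragment (added example, not the poster's configuration).
# Assumes the tree from the post: ou=People, ou=Group and ou=addressbook
# under dc=example,dc=com, with nss_ldap clients that search anonymously.
#
# slapd walks these directives top to bottom. The first "access to" whose
# target matches the entry being accessed is the only one consulted, and
# inside it the first matching "by" clause decides. An entry that matches
# no directive at all is denied, which is why a lone addressbook rule
# locks anonymous clients out of ou=People.

# 1. Password hashes first, before any broader rule could expose them:
#    a simple bind needs "auth" access, nobody needs to read the hash.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The address book: readable only after a successful bind.
#    dn.subtree covers the entries inside the ou; dn.base would match
#    the ou entry itself and nothing below it.
access to dn.subtree="ou=addressbook,dc=example,dc=com"
        by users read
        by anonymous auth
        by * none

# 3. What nss_ldap fetches before any user has bound: the search base
#    and the account and group entries (hashes are already covered by
#    rule 1, so "read" here does not leak them).
access to dn.base="dc=example,dc=com"
        by * read
access to dn.subtree="ou=People,dc=example,dc=com"
        by * read
access to dn.subtree="ou=Group,dc=example,dc=com"
        by * read

# 4. Explicit catch-all for anything added later, so nothing is left to
#    the implicit deny by accident.
access to *
        by users read
        by * none
```

Check the file with slaptest -f /etc/openldap/slapd.conf before restarting, then compare an anonymous ldapsearch -x -b "ou=addressbook,dc=example,dc=com" (should return nothing) with the same search using -D with a user's bind DN and -W (should return the entries).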
Nov 23, 2009
I want to build a domain like abc.com in my LAN environment. Kindly tell me the step-by-step procedure for installing OpenLDAP on CentOS 5.3.
View 2 Replies
Feb 2, 2011
I configured OpenLdap and now I want to configure it using TLS-SSL
But I cannot get it working with the Linux clients. Environment: Centos 5.5
Openldap Server configuration:
View 12 Replies
Jul 2, 2011
I can't get the client server to authenticate to the openldap server. I can authenticate on the server itself though. I can su to, login and ssh into the openldap server and become an ldap user. I just can't become an ldap user on the client. I didn't set up TLS/SSL. I can do that after I have it working. I'm using hashed passwords though. I don't have replication set up. I am trying to set up the most basic openldap environment then build from there. I have read the openldap section in the admin guide.
My setup at home.
Openldap server - light.deathnote.net - 10.0.1.21
client server - vm-centos01.deathnote.net - 10.0.1.7 (VM on VirtualBox)
VirtualBox host - L (OS: Mac) - 10.0.1.2
router (Apple AirPort Extreme) / default gateway - 10.0.1.1
All computers can reach the internet and ping each other. When I installed CentOS I disabled SELinux. I used these guides to set up my openldap.
[URL]
Below I have included some output from the files I'm using with openldap.
[root@vm-centos01 ~]# tail /var/log/messages
Jul 2 09:25:33 vm-centos01 xfs: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Jul 2 09:25:49 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://light.deathnote.net: Can't contact LDAP server
Jul 2 09:25:49 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://10.0.1.21/: Can't contact LDAP server
[code]....
View 5 Replies
Aug 17, 2010
I would like to remove openldap from my CentOS home server.
CentOS offers me:
Quote:
Removing:
openldap i386 2.3.43-12.el5_5.2 installed 592 k
openldap x86_64 2.3.43-12.el5_5.2 installed 598 k
[Code]...
Obviously I will not remove openldap with this operation, but my question is: is there another way to remove a single package with yum without "consequences"?
View 4 Replies
Apr 30, 2011
Friends, is there some way to authenticate Microsoft Windows users from openldap running on CentOS? I would be very thankful if you could provide me with a step-by-step procedure.
View 1 Replies
Jun 4, 2010
I used setfacl to set permissions as follows:
As you can see, all settings lead to permissions 777, but that's not what happens. If I, say, touch a file, I get 666, as this shows:
Same for files that are not obviously scripts such as just a.txt.
My umask is 0022.
Does anyone know why this is? Is it changeable for specific directories?
This is a special world viewed directory required by a piece of software... in other words, no, I am not in a habit of setting file permissions to 777 so please no comments about you shouldn't be using such permissions.
Truthfully, I can probably get away with permissions 666 and will if I can but right now I just want to know why it's happening this way and how to control it.
View 4 Replies
Mar 24, 2010
I'm trying to test whether some software that I am using will behave as expected when the DST changeover occurs. I'm specifically testing it for the GB timezone when it enters British Summer Time (BST) and then reverts to GMT. From the information I have, BST starts: Sunday 28 March 01:00 GMT (02:00 BST) and ends: Sunday 31 October 02:00 BST (01:00 GMT). To do this test I wrote a shell script that sets the date, runs the program, checks some logs and then reverts the time.
Entering BST was fairly straightforward, as all I had to do was the following:
Code:
export TZ=GB
date 032800582010
This set the date to 28th March and the time to 00:58 in the GB (GMT) timezone. As expected, the date then rolled forward to 02:00 BST. However, when I tried to do the same for coming out of BST into GMT, the time did not work out as expected.
Code:
export TZ=GB
date 103101582010
Setting the time as above put the time straight into GMT and not BST, even though it was two minutes before the time should have rolled over.
However, if I put the following:
Code:
export TZ=GB
date 103100582010
the date was reported as BST!
How can I setup the time so that I don't have to wait for hour before BST ends?
View 2 Replies
May 13, 2011
On Slackware64 13.1 the as-installed en_GB locale gave Sunday as the first day of the week. This was not an issue until Xfce's Orage calendar was used, when its display of Sunday as the first day of the week was off-putting for someone used to Monday. A minor inconvenience, but expected to be easy to fix.
At the command line:
Code:
c@CW8:~$ export LANG=en_GB <== same for en_GB.utf8
[code]....
View 2 Replies
Jun 20, 2010
On the computer on which I have to log in, Shoreline is installed. I know I can add a rule to /etc/shoreline/rules, but I decided to manually enter an iptables rule by typing:
Quote:
/sbin/iptables -A local2fw -s 10.100.98.74 -p tcp -m tcp --dport 22 -j ACCEPT
Then why am I not able to log in using 10.100.98.74? I get a connection refused error...
View 3 Replies
May 5, 2010
There is this one server running CentOS 5.4 Final which has a certain application, Bugzilla. I have set up ssh on it, and the setup is for passwordless authentication. I have also set PasswordAuthentication to no. So password authentication should not succeed, but it does. Though passwordless authentication is working fine, I am also able to log in using a password.
Code:
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
View 4 Replies
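On CentOS 5 sshd runs with UsePAM yes, and ChallengeResponseAuthentication defaults to yes, so a client can still send the same password through the keyboard-interactive method after PasswordAuthentication has been set to no. The fragment below is an added example, not the poster's file; it shows the settings that close that path and how to verify the result:

```conf
# sshd_config fragment (added example, not the poster's file).
# "PasswordAuthentication no" removes only the "password" method. With
# "UsePAM yes" the "keyboard-interactive" method still hands whatever the
# client types to PAM, so it must be switched off as well.
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
# Closes the PAM keyboard-interactive path.
ChallengeResponseAuthentication no
# Keep PAM for account and session handling; it no longer prompts for passwords.
UsePAM yes
# Root, if it may log in at all, by key only.
PermitRootLogin without-password

# Apply on the server, then verify from a client:
#   sshd -t && service sshd reload
#   ssh -v -o PreferredAuthentications=password,keyboard-interactive user@server
# The ssh command must end with "Permission denied (publickey)." and its -v
# output should show "Authentications that can continue: publickey" only.
```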
May 31, 2011
So those of you that know me will agree that when it comes to awk I don't usually ask a lot of questions... however, this one has me stumped. I am guessing I have missed something obvious, but for the life of me (and I have tested at great length) I cannot find it. So the scenario is this: the following awk code should identify all versions of libgpg-error within the attached file (see below) and only show one for each version:
[Code]...
View 12 Replies
Mar 4, 2010
I want to try out the screenlet called Folder View: [URL] I have downloaded and installed it fine. However, when I double-click on it (or use the Start/Stop button) there is a momentary flash and then nothing interesting. I have checked on the widget layer and on all desktops, and I have tried various settings in Options, all to no avail.
View 2 Replies
Nov 9, 2010
I have tried to find a solution in existing posts but could not specifically find any with my kind of issues, hence a new post on an oft-repeated subject, and apologies for a long, long post here. Here is where I am. On an AMD 64-bit machine I have Ubuntu 10.10 desktop installed. I want this development machine to support virtual mailboxes so that I can use them from multiple apps and create real-life deployment situations. I installed postfix + dovecot following the tutorials available here, and the current state is: I can send mails using telnet sessions and I see that the mail files are getting created in /Maildir form as I have directed in the conf files. I have configured the Thunderbird mail client as well.
Issue #1: Mail sending works from Thunderbird, but it always responds with a 'No mail on server' message when I try to receive mails. SMTP is configured with STARTTLS and POP3 with None (i.e. plain text password).
Issue #2: Also, while going through conf, logs and during testing, I found a few things which differ in this installation for authentication. I have given the session transcripts here.
Issue #3: That being the major issue, I also want to configure my virtual users to use the TB client to access their mails. I did not find any tutorials or pointers towards that in my search for the past few days. If I send mails to a non-Unix virtual user, the mail gets stored in the /home/vmail/<domain>/<user>/new directory.
Here are the conf files. main.cf for postfix:
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
[code]....
View 1 Replies
Jun 25, 2011
I want to rename a bunch of files and directories to remove the spaces in the names, easy enough, right?
Code:
for source in $(find ./); do target=$(echo "$source"|sed -e 's/ /_/g'); mv -f "$source" $target; done
Well, I thought that should have worked, but the problem is that $source comes up broken; when I run it with echo instead of mv I get the echo with broken names.
Code:
In this case "$source"="This is the file I want to rename"
$ echo "$source"
[Code]....
View 3 Replies
Mar 13, 2011
Not sure if this is the correct area to ask this question as it pertains to Upstart but not necessarily to Ubuntu.
Anyhoo, I have made a small alteration (obviously the cause of the error) but am not really sure why it does not work.
rsyslog.conf:
Code:
# rsyslog - system logging daemon
#
# rsyslog is an enhanced multi-threaded replacement for the traditional
# syslog daemon, logging messages from applications
[Code].....
View 3 Replies
May 24, 2011
I'm trying to get SASL working with OpenLDAP + TLS. I got it working without TLS with these settings:
[code]...
What am I doing wrong?
View 1 Replies
Mar 12, 2010
I haven't done a great deal of networking with Linux, so bear with me if the solution seems obvious. I've got four machines with two Ethernet cards each; one on-board and one PCI. I'm trying to get it set up so that the PCI card is eth0, then the on-board eth1. This isn't going as easily as I would have thought. I expected I could just go to network configuration, switch to the "Hardware" tab, change the on-board card to be device eth1, change the PCI to be device eth0, then go to the "Devices" tab and change the nickname to match the device.
This has decidedly not worked at all. Additionally, on some of the machines that I haven't messed with, the device name for the PCI card isn't ethN, it's something like "Intelnnnnn" (some string of numbers that I don't have in front of me). Something more specific to the card, I'm sure, but while I can assign that device a nickname, I can't use it. I can ping -I Intelnnnnn ip.add.re.ss, but I can't ping -I eth3 ip.add.re.ss.
Where am I going wrong here? I've looked at a few tutorials online but they look far more complicated (read_device_bus_id? qeth device?) than should be necessary for just what I'm trying to do.
View 7 Replies
Jul 8, 2010
New to CentOS 5.5, I'm experiencing some trouble continuing my configuration. I've just installed the VMware tools and configured my network card with system-config-network:
Edit eth0 (eth0) - vmxnet3 -> with a static IP
I rebooted my server and since then I have lost my eth0. I still see it in system-config-network, but I can't activate it anymore:
/etc/init.d/network start
Bringing up interface eth0: Device eth0 has different MAC address than expected, ignoring. [FAILED]
View 2 Replies
Dec 1, 2010
I have some files on the server dated several months ago, but they are invisible to a `find -mtime 7` search. When I list them with `ls -l` they look perfectly normal:
-rw-r--r-- 1 root root 347253 Jun 12 16:26 pedia_main.2010-06-12-04-25-02.sql.gz
-rw-r--r-- 1 root root 490144578 Nov 24 16:26 gsmforum_main.2010-11-24-04-25-02.sql.gz
"find -mtime" does not work as expected on files with different timezones?
View 3 Replies
Feb 27, 2010
I have an Acer Aspire 6930g with an nVidia GeForce 9300m GS which has a broken screen. I have been using an external monitor for some time using Linux Mint, without issue.
I initially set this up with great difficulty using the small parts of the screen that would still display an image at the time. Now, however, the screen is totally dead, and I have since disconnected the laptop monitor in order not to cause issues.
The issue I am currently having is trying to use live distros.
I'll give you an example: I boot Ubuntu 9.10 32-bit and it gets to the initial boot menu. I choose "Try Ubuntu...". It shows the loading screen. The screen goes blank when going to the desktop.
I tried Ctrl+Alt+F1 to get to a terminal, but the screen stays blank. The same thing happens with both Knoppix and Backtrack 4 as well. The display goes blank upon switching to the desktop.
View 2 Replies
Jun 21, 2011
I'm trying to write a program that uses OMAPI, but when I put in the includes dhcpctl.h and isc/result.h I'm not able to compile the source.
In file included from /usr/include/dhcpctl.h:38,
from rece.c:11:
/usr/local/include/omapip/omapip.h:40:22: error: dns/tsec.h: No such file or directory
In file included from /usr/include/dhcpctl.h:38,
[code]....
I tried to install bind-devel-9.3.6 and 9.3.4...and still no file...
View 5 Replies
Aug 1, 2009
I've just installed my first OpenLDAP + TLS + Samba + Webmin box. Everything seems to work, but when I try to open the LDAP User and Group module from Webmin it takes about 3 minutes, though it works. When I use $ getent passwd or $ getent group to see if everything works okay, it also takes ages but does not show my LDAP users... Here's my spec:
$ cat /proc/version
Quote:
Linux version 2.6.18-128.2.1.el5 (mockbuild@builder10.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-44)) #1 SMP Tue Jul 14 06:36:37 EDT 2009
View 3 Replies
Mar 22, 2010
I am facing the following error when I try to install OpenLDAP and run the ./configure command.
./configure
Configuring OpenLDAP 2.4.21-Release ...
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
[Code]...
View 2 Replies
Dec 17, 2010
I have set up an OpenLDAP + Samba PDC. When I create a user and group, I get errors:
smbldap-group -a admin
No such object at /usr/sbin/smbldap_tools.pm line 457
smbldap-useradd -am -g admin admin
Could not find base dn, to get next uidNumber at /usr/sbin/smbldap_tools.pm line 1192
View 3 Replies
Jul 30, 2010
I have a problem to get it to work. The installer seems to read the preseed-file alright, and some of the values defined in the preseed-file are taken into account. The questions regarding locale, keyboard layout and time zone are answered using the preseed-file, but in the user account creation-step the process goes wrong. The Full name-field is obtained from the preseed-file, but the login-name is generated by the installer and not read from the preseed. Also the password-fields are empty and not filled in. Also the script that I've defined with preseed/late_command is never run.
I tried searching the forums but no-one had exactly this kind of problem, so it makes me think that this has to be some trivial error I'm doing. Could someone take a look at these configs and see if there's something wrong with them? How should I continue resolving this?
[Code]....
View 1 Replies
Jan 25, 2011
I configured my openldap but now I want to implement SSL-TLS
This is my basic slapd.conf configuration
Code:
And I created this script (simple, I know) to create this TLS/SSL config, but it won't work: users cannot log in.
The path I move the certs to is /etc/openldap/cacerts.
Code:
As you see, I create the key and certificate, assign permissions, add stuff to slapd.conf and finally copy the cert to a client PC.
On client side I use authconfig-tui
My environment is CentOS 5.5.
What is wrong with my config?
View 5 Replies
Jun 8, 2010
Code:
$ su -c 'yum install wine'
This forum won't let me put all the text in. Transaction Check Error:
package openldap-2.4.21-6.fc13.x86_64 (which is newer than openldap-2.4.21-4.fc13.i686) is already installed
package nss-softokn-freebl-3.12.4-19.fc13.x86_64 (which is newer than nss-softokn-freebl-3.12.4-17.fc13.i686) is already installed
View 4 Replies
Feb 22, 2009
I'm stepping out with LDAP for the first time. It's up and running. My question is really closer to DB4, the Berkeley database. When I start the ldap service I get this output:
# service ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=com.
config file testing succeeded
View 3 Replies
Jan 28, 2009
Openldap 2.4.11 uses cn=config as the main configuration instead of slapd.conf .
How do I add a new schema to openldap 2.4.11 when it uses cn=config?
View 12 Replies