Ubuntu :: OpenLDAP + Dovecot Login On 11.04
Aug 7, 2011
I have OpenLDAP and Dovecot installed based on the following documents: DovecotLDAP, OpenLDAPServer (using RTC). When Dovecot is set up to log in without using LDAP, connections work fine. However, as soon as I change the dovecot.conf to use LDAP I get the following error when trying to log in:
[Code]....
Apr 5, 2011
I'm using OpenLDAP (slapd) to store user accounts. But how can I ensure that each UserID can only be logged in on one machine at any one time?
I'm using Ubuntu for both client and server.
Dec 22, 2010
I have configured an LDAP server and am trying to log in to the same LDAP server using an LDAP user. However, I am not able to log in and get the following in /var/log/secure:
Dec 22 20:06:29 redhat5 sshd[7241]: Invalid user ldapu1 from 192.168.85.1
Dec 22 20:06:31 redhat5 sshd[7242]: input_userauth_request: invalid user ldapu1
Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): check pass; user unknown
Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.85.1
Dec 22 20:06:37 redhat5 sshd[7241]: pam_succeed_if(sshd:auth): error retrieving information about user ldapu1
Dec 22 20:06:39 redhat5 sshd[7241]: Failed password for invalid user ldapu1 from 192.168.85.1 port 4461 ssh2
I can see that if I use ldapsearch with the same filter, I am not able to locate the user "ldapu1". However, if I change the filter to "(|(objectClass=posixAccount)(uid=ldapu1))", it shows me the LDAP user:
[root@redhat5 ~]# ldapsearch -x -b "ou=Users,dc=homeldap,dc=com" -D "cn=Manager,dc=homeldap,dc=com" -W -H "ldap://127.0.0.1/" "(|(objectClass=posixAccount)(uid=ldapu1))"
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <ou=Users,dc=homeldap,dc=com> with scope subtree
# filter: (|(objectClass=posixAccount)(uid=ldapu1))
# requesting: ALL
# ldapu1, Users, homeldap.com
dn: cn=ldapu1,ou=Users,dc=homeldap,dc=com
objectClass: inetOrgPerson
cn: ldapu1
sn: ldapu1
uid: ldapu1
userPassword:: bGRhcHV1MQ==
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Where have I made a mistake?
- Is it necessary to create an account on the Linux box and then migrate it to LDAP?
- I was just wondering if I can somehow change the default filter from AND to OR at the time of login. I used "pam_filter |objectClass=inetOrgPerson" in ldap.conf.
However, it didn't change the filter.
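The passwd lookup that sshd triggers through nss_ldap/pam_ldap is an AND filter, (&(objectClass=posixAccount)(uid=ldapu1)), so an entry that is only an inetOrgPerson stays invisible to the login path even though the OR filter in the ldapsearch above finds it. The script below is an added example, not code from the post or from pam_ldap: it parses the LDIF shown above (copied in as a constructed sample, together with a hypothetical corrected account ldapu2 whose uidNumber, gidNumber and home directory are assumptions), evaluates both filters against the entries, lists the posixAccount attributes an entry lacks, and flags the userPassword that is stored in the clear.

```python
import base64
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# pam_ldap/nss_ldap passwd lookup: posixAccount AND the uid being looked up.
DEFAULT_FILTER = "(&(objectClass=posixAccount)(uid=%s))"
# Attributes the posixAccount object class requires (RFC 2307 MUST list).
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample: the entry from the post, plus a hypothetical corrected
# account (ldapu2) whose uidNumber/gidNumber/homeDirectory are assumptions.
SAMPLE_LDIF = """\
dn: cn=ldapu1,ou=Users,dc=homeldap,dc=com
objectClass: inetOrgPerson
cn: ldapu1
sn: ldapu1
uid: ldapu1
userPassword:: bGRhcHV1MQ==

dn: cn=ldapu2,ou=Users,dc=homeldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: ldapu2
sn: ldapu2
uid: ldapu2
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/ldapu2
# placeholder value below, not a real hash
userPassword: {SSHA}bm90LWEtcmVhbC1oYXNo
"""

def parse_ldif(text: str) -> List[Entry]:
    """Parse simple LDIF: blank-line separated entries, folded lines, base64 (::) values."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry: Entry = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):               # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            # attribute names are case-insensitive in LDAP; normalise to lower case
            entry.setdefault(name.strip().lower(), []).append(value)
        entries.append(entry)
    return entries

def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse a minimal RFC 4515 filter: (&..), (|..), (!..), (attr=value), (attr=*)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)                       # values containing ')' not supported
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1

def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                            # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def find_user(entries: List[Entry], uid: str, filt: str = DEFAULT_FILTER) -> Optional[Entry]:
    """Return the first entry the login filter would select for uid, or None."""
    node, _ = parse_filter(filt % uid)
    return next((e for e in entries if matches(node, e)), None)

def posix_problems(entry: Entry) -> List[str]:
    """List what stops an entry from being a usable POSIX account."""
    problems = []
    if not any(v.lower() == "posixaccount" for v in entry.get("objectclass", [])):
        problems.append("objectClass: posixAccount")
    problems += [a for a in POSIX_MUST if a.lower() not in entry]
    return problems

def password_is_hashed(entry: Entry) -> bool:
    """userPassword should be stored as {SCHEME}hash, never in the clear."""
    return all(v.startswith("{") for v in entry.get("userpassword", []))

if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for e in users:
        uid = e["uid"][0]
        print(uid, "found by login filter:", find_user(users, uid) is not None,
              "| problems:", posix_problems(e), "| password hashed:", password_is_hashed(e))
```

Run it as is and ldapu1 is reported as not found by the login filter, missing objectClass posixAccount plus uidNumber, gidNumber and homeDirectory, with its password stored in clear text (the base64 in the LDIF is only an encoding, not a hash). pam_filter cannot turn this into an OR: pam_ldap ANDs whatever you put there with the uid match, so the fix is to add the posixAccount object class and its required attributes to the entry rather than to loosen the filter.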
Feb 3, 2016
I'm testing logging in using OpenLDAP authentication on jessie by following an article from [URL] ..... and when I try to log in from the LDAP client (another Debian 8 VM), it fails with
Feb 3 09:25:33 clt nscd: nss_ldap: could not connect to any LDAP server as cn=admin,dc=test,dc=lab - Can't contact LDAP server
Feb 3 09:25:33 clt nscd: nss_ldap: failed to bind to LDAP server ldap:///192.168.191.120: Can't contact LDAP server
Feb 3 09:25:33 clt nscd: nss_ldap: reconnecting to LDAP server...
Feb 3 09:25:33 clt nscd: nss_ldap: could not connect to any LDAP server as cn=admin,dc=test,dc=lab - Can't contact LDAP server
[Code] ....
Test result from the client with ldapsearch:
# ldapsearch -h 192.168.191.120 -D cn=admin,dc=test,dc=lab -W -x -b 'dc=test,dc=lab' 'userName=*'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=lab> with scope subtree
# filter: userName=*
[Code] .....
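The URI that nss_ldap reports in the log, ldap:///192.168.191.120, has no host component: in an LDAP URL the host sits between the "//" and the next "/", so everything after the third slash is parsed as the base DN and libldap falls back to its default host (normally localhost), which explains why ldapsearch -h 192.168.191.120 works while nscd cannot connect. The script below is an added example, not code from the post or from nss_ldap: it splits LDAP URLs with the standard library and lints the uri and bindpw lines of an ldap.conf excerpt. The excerpt is constructed; only its uri line is taken from the log above, the other lines are assumptions.

```python
from typing import Dict, List
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed /etc/ldap.conf excerpt: the uri line mirrors the log above,
# the remaining lines are assumptions for illustration.
SAMPLE_CONF = """\
base dc=test,dc=lab
uri ldap:///192.168.191.120
ssl no
binddn cn=admin,dc=test,dc=lab
bindpw secret
"""

def parse_ldap_uri(uri: str) -> Dict[str, object]:
    """Split an RFC 4516 LDAP URL: scheme://host:port/dn?attrs?scope?filter."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"not an LDAP URL: {uri}")
    if scheme == "ldapi":
        # ldapi carries a percent-encoded Unix socket path in the authority part
        return {"scheme": scheme, "host": unquote(parts.netloc), "port": None,
                "dn": unquote(parts.path.lstrip("/"))}
    return {
        "scheme": scheme,
        "host": parts.hostname or "",            # None when the authority is empty
        "port": parts.port or DEFAULT_PORTS[scheme],
        "dn": unquote(parts.path.lstrip("/")),
    }

def lint_uri(uri: str) -> List[str]:
    """Return human-readable findings for one LDAP URL."""
    u = parse_ldap_uri(uri)
    findings = []
    if u["scheme"] in ("ldap", "ldaps") and not u["host"] and u["dn"]:
        findings.append(
            f"{uri}: no host between '//' and the next '/'; '{u['dn']}' is read as the "
            f"base DN and the client falls back to the default host. Use {u['scheme']}://{u['dn']}/"
        )
    if u["scheme"] == "ldap":
        findings.append(f"{uri}: plain ldap:// sends the bind password in clear text unless STARTTLS is used")
    return findings

def lint_ldap_conf(text: str) -> List[str]:
    """Lint the uri/ssl/bindpw lines of an nss_ldap/pam_ldap style ldap.conf."""
    findings: List[str] = []
    uris = []
    starttls = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "uri":
            uris += [(n, u) for u in value.split()]   # 'uri' may list several servers
        elif key == "ssl" and value.strip().lower() == "start_tls":
            starttls = True
        elif key == "bindpw":
            findings.append(f"line {n}: bindpw keeps a cleartext password; the file must not be world-readable")
    for n, uri in uris:
        for f in lint_uri(uri):
            if "clear text" in f and starttls:
                continue                              # STARTTLS configured, no cleartext bind
            findings.append(f"line {n}: {f}")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap_conf(SAMPLE_CONF):
        print(finding)
```

The same split applies to the ldapsearch client: -h takes a bare host, while -H takes a full URL, so ldapsearch -H ldap:///192.168.191.120 would reproduce the nscd failure on the command line.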
Jun 3, 2011
Installed Postfix and Dovecot. Also created a user account on Linux like abc, but when I send mail from sunil@test.abc.com (domain)
I get the below error:
I reset the password of user sunil, but no gain.
Log error:
Feb 16, 2011
I am trying to get OpenLDAP to authenticate user logins, but I am running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to log in as a user? Below is an explanation; any ideas would be appreciated, as I think everything is set up as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others; some host services, some are file shares (Samba). So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-SSL or SSL connections. However, as soon as I try connecting any services up to it, it doesn't play ball. Back to basics: having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on the host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below).
Configured /etc/openldap/ldap.conf (see below).
[code]...
Jul 3, 2011
I'm trying to configure Dovecot in RHEL6, but it seems the system won't accept local user login. I've already disabled PAM. I've tried mutt -f imap://xxxx, and Thunderbird to connect via IMAP and POP3, but both failed; it seems Dovecot won't accept the password of the login user. The Dovecot info log shows:
Jul 03 20:48:42 imap-login: Info: Disconnected: Too many invalid commands (no auth attempts): rip=192.168.1.3, lip=192.168.1.3, mpid=0, secured
#passdb {
# driver = pam
# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
# [cache_key=<key>] [<service name>]
[code]....
Jul 25, 2011
For about a week now I've been seeing mass attempts to relay through Postfix and log in to Dovecot from the same 2 addresses. None are successful due to how Postfix/Dovecot are configured, and I wouldn't be overly worried, but my ISP have picked up on it and are nagging at me.
What ways do people go about just dropping connection attempts from offending addresses/ranges when stuff like that happens? An ideal thing would be something that detects repeated failed attempts from a host or range and subsequently ignores/bans them, perhaps for a specified length of time; something along the lines of denyhosts and fail2ban for SSH would be great. I don't know if there's anything out there or just a plain tried and trusted method anyone might use for stuff like this; if not, a hint on the most appropriate way to go about it 'manually' would do.
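Current fail2ban releases ship a dovecot filter and a postfix-sasl filter that match exactly this kind of failure, so the usual answer is to enable those jails. The core logic is small enough to show, though: the script below is an added example, not the poster's code and not fail2ban's. It scans syslog-style lines, counts failed Dovecot logins and Postfix SASL authentication failures per client IP in a sliding window, and emits a ban with an expiry, the same maxretry/findtime/bantime model fail2ban uses. The log lines are constructed for the example, modelled on the Dovecot 2.x and Postfix formats, and the year used to complete the syslog timestamps is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed syslog lines modelled on Dovecot 2.x and Postfix failure messages.
SAMPLE_LOG = """\
Jul 25 10:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jul 25 10:00:09 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jul 25 10:00:15 mx postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 25 10:00:20 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=2250, TLS
Jul 25 10:00:31 mx postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jul 25 10:00:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Jul 25 10:01:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jul 25 10:30:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
"""

SYSLOG_TS = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
# One pattern per daemon; each captures the client address as "ip".
PATTERNS = [
    re.compile(r"dovecot: \S+-login: Disconnected \(auth failed.*?rip=(?P<ip>[0-9a-fA-F.:]+)"),
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"),
]

def parse_auth_failure(line: str, year: int = 2011) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, client_ip) if the line records a failed mail login, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    for pat in PATTERNS:
        hit = pat.search(m.group("rest"))
        if hit:
            # syslog timestamps carry no year; the caller supplies one (assumption: 2011)
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, hit.group("ip")
    return None

def find_offenders(lines: List[str], maxretry: int = 5, findtime: int = 600,
                   bantime: int = 3600) -> Dict[str, Tuple[datetime, datetime]]:
    """fail2ban-style sliding window: ban an IP after maxretry failures within findtime seconds.

    Returns {ip: (ban_start, ban_end)} for the first ban of each offending IP.
    """
    window = timedelta(seconds=findtime)
    recent: Dict[str, deque] = defaultdict(deque)
    bans: Dict[str, Tuple[datetime, datetime]] = {}
    for line in lines:
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue                          # already banned; nothing more to decide
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:       # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only the decision is shown; a real deployment pairs it with an action (an iptables or ipset rule inserted at ban time and removed at expiry, which is what fail2ban's action.d scripts do) and persists the ban table across restarts. Watch the two counters fail2ban exposes: maxretry too low or findtime too long bans users who mistype a password, while an unbounded bantime for a dynamic address eventually punishes an innocent customer of the same ISP.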
Jun 8, 2010
Code:
$ su -c 'yum install wine'
This forum won't let me put all the text in.
Transaction Check Error:
package openldap-2.4.21-6.fc13.x86_64 (which is newer than openldap-2.4.21-4.fc13.i686) is already installed
package nss-softokn-freebl-3.12.4-19.fc13.x86_64 (which is newer than nss-softokn-freebl-3.12.4-17.fc13.i686) is already installed
Aug 24, 2010
We are in the process of integrating OpenLDAP into our application; the existing AD used is MSAD. We would like to access the users created in OpenLDAP in our application (Java code) and then authenticate them against the details in AD (OpenLDAP). We are using Spring LDAP for fetching OpenLDAP connections. We have the following code with MSAD:
Code:
userAttributes.get("distinguishedName").toString()
This works because the MSAD user object class has an attribute 'distinguishedName' to get the user DN. There is no such provision in OpenLDAP, or is there any other way to retrieve the DN in OpenLDAP?
Aug 5, 2010
I'm having many problems trying to configure OpenLDAP on Ubuntu 10.04 LTS.
I have tried many tutorials and many configurations, but still without results. I made the following script (to avoid repeating the same work again and again):
Code:
#!/bin/sh
passwd=xxxxxx
dc1=host
dc2=com
[Code]....
Jan 25, 2011
I configured my OpenLDAP, but now I want to implement SSL/TLS.
This is my basic slapd.conf configuration:
Code:
And I created this script (simple, I know) to create this TLS/SSL config, but it won't work: users cannot log in.
Path where I am moving the certs: /etc/openldap/cacerts
Code:
As you see, I create the key and certificate, assign permissions, add stuff to slapd.conf and finally copy the cert to a client PC.
On the client side I use authconfig-tui.
My environment is CentOS 5.5.
What is wrong in my config?
Apr 22, 2011
I'm trying to configure TLS with OpenLDAP following this site [URL]. When I attempted to sign the cert request with my CA, I got a fault:
root@ldap:/usr/local/openssl/bin# ./CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
[code]....
May 24, 2010
I want to create a new LDAP database.
Part of the new configuration is
Code:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
[Code].....
Jun 8, 2010
I have this group "cn=admins,ou=groups,dc=home,dc=com", and I've configured slapd in the new way, so I'm not using slapd.conf (I think). First I thought about just modifying the files at /etc/ldap/cn=config/......., but that didn't work. How do I make that group into an admin group with all the rights?
Nov 15, 2010
There are several parts to my question.
1. Install openLDAP and authenticate clients
2. Simple way to authenticate Ubuntu clients (just like Windows simple domain model, but Linux)
Part 1: What I have done: I have been working on openLDAP for the past 4 weeks. There is a lot of information on LDAP and I have read a lot of it. There are several guides out there for openLDAP installation on Ubuntu, and I have tried many of them, and reinstalled the server between tests.
[Code]...
Part 2: Simple way to authenticate Ubuntu clients (just like the Windows simple domain model, but Linux)
I have tried to find something similar to Windows client login, but haven't found anything that works. I just need to be pointed to somewhere to read about the authentication model in Linux. I can work it out from there. It must be something very simple I am missing, because when I read some chapters in The Ubuntu Bible, I can't find anything on it.
Feb 21, 2011
I've just setup OpenLDAP on Ubuntu Server 10.04.2 following this guide:
[URL]
It's mostly working well, but I do have one issue. I thought that after configuring TLS it would be best to disable access via other means to keep connections to the LDAP server more secure; before doing so I wanted to check that I could actually connect to OpenLDAP on the localhost using the following command:
ldapmodify -Y EXTERNAL -H ldaps:///
But got the following output:
TLS: can't connect: (unknown error code).
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
This looks like some simple misconfiguration on my part, but I can't see where it's wrong, nor could I find any answers by googling.
I should point out that I'm able to connect to the LDAP server from a different host on the network using ldaps:/// (via Apache Directory Studio), so I'm quite surprised that I can connect from another system, but not via the loopback.
At this stage this is really a learning exercise for me, I just want to get to grips with LDAP and I find that when starting out the best thing to do is play with the actual configs to get to know my way around, but this has me stumped.
I imagine this is either a very simple config issue or I'm trying to do something that isn't necessary. I'd really like to understand what I'm doing wrong or alternatively why trying to do this is unnecessary/irrelevant.
[Edit] In summary my main goal is to only allow secured access to the LDAP server, not transmit data in plaintext across the network.
Aug 19, 2010
I can't seem to get my ldap.log file to rotate on Ubuntu 9.10. I've added the following to the logrotate.conf file:
/var/log/ldap.log {
missingok
monthly
create 0660 root utmp
rotate 1
}
I have also tried putting the path to the file in /etc/logrotate.d/rsyslog. Restarted services and still no log rotation for ldap.log.
Mar 27, 2010
I need a quick configuration guide to configure OpenLDAP 2.4 on Fedora 12 or Ubuntu 9.04.
Jul 6, 2010
Every time I try to set up TLS in OpenLDAP using the YaST applet, the database blows up and dies. I cannot restart the LDAP service unless I create a new database. Basically I get LDAP up and working perfectly. Then I use YaST to go and enable TLS and SSL support. I put in the paths of the certs. Then I hit OK and that is when it blows up. I cannot restart the service. I follow the directions exactly in the link below.
OpenLDAP Faq-O-Matic: How do I use TLS/SSL?
Where it says "using certificates".
Here is what it says in the /var/log/messages
Code:
Jul 6 16:45:31 leia slapd[23996]: @(#) $OpenLDAP: slapd 2.4.17 (Oct 24 2009 04:51:18) $#012#011abuild@build32:/usr/src/packages/BUILD/openldap-2.4.17/servers/slapd
Jul 6 16:45:31 leia slapd[23996]: config error processing cn=schema,cn=config:
Jul 6 16:45:31 leia slapd[23996]: slapd stopped.
Jul 6 16:45:31 leia slapd[23996]: connections_destroy: nothing to destroy.
Jul 6 16:45:31 leia startproc: startproc: exit status of parent of /usr/lib/openldap/slapd: 1
How can I enable TLS/SSL on OpenLDAP in openSUSE 11.2 without the database dying?
May 27, 2011
I was trying to find documentation on how to add a new object into OpenLDAP; however, I cannot seem to find a good walkthrough.
Just so everyone knows what I'm trying to do: I need to add a new object called bannerid. This bannerid is a unique ID that will help me find student accounts in my OpenLDAP directory much quicker.
Jan 28, 2009
OpenLDAP 2.4.11 uses cn=config as the main configuration instead of slapd.conf.
How do I add a new schema to OpenLDAP 2.4.11 that uses cn=config?
Aug 24, 2010
I was thinking of merging my OpenLDAP and Samba BDC servers. Is it OK for a server to authenticate against itself? (i.e. ldap.conf points to localhost)
Jul 13, 2011
I have a RHEL 5.4 server installed in a server farm. The server is administered under a central AD, which means that administrators are registered in the AD.
However, I have to deploy an application on the Linux server that will use its own OpenLDAP server. This means that this application will be the client to the LDAP server installed on the same RHEL server.
I tried installing OpenLDAP using yum and it resulted in a fatal issue. Somehow the configuration files used for finding the Linux server from the AD were overwritten and the Linux server was not reachable anymore.
After some investigation, and possibly a rebuild, the server has been handed over to me.
The problem is how I should install OpenLDAP so that the existing connection to AD is not lost.
On the Linux server I see an /etc/openldap directory, but it only contains ldap.conf and a cacerts directory.
Jul 27, 2011
I am having some trouble with Cyrus SASL and OpenLDAP. I tried to configure OpenLDAP to use SASL for all connections, but I cannot map the SASL DN to OpenLDAP's DN. Below is my configuration file, slapd.conf:
[code]...
After I finished the configuration, I tried to use the ldapsearch tool to verify, but I cannot:
[code]...
May 18, 2010
I'm trying to set up an OpenLDAP server on a clean install of 10.04 server (AMD64). Following the server guide [URL], I get down to the "Setting up ACL" step:
$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb olcAccess
This command fails with "ldap_bind: Invalid credentials (49)"
When I replace the dn with what it seems like it should be:
$ ldapsearch -xLLL -b cn=config -D cn=admin,dc=example,dc=com -W olcDatabase=hdb olcAccess
I get "No such object (32)"
I have a feeling this is because 10.04 no longer asks you for the admin username and password during the initial debconf (nor does dpkg-reconfigure).
I can continue through the guide using this form of the commands (which were used earlier in the Guide):
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=hdb olcAccess
But I'm a little concerned that I'm not able to properly use the admin user to make LDAP changes to the configuration. It also seems like the Server Guide ought to use the 'sudo ... -Y EXTERNAL' form of the commands throughout if cn=admin,cn=config isn't going to work.
May 24, 2010
I have a slapd server running, but it seems to refuse connections in a very odd way. Wireshark shows that every time the JavaEE client tries to connect, only 2 packets are sent. As I understand it, in the TCP/IP protocol the first is just "hello, who's there". The last is just a message consisting of ACK and RST. I think RST means "we're done". At this point I don't think any credentials are checked, so I don't know what could be wrong.
Jun 30, 2010
I'm trying to follow the OpenLDAP docs that are part of the Ubuntu 10.04 Server Guide, listed here:
I get about halfway through, to this command:
sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif
When it asks me to "Enter LDAP Password:", nothing I have tried works. I thought it might have been "olcRootPW: secret" set in the backend file in the step before, but that isn't working.
Apr 12, 2011
I recently followed a tutorial on how to get OpenLDAP running with Samba on Lucid. It worked pretty well. Here's my very frustrating problem with it. For the first 5-10 minutes after rebooting, password handling (possibly PAM?) is hosed, including for users in LDAP authenticating via Samba. In fact, I think the only reason I can SSH into the machine during that window is because I happen to have certificate authentication enabled and my client uses that. When I try to do a sudo command after logging in, though, and have to enter the password, it hangs. I've searched logs and haven't come up with much. I *think* it's related to this bug, but I'm not sure.
And here's what's killing me: it's not easy for me to figure out how to ensure that slapd starts before smbd and rsyslog (I read somewhere else that it needs to start before that for some reason), because most of the jobs are upstart jobs, but slapd is not. By default it runs at S19 in rc2.d, and I've tried manually lowering that as far as S05 or S07, but I'm still having trouble.
Apr 17, 2011
I work for a college with many departments. I'd like to just deploy one LDAP/krb5 server (plus slave replicas) to authenticate all users in all departments. Is it possible to do this? The proposed DNs for the departments match what is done for NIS now. Does anyone have any pointers or URLs that describe how to properly do this?