How to grant openldap user only a specific privilege

I would like to create a user, apart from the admin user, who should have access to update passwords as well as create users in OpenLDAP. I tried configuring the user with the following LDIF file, but it is not working as expected and is throwing the error "Unauthorized user" while updating the password for another user.

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {1}to * by dn="cn=usrmanager,dc=example,dc=com" write

Please help me with the appropriate configuration.

Openldap sync not working

I’ve installed two Ubuntu systems with OpenLDAP server and made them replicate data as told in this guide. Replication worked and contextCSN had the same output, and I still find the original provider accounts on the consumer. However, problems started once I began adding users to the provider. The consumer’s contextCSN is not updating and I find errors in syslog on both machines.

Provider:

    Jun 23 15:11:13 ldap01 slapd[711]: findbase failed! 32
    Jun 23 15:12:14 ldap01 slapd[711]: findbase failed! 32
    Jun 23 15:12:14 ldap01 slapd[711]: connection_read(52): no connection!

Consumer:

    Jun 23 15:11:13 ldap02 slapd[32562]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (32) No such object
    Jun 23 15:11:13 ldap02 slapd[32562]: do_syncrep2: rid=001 (32) No such object
    Jun 23 15:11:13 ldap02 slapd[32562]: do_syncrepl: rid=001 rc -2 retrying
    Jun 23 15:12:14 ldap02 slapd[32562]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (32) No such object
    Jun 23 15:12:14 ldap02 slapd[32562]: do_syncrep2: rid=001 (32) No such object
    Jun 23 15:12:14 ldap02 slapd[32562]: do_syncrepl: rid=001 rc -2 retrying
    Jun 23 15:13:14 ldap02 slapd[32562]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (32) No such object
    Jun 23 15:13:14 ldap02 slapd[32562]: do_syncrep2: rid=001 (32) No such object
    Jun 23 15:13:14 ldap02 slapd[32562]: do_syncrepl: rid=001 rc -2 retrying
    Jun 23 15:14:14 ldap02 slapd[32562]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (32) No such object
    Jun 23 15:14:14 ldap02 slapd[32562]: do_syncrep2: rid=001 (32) No such object
    Jun 23 15:14:14 ldap02 slapd[32562]: do_syncrepl: rid=001 rc -2 retrying
    Jun 23 15:15:14 ldap02 slapd[32562]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (32) No such object
    Jun 23 15:15:14 ldap02 slapd[32562]: do_syncrep2: rid=001 (32) No such object
    Jun 23 15:15:14 ldap02 slapd[32562]: do_syncrepl: rid=001 rc -2 retrying

OpenLDAP CentOS apply LDIF takes ages

When I apply LDIF scripts through ldap_modify, it takes ages on a running multi-master setup before they are applied. I don’t see any lead in the log files as to what could cause this issue. I think it has to do with DNS name resolution, because I know some of the nodes can’t reach one another (on purpose).

Any ideas if I am on the right track? I have all nodes hardcoded in /etc/hosts so it should resolve fast but it doesn’t.

Cheers,

Victor

Openldap passwords hashing with olcPasswordHash

I am trying to make OpenLDAP store all userPassword attributes hashed with the {SSHA} algorithm. I managed to configure the frontend db with olcPasswordHash:

    dn: olcDatabase={-1}frontend
    objectClass: olcDatabaseConfig
    objectClass: olcFrontendConfig
    olcDatabase: {-1}frontend
    structuralObjectClass: olcDatabaseConfig
    creatorsName: cn=config
    createTimestamp: 20181218082812Z
    olcPasswordHash: {SSHA}     <------------ configured with ldapmodify
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

But even after a slapd service restart, new password modifications/creations are still stored in cleartext, and there is nothing wrong in ldap.log.

Any ideas?
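Added example (my code, not from the post or OpenLDAP): per slapd-config(5), olcPasswordHash only applies to the Password Modify extended operation (ldappasswd, RFC 3062); a userPassword value that arrives in a plain ldapadd or ldapmodify is stored exactly as sent, which is why the frontend setting above changes nothing. Two ways around that are to hash on the client before sending, or to load slapo-ppolicy with olcPPolicyHashCleartext: TRUE so the server hashes cleartext on add/modify. The Python below does the client-side part, {SSHA} generation and verification, and adds an audit that scans a slapcat/ldapsearch dump for userPassword values without a {SCHEME} prefix, including base64 "userPassword::" lines, which is how to confirm what is really stored. The LDIF sample is constructed; the salt length is a local choice.

```python
"""{SSHA} hashing on the client plus a cleartext audit of an LDIF dump (added example)."""
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
# Core slapd schemes plus the common contrib modules (pw-sha2, pw-pbkdf2, pw-argon2).
KNOWN_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT", "SSHA256", "SSHA512",
                 "PBKDF2-SHA256", "PBKDF2-SHA512", "ARGON2"}
SALT_LEN = 8  # our choice; verify() reads the salt length back out of the value


def ssha_hash(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Constant-time check against a {SSHA} value; the salt is carried in the value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def is_hashed(value):
    """True when the value carries a {SCHEME} prefix slapd (or a contrib module) can verify."""
    m = SCHEME_RE.match(value)
    return bool(m) and m.group(1).upper() in KNOWN_SCHEMES


def find_cleartext(ldif_text):
    """[(dn, value)] for every userPassword in the dump that is not hashed.
    Handles 'userPassword::' base64 lines (what ldapsearch/slapcat emit); no line folding."""
    found, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: "):
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8", "replace")
            if not is_hashed(value):
                found.append((dn, value))
        elif line.startswith("userPassword: "):
            value = line.split(":", 1)[1].strip()
            if not is_hashed(value):
                found.append((dn, value))
    return found


# Constructed slapcat-style dump: alice hashed, bob cleartext, carol cleartext but base64-encoded.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {ssha_hash('correct horse', b'saltsalt')}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: hunter2

dn: uid=carol,ou=people,dc=example,dc=com
userPassword:: aHVudGVyMw==
"""


def audit(ldif_text=SAMPLE_LDIF):
    """DNs whose stored password is cleartext."""
    return [dn for dn, _ in find_cleartext(ldif_text)]
```

Feed `slapcat -l dump.ldif` (or an ldapsearch as the rootdn) to `find_cleartext()` before and after a test ldapmodify to see whether the value that arrived was hashed; a value shown as `userPassword::` is just base64 transport encoding, not a hash.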

How to tell an OpenLDAP server to index a new attribute when there’s no slapd.conf file present?

I’ve been given the task to enable OpenLDAP client users to use “sudo”.

In order to do that, I’ve expanded the LDAP schema and added sudo functions such as sudoHost, sudoUser, etc., as shown in many guides over the internet.

Now I’d like to tell the OpenLDAP server to index the new attribute “sudoUser”, but the configuration at hand is such that there’s no slapd.conf file; instead there’s a “cn=config” directory which holds the relevant db files, including the one I intend to modify.

This file is generated when using the ldapmodify command and cannot be manually modified.

The user which I’m using to log into the OpenLDAP phpmyadmin UI is called: cn=admin,dc=company,dc=com.

When I added the sudo schema to OpenLDAP, I’ve used the following command:

    ldapadd -x -D "cn=admin,dc=company,dc=com" -W -H ldap:// -f sudo.ldif

And supplied this user’s password.

Now, when I try to add that index to the OpenLDAP database, I need to bind to “cn=config” instead of that admin user, but I don’t know this password and I get an error saying “Invalid credentials” when I run the following command:

    ldapmodify -x -D "cn=config" -H ldap:/// -W

I’ve also tried running:

    ldapmodify -x -D "cn=admin,dc=company,dc=com" -H ldapi:/// -W

and then pasting:

    dn: olcDatabase={1}mdb
    changetype: modify
    add: olcDbIndex
    olcDbIndex: sudoUser eq

also tried the above configuration with dn: cn=config,olcDatabase={1}mdb.

But then I get the following error:

    modifying entry "olcDatabase={1}mdb"
    ldap_modify: Server is unwilling to perform (53)
        additional info: no global superior knowledge

What am I doing wrong and how can I add this index to the db file?
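Added example (my code, not the poster’s): “no global superior knowledge” means slapd has no database that could hold an entry named plainly olcDatabase={1}mdb; the database entries live under cn=config, so the modify has to target olcDatabase={1}mdb,cn=config. Rather than guess the DN, the Python below reads a “slapcat -n 0” dump, finds the database whose olcSuffix is dc=company,dc=com, checks what olcDbIndex already covers, and emits only the missing “sudoUser eq” line. It also wraps the ldapmodify -Y EXTERNAL -H ldapi:/// call that, run as root, is how cn=config is reached on default Debian and CentOS installs, where the {0}config database grants manage to the gidNumber=0+uidNumber=0,cn=peercred identity and no cn=config password exists. The slapcat excerpt is constructed.

```python
"""Derive the cn=config DN for a suffix and emit the olcDbIndex change (added example)."""
import base64
import subprocess


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} with '::' base64 and folded lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def database_entry(entries, suffix):
    """The olcDatabase entry whose olcSuffix equals `suffix` (case-insensitive)."""
    for e in entries:
        if any(s.lower() == suffix.lower() for s in e.get("olcSuffix", [])):
            return e
    raise LookupError("no database with suffix " + suffix)


def indexed(entry):
    """{attr: {index types}} from values like 'cn,uid eq,sub' or '{0}objectClass eq'."""
    out = {}
    for v in entry.get("olcDbIndex", []):
        v = v.split("}", 1)[1] if v.startswith("{") else v
        attrs, _, types = v.partition(" ")
        for a in attrs.split(","):
            out.setdefault(a.lower(), set()).update(t for t in types.split(",") if t)
    return out


def index_change(config_ldif, suffix, wanted):
    """Modify LDIF adding each wanted {attr: 'types'} not already indexed; None if nothing to do."""
    entry = database_entry(parse_ldif(config_ldif), suffix)
    have = indexed(entry)
    missing = [(a, t) for a, t in wanted.items()
               if not set(t.split(",")) <= have.get(a.lower(), set())]
    if not missing:
        return None
    body = "\n".join(f"olcDbIndex: {a} {t}" for a, t in missing)
    return f"dn: {entry['dn'][0]}\nchangetype: modify\nadd: olcDbIndex\n{body}\n"


def apply_over_ldapi(ldif):
    """Run as root: SASL EXTERNAL over the local socket, the same bind the question's acl.ldif uses."""
    return subprocess.run(["ldapmodify", "-Y", "EXTERNAL", "-H", "ldapi:///"],
                          input=ldif, text=True, capture_output=True, check=False)


# Constructed 'slapcat -n 0' excerpt for a dc=company,dc=com directory (folded olcAccess included).
CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=au
 th manage by * break

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=company,dc=com
olcRootDN: cn=admin,dc=company,dc=com
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq,sub
olcDbIndex: uidNumber,gidNumber eq
"""

if __name__ == "__main__":
    print(index_change(CONFIG_LDIF, "dc=company,dc=com", {"sudoUser": "eq"}))
```

Run `slapcat -n 0 > config.ldif` as root, pass its contents to `index_change()`, review the LDIF it returns, and hand that to `apply_over_ldapi()`; binding as cn=admin,dc=company,dc=com over ldap:// cannot reach cn=config because that rootdn only covers the dc=company,dc=com database.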

OpenLDAP – How can I disable authentication for a specific group?

I’m using OpenLDAP in a Red Hat environment to provide authentication.

I have two core groups of users; admins and users. My structure is: cn=admins/users,ou=posixgroups,dc=example,dc=com

During certain situations I need to block users, but not admins, from being able to log in, essentially disabling the account of anyone in that group.

What’s the best way to go about this?
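Added example (my code, not from the post): one way to switch a whole posixGroup off without touching the admins, assuming the slapo-ppolicy overlay is active on the database. slapo-ppolicy(5) documents pwdAccountLockedTime: 000001010000Z as a permanent lock that only an administrator can clear, so binds fail for those users while their entries, passwords and group memberships stay intact. The Python below pulls memberUid values out of ldapsearch output for cn=users and cn=admins, removes any admin from the target list, and produces the lock and unlock LDIF. It assumes user entries sit under ou=people,dc=example,dc=com (the question does not say where they are) and uses constructed group output.

```python
"""Lock or unlock every member of a posixGroup except the admins via slapo-ppolicy (added example)."""
import subprocess

PERMANENT_LOCK = "000001010000Z"             # slapo-ppolicy(5): admin-only permanent lock
PEOPLE = "ou=people,dc=example,dc=com"       # assumed location of user entries


def member_uids(ldapsearch_output):
    """memberUid values from 'ldapsearch -LLL -b <group dn> memberUid' output."""
    return [l.split(":", 1)[1].strip()
            for l in ldapsearch_output.splitlines() if l.startswith("memberUid:")]


def lock_ldif(uids, exclude=(), lock=True, people=PEOPLE):
    """One modify record per uid; `exclude` keeps admins out of the target list."""
    protected = set(exclude)
    targets = [u for u in uids if u not in protected]
    op = (f"replace: pwdAccountLockedTime\npwdAccountLockedTime: {PERMANENT_LOCK}"
          if lock else "delete: pwdAccountLockedTime")
    return "\n".join(f"dn: uid={u},{people}\nchangetype: modify\n{op}\n" for u in targets)


def apply_ldif(ldif, binddn, password_file):
    """-c keeps ldapmodify going when an unlock hits a user that was never locked."""
    return subprocess.run(["ldapmodify", "-c", "-x", "-D", binddn, "-y", password_file,
                           "-H", "ldapi:///"], input=ldif, text=True, capture_output=True, check=False)


# Constructed 'ldapsearch -LLL' output for the two groups named in the question.
USERS_GROUP = """\
dn: cn=users,ou=posixgroups,dc=example,dc=com
memberUid: alice
memberUid: bob
memberUid: carol
"""
ADMINS_GROUP = """\
dn: cn=admins,ou=posixgroups,dc=example,dc=com
memberUid: alice
"""


def lock_users_but_not_admins(lock=True):
    """alice is in both groups, so she must survive the lock."""
    return lock_ldif(member_uids(USERS_GROUP), exclude=member_uids(ADMINS_GROUP), lock=lock)


if __name__ == "__main__":
    print(lock_users_but_not_admins(True))
```

Run the generated LDIF as the rootdn (or another identity with write access to pwdAccountLockedTime), and keep the unlock LDIF from the same run so the exact set of users can be re-enabled later; a PAM-side alternative is pam_ldap's pam_groupdn filter, but that only protects machines that carry the filter, whereas the lock applies to every bind.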

OpenLDAP: Non-anonymous access for PAM/NSS

I’ve installed LDAP with PAM/NSS, so I installed libnss-ldap, libpam-ldap and nscd on my Debian 9:

    apt-get install libnss-ldap libpam-ldap nscd

I configured it and all was working right. I decided to disable anonymous access. I used this LDIF:

    dn: cn=config
    changetype: modify
    add: olcDisallows
    olcDisallows: bind_anon

Now I can’t access the users in LDAP. Logs:

    $ su iron
    $ cat /var/log/auth.log
    May  7 06:39:52 DebianMM nscd: nss_ldap: failed to bind to LDAP server ldap://my-server.local: Inappropriate authentication
    May  7 06:39:52 DebianMM nscd: nss_ldap: reconnecting to LDAP server...
    May  7 06:39:52 DebianMM nscd: nss_ldap: failed to bind to LDAP server ldap://my-server.local: Inappropriate authentication
    May  7 06:39:52 DebianMM nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
    May  7 06:39:53 DebianMM nscd: nss_ldap: failed to bind to LDAP server ldap://my-server.local: Inappropriate authentication
    May  7 06:39:53 DebianMM nscd: nss_ldap: could not search LDAP server - Server is unavailable
    May  7 06:39:53 DebianMM su[702]: No passwd entry for user 'iron'
    May  7 06:39:53 DebianMM su[702]: FAILED su for iron by root
    May  7 06:39:53 DebianMM su[702]: - /dev/pts/0 root:iron

Thank you

Why can an anonymous user access the userPassword attribute in OpenLDAP?

Here is my ACL; OpenLDAP is v2.4.4.

acl.ldif

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: to attrs=userPassword by dn="cn=Manager,dc=ad,dc=pthl,dc=hk" write by anonymous auth by self write by * none
    olcAccess: to dn.base="" by * read
    olcAccess: to * by dn="cn=Manager,dc=ad,dc=pthl,dc=hk" write by * read

and then I run

    ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif

and I run

    ldapsearch -x -b ou=people,dc=ad,dc=pthl,dc=hk "(&(objectClass=posixAccount)(uid=someone))" -h 172.16.234.11

which returns

    # remove some lines
    # .....
    userPassword:: e1NTSEE1MTJ9MUpGdjcyd0w4aWJZRHd2eHpacVYyb1c4Q1p0Z0JrdDNpdWJDcU9
     pVjhmNVQ2QkgzWVNLQnVmNU03bnVwNFB2Q2NiaHR3UGcxOW51VitLMitaUk9WY2JLT0NOMDROWGlG
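Added example (my code, not the posters’ or OpenLDAP’s): a small Python model of how slapd evaluates an olcAccess list, following slapd.access(5): only the first matching “to” clause is consulted, the first matching “by” clause inside it decides, a non-empty list ends with an implicit “to * by * none”, and a database with no directives at all defaults to read. It replays two questions from this page. For the usrmanager question (the first post), it assumes the usual Debian/Ubuntu default ACL set on the hdb database and shows that inserting “{1}to * by dn=... write” leaves userPassword governed by the earlier attrs=userPassword clause (so the password change is refused) and, as a side effect, cuts every other user off from reading anything; the fix is to grant usrmanager inside the existing clauses. For the anonymous userPassword question directly above, the directives from acl.ldif were written to olcDatabase={0}config, so the dc=ad,dc=pthl,dc=hk database still has an empty list and falls back to read for everyone; the same list applied to that database leaves anonymous with auth only. The user entries uid=bob and uid=someone are constructed, and rootdn bypass and dn.subtree/regex selectors are not modelled.

```python
"""Toy model of slapd's olcAccess evaluation (added example, not OpenLDAP code).
Per slapd.access(5): only the first matching 'to <what>' is consulted, the first matching
'by <who>' in it decides, a non-empty list ends with an implicit 'to * by * none', and a
database with no directives defaults to read. Only selectors used on this page are known."""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn):
    return re.sub(r",\s+", ",", (dn or "").strip().lower())   # '' is the anonymous binding

def parse_access(directive):
    """'{n}to <what> by <who> <level> [by ...]' -> (what_tokens, [(who, level), ...])."""
    tokens = shlex.split(re.sub(r"^\{\d+\}", "", directive.strip()))  # keeps dn="a,b" whole
    if tokens[:1] != ["to"] or "by" not in tokens:
        raise ValueError("not an access directive: " + directive)
    first_by = tokens.index("by")
    rest, bys = tokens[first_by:], []
    while rest:                                  # control words (stop/break) not modelled
        if rest[0] != "by" or len(rest) < 3:
            raise ValueError("malformed <by> clause in: " + directive)
        bys.append((rest[1], rest[2]))
        rest = rest[3:]
    return tokens[1:first_by], bys

def what_matches(what, dn, attr):
    for sel in what:
        key, _, val = sel.partition("=")
        if sel == "*":
            continue
        if key == "attrs":                       # entry-level access (attr=None) never hits attrs=
            if attr is None or attr.lower() not in val.lower().split(","):
                return False
        elif key in ("dn.base", "dn.exact", "dn"):  # dn= is a regex in slapd; exact suffices here
            if norm(dn) != norm(val):
                return False
        else:
            raise ValueError("unsupported <what> selector: " + sel)
    return True

def who_matches(who, requester, dn):
    r = norm(requester)
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": r == "", "users": r != "",
                "self": bool(r) and r == norm(dn)}[who]
    key, _, val = who.partition("=")
    if key in ("dn", "dn.exact"):
        return r == norm(val)
    raise ValueError("unsupported <who> selector: " + who)

def access_level(directives, requester, dn, attr=None):
    """Level the first matching directive grants `requester` on (dn, attr)."""
    rules = [parse_access(d) for d in directives]
    if not rules:
        return "read"                            # no directives on this database: default read
    for what, bys in rules:
        if what_matches(what, dn, attr):
            for who, level in bys:
                if who_matches(who, requester, dn):
                    return level
            return "none"                        # <what> matched but no <who> did: denied
    return "none"                                # implicit trailing 'to * by * none'

def allowed(directives, requester, dn, attr, needed):
    return LEVELS.index(access_level(directives, requester, dn, attr)) >= LEVELS.index(needed)

ADMIN, MGR = "cn=admin,dc=example,dc=com", "cn=usrmanager,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"      # constructed user entry
# First post: assumed Debian/Ubuntu default hdb ACLs plus the poster's {1} rule.
POSTED = [
    f'{{0}}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="{ADMIN}" write by * none',
    f'{{1}}to * by dn="{MGR}" write',
    '{2}to dn.base="" by * read',
    f'{{3}}to * by self write by dn="{ADMIN}" write by * read',
]
# Fix: grant usrmanager inside the existing clauses instead of inserting a new 'to *'.
FIXED = [
    f'{{0}}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="{ADMIN}" write by dn="{MGR}" write by * none',
    '{1}to dn.base="" by * read',
    f'{{2}}to * by self write by dn="{ADMIN}" write by dn="{MGR}" write by * read',
]
# Post above: the acl.ldif directives, which landed on olcDatabase={0}config, not the data db.
MANAGER, SOMEONE = "cn=Manager,dc=ad,dc=pthl,dc=hk", "uid=someone,ou=people,dc=ad,dc=pthl,dc=hk"
ACL_LDIF = [
    f'to attrs=userPassword by dn="{MANAGER}" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    f'to * by dn="{MANAGER}" write by * read',
]

def usrmanager_results():
    return {
        "posted: usrmanager sets userPassword": allowed(POSTED, MGR, BOB, "userPassword", "write"),
        "posted: usrmanager adds entries": allowed(POSTED, MGR, BOB, None, "write"),
        "posted: bob reads own entry": allowed(POSTED, BOB, BOB, None, "read"),
        "fixed: usrmanager sets userPassword": allowed(FIXED, MGR, BOB, "userPassword", "write"),
        "fixed: bob reads own entry": allowed(FIXED, BOB, BOB, None, "read"),
        "fixed: anonymous reads userPassword": allowed(FIXED, "", BOB, "userPassword", "read"),
    }

def anonymous_reads_userpassword(rules_on_data_db):
    """True while the data database has no directives; False once acl.ldif is applied to it."""
    return allowed(ACL_LDIF if rules_on_data_db else [], "", SOMEONE, "userPassword", "read")
```

To check a live server instead of the model, run `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` as root and look at which olcDatabase entry the rules sit under, then repeat the anonymous `ldapsearch -x` from the question: with the list on the data database the userPassword attribute disappears from the result.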

OpenLDAP with LDAPS and N-Way Multi-master replication

We have the following setup:

  • Two OpenLDAP servers – openldap1, openldap2
  • They are to be set up as N-Way multi-master
  • Certificates are all set up correctly with alternate names etc and trust each other

I want slapd to bind to all interfaces on the server, so was hoping to run the service as

    /usr/sbin/slapd -u ldap -h ldaps://

However, this gives

    5cabf191 <<< dnNormalize: <cn=subschema>
    5cabf191 read_config: no serverID / URL match found. Check slapd -h arguments.
    5cabf191 slapd destroy: freeing system resources.
    5cabf191 syncinfo_free: rid=002
    5cabf191 syncinfo_free: rid=002
    5cabf191 slapd stopped.
    5cabf191 connections_destroy: nothing to destroy.

I think I understand this to be because of our replication setup, which has the following ServerIDs:

    dn: cn=config
    objectClass: olcGlobal
    cn: config
    ..snipped..
    olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
    olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
    olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
    olcServerID: 1 ldaps://openldap1
    olcServerID: 2 ldaps://openldap2
    entryCSN: 20190409004218.061111Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20190409004218Z
    contextCSN: 20190409004339.981340Z#000000#000#000000

I think my error is because the slapd -h argument cannot match a serverID in the list?

If this is the case, how do I work around it?

If I manually run the following, it works, but this doesn’t help me bind to all interfaces.

    /usr/sbin/slapd -u ldap -h ldaps://openldap1

I have an IP that floats between both servers to give high availability if one were to go down, so need slapd to listen on all interfaces.

Samba with OpenLDAP boot order

I have a Debian stretch server with a generally working Samba + LDAP configuration. However, I cannot get the startup order to work so that the slapd server starts before smbd. Currently, after a reboot the smbd startup fails since it can’t reach the LDAP server. journalctl outputs the following:

    ...
    Apr 04 08:21:27 servername systemd[1]: Starting Samba SMB Daemon...
    ...
    Apr 04 08:21:43 servername systemd[1]: smbd.service: Main process exited, code=exited, status=1/FAILURE
    Apr 04 08:21:43 servername systemd[1]: Failed to start Samba SMB Daemon.
    Apr 04 08:21:43 servername systemd[1]: smbd.service: Unit entered failed state.
    Apr 04 08:21:43 servername systemd[1]: smbd.service: Failed with result 'exit-code'.
    ...
    Apr 04 08:21:44 servername slapd[623]: @(#) $OpenLDAP: slapd  (May 23 2018 04:25:19) $
    ...
    Apr 04 08:21:46 servername slapd[907]: slapd starting
    Apr 04 08:21:46 servername slapd[592]: Starting OpenLDAP: slapd.
    ...

Afterwards I can start the smbd service without issues.

I have modified /lib/systemd/system/smbd.service to include slapd.service, both in the After and Requires entries, as well as any combination out of frustration, but nothing appears to have made a change. The rest of the file is not changed:

    [Unit]
    Description=Samba SMB Daemon
    Documentation=man:smbd(8) man:samba(7) man:smb.conf(5)
    After=network.target nmbd.service winbind.service slapd.service
    Requires=slapd.service

    [Service]
    Type=notify
    NotifyAccess=all
    PIDFile=/var/run/samba/smbd.pid
    LimitNOFILE=16384
    EnvironmentFile=-/etc/default/samba
    ExecStart=/usr/sbin/smbd $SMBDOPTIONS
    ExecReload=/bin/kill -HUP $MAINPID
    LimitCORE=infinity

    [Install]
    WantedBy=multi-user.target

Which I reloaded with systemctl daemon-reload. The output of systemctl show smbd contains:

    ...
    After=sysinit.target network.target nmbd.service systemd-journald.socket winbind.service system.slice basic.target slapd.service
    ...

I don’t have much experience with systemd and was not able to track down what I’m missing here. Is there another location where I have to specify this?