trying ldap configuration, can't add user, ldap_add: Invalid DN syntax (34) additional info: invalid DN - linux

I am trying to set up LDAP configuration and LDAP authentication, so by surfing on the internet I came across this video: Setting up OpenLDAP Server : LDAP configuration and LDAP authentication.
Following all the steps the same as in the video, I am having an error while adding the user, I think!
I did this on PuTTY.
Error which I am getting (screenshot):
After running the same code a 2nd time it says:
adding new entry "ou=People,dc=vlabs,dc=local"
ldap_add: Already exists (68)
This is my .conf file (screenshot),
and this is my add_content.ldif:
dn: ou=People,dc=vlabs,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=vlabs,dc=local
objectClass: organizationalUnit
ou: Groups

dn: cn=Students,ou=Groups,dc=vlabs,dc=local
objectClass: posixGroup
cn: Students
gidNumber: 5000

dn: cn=University,ou=Groups,dc=vlabs,dc=local
objectClass: posixGroup
cn: University
gidNumber: 6000

dn: uid:fct,ou=People,dc=vlabs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: fct
sn: falcon
givenName: fct
cn: fct falcon
displayName: fct falcon
uidNumber: 10000
gidNumber: 5000
userPassword: fctfalcon
gecos: fct falcon
loginShell: /bin/bash
homeDirectory: /home/fct

dn: uid:user,ou=People,dc=vlabs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user
sn: test
givenName: user
cn: user test
displayName: user test
uidNumber: 11000
gidNumber: 6000
userPassword: usertest
gecos: user test
loginShell: /bin/bash
homeDirectory: /home/user

dn: uid:abc,ou=People,dc=vlabs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: abc
sn: def
givenName: abc
cn: User def
displayName: abc def
uidNumber: 12000
gidNumber: 5000
userPassword: abc
gecos: abc def
loginShell: /bin/bash
homeDirectory: /home/abc
I tried to add one more user, uid:abc, to get a different result, but I get the same error.
While running this code there is no user there; I think the uid is not being stored in the database.
(another screenshot of code)
No idea where it's going wrong; if anyone knows the solution, PLEASE EXPLAIN in DETAIL.

Well, the ldap_add: Already exists (68) is due to the ou named ou=People,dc=vlabs,dc=local already existing. This is more of a warning than an error.
For:
dn: uid:abc,ou=People,dc=vlabs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: abc
You are setting the uid to abc on the last line. Get rid of the uid on the first line:
dn: abc,ou=People,dc=vlabs,dc=local
or:
dn: uid=abc,ou=People,dc=vlabs,dc=local
and then don't do the uid assignment.

Related

LDAP Object class error while creating user

When I am installing LDAP, after installation I need to create users with some attributes.
I am passing this, but it gives me an error of object class:
dn: uid=Mihir,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Mihir
sn: mj
userPassword: {SSHA}ti90VYQst24GhEyduqSaa0go0td/9hGO
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/username
When I run it, it gives me this error:
adding new entry "uid=Mihir,ou=people,dc=nodomain"
ldap_add: Object class violation (65)
        additional info: object class 'inetOrgPerson' requires attribute 'sn'
I think LDAP "ab ovo" cannot support multiple inheritance.
If you export your items in an LDIF file, you can see the listed objectClasses are part of the same inheritance chain, e.g.
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
shadowAccount looks like this:
( 1.3.6.1.1.1.2.1
NAME 'shadowAccount'
DESC 'Standard LDAP objectclass'
SUP top
AUXILIARY
MUST uid
MAY ( userPassword $
shadowLastChange $
shadowMin $
shadowMax $
shadowWarning $
shadowInactive $
shadowExpire $
shadowFlag $
description )
X-ORIGIN 'RFC 2307' )
AUXILIARY could work.
Have you tested with a simple inetOrgPerson without auxiliary objectClasses (as a first step)?
Have you tried adding the user from an LDIF via ldapadd? (First delete it if it exists.)
LDIF content:
version: 1
dn: uid=Mihir,ou=people,dc=domain,dc=com
objectClass: shadowAccount
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Mihir
gidNumber: 1000
homeDirectory: /home/username
sn: mi
uid: Mihir
uidNumber: 1000
userPassword: plain text...(!)
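Both problems in this pair of threads (the uid:abc RDN in the "Invalid DN syntax" question above, and the missing sn behind "Object class violation" here) are visible in the LDIF before ldapadd ever runs. The following is an added example in Python, not code from either post: it splits an LDIF file into entries, rejects any RDN that is not attr=value, and reports missing MUST attributes by walking each objectClass up its SUP chain. The schema table is a hand-copied subset (person/inetOrgPerson chain plus the RFC 2307 posix and shadow classes) covering only the classes used on this page, and SAMPLE is constructed from the two entries discussed.

```python
"""Pre-flight check for LDIF: DN syntax and objectClass MUST attributes.

Added example, not from the original posts. SCHEMA is a hand-copied subset of
the standard definitions, limited to the classes that appear on this page.
"""
import re

# objectClass -> (SUP class, MUST attributes)
_RAW_SCHEMA = {
    "top": (None, {"objectClass"}),
    "person": ("top", {"sn", "cn"}),
    "organizationalPerson": ("person", set()),
    "inetOrgPerson": ("organizationalPerson", set()),
    "organizationalUnit": ("top", {"ou"}),
    "posixAccount": ("top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
    "shadowAccount": ("top", {"uid"}),
    "posixGroup": ("top", {"cn", "gidNumber"}),
}
# LDAP attribute and class names are case-insensitive, so everything is compared lower-cased.
SCHEMA = {k.lower(): (s.lower() if s else None, {a.lower() for a in m})
          for k, (s, m) in _RAW_SCHEMA.items()}

# One RDN is attr=value. '+'-joined multi-valued RDNs and escaped commas are not handled here.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def parse_ldif(text):
    """Split LDIF text into entries, each a dict {attr_lowercase: [values]}.
    An entry ends at a blank line; comment lines and the version: line are skipped."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        # Split on the FIRST colon only, so 'dn: uid:abc,...' keeps its full value.
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def dn_problems(dn):
    """Problems with a DN string: every comma-separated RDN must look like attr=value."""
    return [f"RDN {rdn.strip()!r} is not attr=value (':' instead of '='?)"
            for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]


def missing_must(entry):
    """MUST attributes absent from the entry, collected over each objectClass and its SUP chain."""
    present = set(entry)
    missing = set()
    for oc in entry.get("objectclass", []):
        cls = oc.lower()
        while cls in SCHEMA:  # an unknown class simply ends the walk
            sup, must = SCHEMA[cls]
            missing |= must - present
            cls = sup
    return sorted(missing)


def check_ldif(text):
    """Return [(dn, [problem, ...])] for every entry that has at least one problem."""
    report = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        problems = dn_problems(dn) if dn else ["entry has no dn"]
        problems += [f"missing MUST attribute {a}" for a in missing_must(entry)]
        if problems:
            report.append((dn, problems))
    return report


# Constructed sample: the uid:abc RDN mistake and an inetOrgPerson without sn.
SAMPLE = """\
dn: uid:abc,ou=People,dc=vlabs,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: abc
sn: def
cn: abc def
uidNumber: 12000
gidNumber: 5000
homeDirectory: /home/abc

dn: uid=Mihir,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Mihir
uid: Mihir
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/username
"""

if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE):
        print(dn or "<no dn>")
        for problem in problems:
            print("   ", problem)
```

Run it over your own file with check_ldif(open("add_content.ldif").read()); an empty report means the DN syntax and the MUST sets for these classes are satisfied, which removes the two most common causes of result codes 34 and 65 before you touch the server.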

Linux group permissions on a directory

I'm trying to modify this Linux directory
drwxrwx--- 2 root testGrp 4096 dec 17 16:33 test2
I'm writing groups "user" which outputs this:
user : user adm cdrom sudo dip plugdev lpadmin sambashare developer testGrp
I have group permissions rwx for users in the group testGrp, but somehow I cannot read from the directory or create files.
What am I doing wrong?

LDAP listening on localhost but hostname or IP

I've installed LDAP on a Raspberry Pi running Raspbian, which is a Debian fork I think.
I have a DB and entries and can do an LDAP search successfully from the server if I use -h localhost or -h 127.0.0.1. But if I use the hostname or IP, I get an error message:
root@rpi1:~# ldapsearch -d 1 -x -h 10.10.0.11 -b "ou=Groups,dc=pi,dc=home"
ldap_create
ldap_url_parse_ext(ldap://10.10.0.11)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.10.0.11:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.10.0.11:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The weird thing for me is that the service is running and listening on the port:
root@rpi1:~# nmap 10.10.0.11
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-30 22:16 UTC
Nmap scan report for rpi1.pi.home (10.10.0.11)
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 26.78 seconds
root@rpi1:~# nmap localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-30 22:17 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
389/tcp open ldap
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 26.82 seconds
You can see that scanning localhost shows that the service is listening on 389, but not if I use the server's IP or hostname.
So I have no way of getting a client on another server to connect, because it only seems to be listening on localhost... This is beyond my limited understanding, I'm afraid.
As far as I can see I am resolving the name ok:
root@rpi1:~# host rpi1
rpi1 has address 10.10.0.11
root@rpi1:~# host rpi1.pi.home
rpi1.pi.home has address 10.10.0.11
root@rpi1:~# host ldap.pi.home
ldap.pi.home has address 10.10.0.11
Proof that the DB is working:
root@rpi1:~# ldapsearch -x -h 127.0.0.1 -b "cn=Bradley Atkins,cn=musedev,ou=Groups,dc=pi,dc=home"
# extended LDIF
#
# LDAPv3
# base <cn=Bradley Atkins,cn=musedev,ou=Groups,dc=pi,dc=home> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Bradley Atkins, musedev, Groups, pi.home
dn: cn=Bradley Atkins,cn=musedev,ou=Groups,dc=pi,dc=home
cn: Bradley Atkins
givenName: Bradley
gidNumber: 501
homeDirectory: /home/users/batkins
sn: Atkins
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1001
uid: batkins
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Can anyone suggest a way forward?
thanks
As the nmap output shows clearly, it's listening at 127.0.0.1, not 0.0.0.0.
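The bind address can be read directly off the socket table rather than inferred from two nmap runs: ss -ltn (iproute2) lists every listening TCP socket with the local address it is bound to. The following is an added example in Python, not code from the original post, that parses that output and labels each port loopback-only or external; SAMPLE is constructed to mirror the scans above (389 bound to 127.0.0.1, 22 and 636 bound to all addresses).

```python
"""Classify listening TCP ports from `ss -ltn` output by bind address.

Added example, not from the original post. SAMPLE is constructed to match the
nmap results above; on a real host feed it subprocess output from `ss -ltn`.
"""
from collections import defaultdict
import ipaddress

SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:389      0.0.0.0:*
LISTEN 0      128    0.0.0.0:636        0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""


def parse_listeners(ss_output):
    """Return {port: set(local bind addresses)} from `ss -ltn`-style lines."""
    listeners = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        addr, _, port = fields[3].rpartition(":")  # rpartition: IPv6 addresses contain colons
        listeners[int(port)].add(addr.strip("[]"))
    return dict(listeners)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '*' and 0.0.0.0/:: are wildcard binds, not loopback."""
    if addr in ("*", ""):
        return False
    return ipaddress.ip_address(addr).is_loopback


def report(ss_output):
    """{port: 'loopback-only' | 'external'}: a port is external if ANY of its binds is non-loopback."""
    return {port: ("loopback-only" if all(is_loopback(a) for a in addrs) else "external")
            for port, addrs in parse_listeners(ss_output).items()}


if __name__ == "__main__":
    for port, state in sorted(report(SAMPLE).items()):
        print(f"{port:>5}  {state}")
```

slapd takes its listen URLs from its -h argument (on Debian-derived systems set through SLAPD_SERVICES in /etc/default/slapd): ldap://127.0.0.1/ keeps it on loopback as seen here, while ldap:/// binds every address. Whether to open it is a policy decision; if 389 is exposed beyond loopback, limit who can reach it with a host firewall and use ldaps or STARTTLS, because a simple bind on plain ldap:// sends the password in the clear.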

Hadoop: OpenLDAP setup for user to groups mapping fails with invalid DN

I am trying to set up OpenLDAP for user-to-group mapping for Hadoop 2.7.1; I guess something is wrong in the way I have defined the groups or am applying the filters. It's able to connect to the server but throws invalid DN and returns with no groups.
My LDIF export:
# Entry 1: ou=groups,dc=ubu,dc=com
dn: ou=groups,dc=ubu,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups
# Entry 2: cn=admin,ou=groups,dc=ubu,dc=com
dn: cn=admin,ou=groups,dc=ubu,dc=com
cn: admin
gidnumber: 500
memberuid: meadmin
objectclass: posixGroup
objectclass: top
# Entry 3: cn=operator,ou=groups,dc=ubu,dc=com
dn: cn=operator,ou=groups,dc=ubu,dc=com
cn: operator
gidnumber: 501
memberuid: meoperator
objectclass: posixGroup
objectclass: top
# Entry 4: cn=user,ou=groups,dc=ubu,dc=com
dn: cn=user,ou=groups,dc=ubu,dc=com
cn: user
gidnumber: 502
memberuid: meuser
memberuid: meuser2
objectclass: posixGroup
objectclass: top
# Entry 5: ou=users,dc=ubu,dc=com
dn: ou=users,dc=ubu,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 6: cn=hadmin1,ou=users,dc=ubu,dc=com
dn: cn=hadmin1,ou=users,dc=ubu,dc=com
cn: hadmin1
gidnumber: 500
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: meadmin
uid: meadmin
uidnumber: 1000
# Entry 7: cn=hoperator1,ou=users,dc=ubu,dc=com
dn: cn=hoperator1,ou=users,dc=ubu,dc=com
cn: hoperator1
gidnumber: 501
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: meoperator
uid: meoperator
uidnumber: 1002
# Entry 8: cn=huser1,ou=users,dc=ubu,dc=com
dn: cn=huser1,ou=users,dc=ubu,dc=com
cn: huser1
gidnumber: 502
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: meuser
uid: meuser
uidnumber: 1001
# Entry 9: cn=tester1,ou=users,dc=ubu,dc=com
dn: cn=tester1,ou=users,dc=ubu,dc=com
cn: tester1
gidnumber: 502
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: meuser2
uid: meuser2
uidnumber: 1003
Core-site LDAP mapping:
<property>
<name>hadoop.security.group.mapping.ldap.search.filter.user</name>
<value>(&(objectClass=inetOrgPerson)(uid={0}))</value>
</property>
<property>
<name>hadoop.security.group.mapping.ldap.search.filter.group</name>
<value>(objectClass=groupOfNames)</value>
</property>
<property>
<name>hadoop.security.group.mapping.ldap.search.attr.member</name>
<value>member</value>
</property>
<property>
<name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
<value>cn</value>
</property>
What am I missing?
Try the following alternatives for filter.group and attr.member. You're using the wrong objectClass for the group and the wrong attribute for members.
<property>
<name>hadoop.security.group.mapping.ldap.search.filter.group</name>
<value>(objectClass=posixGroup)</value>
</property>
<property>
<name>hadoop.security.group.mapping.ldap.search.attr.member</name>
<value>memberuid</value>
</property>
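To see why the groupOfNames/member pair finds nothing in this directory while posixGroup/memberuid does, here is an added example in Python (not Hadoop's code) that rebuilds the exported entries as dicts and runs the two-step lookup Hadoop's LDAP group mapping performs: match filter.user with {0} replaced by the username, then collect the groups matching filter.group whose attr.member names that user. The filter evaluator covers only the equality and & forms these configs use; matching the member attribute against either the uid or the DN is a simplification of Hadoop's behaviour and is marked as such in the code.

```python
"""Simulate Hadoop's two-step LDAP user->groups lookup against the exported entries.

Added example, not Hadoop's code. Entries are constructed from the LDIF export
above (attribute names lower-cased, values as lists, like an LDAP result set).
"""


def group(cn, gid, *members):
    """A posixGroup entry as exported above."""
    return {"dn": f"cn={cn},ou=groups,dc=ubu,dc=com", "objectclass": ["posixGroup", "top"],
            "cn": [cn], "gidnumber": [str(gid)], "memberuid": list(members)}


def user(cn, uid, uidnum, gid):
    """An inetOrgPerson/posixAccount entry as exported above."""
    return {"dn": f"cn={cn},ou=users,dc=ubu,dc=com",
            "objectclass": ["inetOrgPerson", "posixAccount", "top"],
            "cn": [cn], "sn": [uid], "uid": [uid], "uidnumber": [str(uidnum)], "gidnumber": [str(gid)]}


ENTRIES = [
    group("admin", 500, "meadmin"),
    group("operator", 501, "meoperator"),
    group("user", 502, "meuser", "meuser2"),
    user("hadmin1", "meadmin", 1000, 500),
    user("hoperator1", "meoperator", 1002, 501),
    user("huser1", "meuser", 1001, 502),
    user("tester1", "meuser2", 1003, 502),
]

# The four hadoop.security.group.mapping.ldap.search.* values from the question ...
ASKED = {
    "filter.user": "(&(objectClass=inetOrgPerson)(uid={0}))",
    "filter.group": "(objectClass=groupOfNames)",
    "attr.member": "member",
    "attr.group.name": "cn",
}
# ... and the same with the answer's two changes applied.
ANSWER = dict(ASKED, **{"filter.group": "(objectClass=posixGroup)", "attr.member": "memberuid"})


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value) and (&(f1)(f2)...)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {text!r}")
    body = text[1:-1]
    if body.startswith("&"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        return ("and", parts)
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError(f"only equality filters are supported: {body!r}")
    return ("eq", attr.lower(), value)


def matches(entry, node):
    """Evaluate a parsed filter against one entry, case-insensitively like LDAP's default matching."""
    if node[0] == "and":
        return all(matches(entry, sub) for sub in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def groups_for_user(entries, username, cfg):
    """Step 1: find the user via filter.user; step 2: groups matching filter.group
    whose attr.member names that user. Returns group names (attr.group.name values)."""
    user_filter = parse_filter(cfg["filter.user"].replace("{0}", username))
    user_entry = next((e for e in entries if matches(e, user_filter)), None)
    if user_entry is None:
        return []
    # Simplification: accept the member attribute holding the user's uid (memberUid style)
    # or the user's DN (groupOfNames/member style); real Hadoop uses one per configuration.
    keys = {username.lower(), user_entry["dn"].lower()}
    group_filter = parse_filter(cfg["filter.group"])
    return sorted(e[cfg["attr.group.name"].lower()][0] for e in entries
                  if matches(e, group_filter)
                  and keys & {v.lower() for v in e.get(cfg["attr.member"].lower(), [])})


if __name__ == "__main__":
    for name in ("meadmin", "meuser2"):
        print(name, "asked:", groups_for_user(ENTRIES, name, ASKED),
              "answer:", groups_for_user(ENTRIES, name, ANSWER))
```

The user step succeeds with both configurations (which is why the connection and user lookup look fine); the difference is entirely in step 2, where no exported entry carries objectClass groupOfNames or a member attribute, so the asked configuration has nothing to return.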

Changes to group membership not respected by existing sessions

I'm encountering an odd behavior with Linux permissions and group membership that's got me scratching my head. Here's the situation:
I have two users: alice and bob
alice@KAL:~$ id alice
uid=3000(alice) gid=3000(alice) groups=3000(alice)
alice@KAL:~$ id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)
In alice's home directory, there is a subdirectory that I want to give write permission to bob.
(as alice)
alice@KAL:~$ mkdir shared
alice@KAL:~$ chmod g+w shared
alice@KAL:~$ ls -l
total 4
drwxrwxr-x 2 alice alice 4096 2012-05-15 23:56 shared
I add group alice (gid=3000) as one of bob's secondary groups
(as root)
root@KAL:~# id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)
root@KAL:~# usermod -G 3000 bob
root@KAL:~# id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob),3000(alice)
I open a new terminal, and su as bob, and test my permissions in alice's home directory.
(initially as kp, su'ing as bob)
kp@KAL:~$ sudo su bob
bob@KAL:/home/kp$ cd /home/alice
bob@KAL:/home/alice$ ls -l
total 4
drwxrwxr-x 2 alice alice 4096 2012-05-15 23:56 shared
bob@KAL:/home/alice$ touch test
touch: cannot touch `test': Permission denied <-- fails as expected
bob@KAL:/home/alice$ cd shared
bob@KAL:/home/alice/shared$ touch test <-- succeeds as expected
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:02 test
In a separate terminal, and as root, I revoke bob's membership in group alice.
(root)
root@KAL:~# usermod -G 3001 bob
root@KAL:~# id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)
Now, going back to the terminal where I'm su'ed as bob, it's clear that the membership revocation is recognized but not respected.
(as bob)
bob@KAL:/home/alice/shared$ id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob) <-- group 3000 no longer secondary group
bob@KAL:/home/alice/shared$ touch test2 <-- should fail
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:02 test
-rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
bob@KAL:/home/alice/shared$ rm test <-- this should also fail
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
If I now exit and su as bob again, the change in group membership is now respected.
(as bob)
bob@KAL:/home/alice/shared$ exit
exit
kp@KAL:~$ sudo su bob
bob@KAL:/home/kp$ cd /home/alice/shared
bob@KAL:/home/alice/shared$ ls -l
total 0
-rw-r--r-- 1 bob bob 0 2012-05-16 00:20 test2
bob@KAL:/home/alice/shared$ touch test3
touch: cannot touch `test3': Permission denied <-- now fails as expected
bob@KAL:/home/alice/shared$ id bob
uid=3001(bob) gid=3001(bob) groups=3001(bob)
bob@KAL:/home/alice/shared$
Is this some artifact of using su? Are group memberships only determined at start of the shell?
(This is on a machine running Ubuntu Maverick 10.10 x86_64 2.6.35-32-generic and running bash shell.)
Group memberships persist during sessions as they are applied to a process, i.e., your current shell.
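As the answer says, the supplementary group list is copied into the process when the session starts (that is what id with no argument reports), whereas id bob and groups bob re-read the group database. The following added example in Python, not code from the original post, diffs the two views for a user and names the groups that are stale (still held by the running session but revoked in the database, bob's situation above) or missing (granted since login, the other common case). Nothing in the running session changes until a fresh login or su rebuilds the list.

```python
"""Diff a process's supplementary groups against what the group database grants now.

Added example, not from the original post. diff_groups() is pure so it can be
checked on constructed gid lists; check_current_session() applies it to this process.
"""
import grp
import os
import pwd


def db_groups(username):
    """GIDs the group database currently grants `username`: the primary group from
    the passwd entry plus every group whose member list names the user."""
    primary = pwd.getpwnam(username).pw_gid
    return {primary} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}


def diff_groups(session_gids, database_gids):
    """Return (stale, missing):
    stale   = gids the session still carries but the database no longer grants
    missing = gids the database grants but the session never picked up."""
    session, database = set(session_gids), set(database_gids)
    return sorted(session - database), sorted(database - session)


def check_current_session():
    """Diff this process's group list (what the kernel enforces) against the database."""
    me = pwd.getpwuid(os.getuid()).pw_name
    return diff_groups(os.getgroups(), db_groups(me))


def describe(stale, missing):
    """One-line verdict suitable for a login script or a shell prompt hook."""
    if not stale and not missing:
        return "session groups match the database"
    parts = []
    if stale:
        parts.append(f"stale (revoked but still in effect): {stale}")
    if missing:
        parts.append(f"missing (granted but not in effect): {missing}")
    return "; ".join(parts) + " -> log in again to refresh"


if __name__ == "__main__":
    print(describe(*check_current_session()))
```

Run from bob's first shell in the scenario above, after root's second usermod, the stale list would contain 3000; from the fresh su it would be empty. The same split explains why a user can see a group in groups <user> output and still be denied by the filesystem: permission checks use the process's list, not the database.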
