Issues logging in ldap root DN - openldap

I have been stuck for almost a day on the following issue.
I installed LDAP using: apt-get install slapd
and use the following configuration:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
loglevel 0
moduleload back_sbdb.la
database bdb
suffix "dc=test,dc=nl"
rootdn "cn=Directory Manager,dc=test,dc=nl"
rootpw test
directory /var/lib/ldap
index objectClass eq
index userPassword eq,pres
index givenName,mail,mobile,sn,title,cn,description eq,sub,pres
index displayName eq,sub,pres
index postalAddress,facsimileTelephoneNumber pres
access to *
by self write
by * read
and I then try to bind using
ldapsearch -D cn=Directory Manager,dc=test,dc=nl -w test
but I still receive the error ldap_bind: Invalid Credentials (49)
Does anyone have any idea or clues what this could be?
Thanks in advance

Try it using quotes like;
ldapsearch -D "cn=Directory Manager,dc=test,dc=nl" -w test
Space character in Directory Manager may cause the problem.
Edit: Also, are you sure you don't need -h -p parameters?
-h The host name of the directory server
-p The port number of the directory server
Edit2: Just figured out what is wrong. You are using rootpw unencrypted in your slapd config file. You should use an encrypted password created from the slappasswd tool's output. This may cause problems under special circumstances.
Check this link for details: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-quickstart.html
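How the hashed rootpw value that slappasswd emits is put together, and how a cleartext password is checked against it, as an added Python example that is not part of the original answers; it implements the OpenLDAP {SSHA} scheme (base64 of SHA-1(password + salt) followed by the salt) and assumes a 4-byte salt, which is what slappasswd uses.

```python
import base64
import hashlib
import hmac
import os

SALT_SIZE = 4  # assumption: the salt length slappasswd uses for {SSHA}
DIGEST_SIZE = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt).

    A fixed salt may be passed for reproducible results; otherwise a random one is drawn.
    """
    salt = salt or os.urandom(SALT_SIZE)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a cleartext password against a {SSHA} value; False for any other scheme."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_SIZE], raw[DIGEST_SIZE:]  # whatever follows the digest is the salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def rootpw_directive(password: str) -> str:
    """Render the slapd.conf line with the hash in place of the cleartext 'rootpw test'."""
    return "rootpw " + make_ssha(password)


if __name__ == "__main__":
    line = rootpw_directive("test")
    print(line)
    print("verifies:", check_ssha("test", line.split(" ", 1)[1]))
```

The value printed by rootpw_directive is what belongs on the rootpw line in slapd.conf; slapd then compares the bind password against the hash instead of storing the cleartext.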

A few things you could try:
Turn on more verbose logging (loglevel 255), and see if anything shows up in the log file.
Verify that the server really is reading the configuration file you think by checking the access time on the slapd.conf file (ls -lu slapd.conf)
Try binding using an invalid dn (ldapsearch -D cn=no-such-user -w test) and see if the error message changes (if so, that confirms that the problem is with the password, not the dn).

Try man ldapsearch.
I'm not really sure on debian/ubuntu, but in FreeBSD you need to add a -x to use simple authentication instead of SASL. I think this might be your issue?
Also, you could use -W instead of passing the password in plain text on the command line.

Related

ldapdelete: invalid option -- 'r'

I have a problem executing the recursive ldapdelete -r command. When I connect as root to an LDAP virtual machine I have and run ldapdelete -r -h ip -p 389 -D "cn=admin,o=ms,c=fr" -w Ap201 -f /tmp/ldapContextes >> $reportFile 2>> $errorFile, it deletes all the entries in the LDAP, but if I connect as another user, bousr, and launch the same command I get the following error: ldapdelete: invalid option -- 'r'
I thought it was a permissions problem for the boeusr user, but when I looked at the binaries I saw that ldapdelete has execute permission for root, group and other users, which means that boeusr has execute permission, so I don't understand why I get the error message. Does anyone have any idea?
Thank you.
There is no -r option in ldapdelete; you can't recursively delete entries in LDAP with this command.
You have to specify each dn you want to remove one by one, and in the correct order (i.e. you can't remove an entry which contains children).
Check the solution I provided to the same kind of question here: How to remove all records from LDAP?
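The ordering a non-recursive bulk delete has to follow (every entry before its parent), as an added Python example that is not from the answer or the linked question; it assumes the DNs were collected beforehand (for instance with ldapsearch) and uses a constructed sample tree under the o=ms,c=fr suffix from the question.

```python
SAMPLE_DNS = [  # constructed sample tree, not data from the question
    "o=ms,c=fr",
    "ou=people,o=ms,c=fr",
    "cn=admin,o=ms,c=fr",
    "cn=Doe\\, John,ou=people,o=ms,c=fr",  # RFC 4514 escaped comma inside a value
]


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs on unescaped commas, keeping backslash escapes intact."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped pair such as "\," stays in the value
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def normalize(dn: str) -> str:
    return ",".join(split_dn(dn))


def parent_dn(dn: str) -> str:
    return ",".join(split_dn(dn)[1:])


def deletion_order(dns: list[str]) -> list[str]:
    """Deepest entries first: a child always has more RDNs than its parent, so no parent
    is reached before all of its children (ties are broken alphabetically)."""
    return sorted(dns, key=lambda d: (-len(split_dn(d)), normalize(d).lower()))


def check_order(order: list[str]) -> bool:
    """True if no entry in the list would be deleted after its parent has already gone."""
    deleted = set()
    for dn in order:
        if parent_dn(dn) in deleted:
            return False
        deleted.add(normalize(dn))
    return True


if __name__ == "__main__":
    print("\n".join(deletion_order(SAMPLE_DNS)))  # one DN per line, ready for ldapdelete -f
```

Written to a file one DN per line, the output of deletion_order can be handed to ldapdelete -f, the same flag the question's command already uses.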

How do I use ldapmodify for the first time when I do not know any user or password for authentication?

I am unable to apply changes using ldapmodify for the first time after installing openldap on my rhel7 server.
I have installed openldap from scratch. Now I want to modify olcDatabase={2}hdb.ldif to put in my own olcSuffix, olcRootDN and olcRootPW.
I have generated the encrypted password with ldappasswd and put it, along with the other two parameters, into a .ldif file.
Now, when I try to apply these changes to my ldap setup using the following command
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
I get the error
ldap_sasl_interactive_bind_s: Local error (-2)
Further, if I try to use -D to bind with the default user, -D "cn=Manager,dc=my-domain,dc=com", it needs a password. I do not know what username and password combination I should use to run my first ever ldapmodify on this newly installed openldap.
Your help is much appreciated.
Best regards,
Amit Joshi
You're hitting an OpenLDAP bug (see ITS#8998).
The solution is to either
unset option SASL_NOCANON in ldap.conf or
specify the full path in the LDAPI URI (with URL-quoting of slashes).
The first option might be easier but might affect binding with SASL/GSSAPI (Kerberos).

SNMP TRAPS sending to other file, than /var/log/messages

I have configuration
snmptrapd.conf like below:
disableAuthorization yes
authCommunity log,execute,net public
I wanted to redirect all messages to another file, e.g. /var/log/snmp.log, instead of /var/log/messages. I also tried reconfiguring the rsyslog.conf file:
snmp.* /var/log/snmp.log
but I get an error like this
sie 17 12:50:47 snmp rsyslogd[20398]: unknown facility name "snmp" [v8.24.0]
My question is: how do I redirect all SNMP traps to another file using rsyslog.conf or snmptrapd.conf?
I know that I can save the output manually with a command like the one below, but I need a working daemon as a service, not a single command from the bash shell.
snmptrapd -f -Le -A -Lf /var/log/snmptrapd.log
You can use the -t option with snmptrapd.
snmptrapd -tLf /your-log-location/yourlogfile.log --disableAuthorization=yes
Try this:
# LOGFILE="path to logfile"
# specify the pathname of the logfile; if none or the empty string "" is
# given, use the syslog() mechanism to log the traps
# Default: ""

how to add commands in .ssh/authorized_keys

I read in man sshd that one can add post-login processing when a user logs in using a particular key:
environment="FOO=BAR" ssh-rsa AAA... keytag
But when I try to ssh into the system, the target host does not register the line and instead asks for a password. What is the right way of adding this? I would like to do something like
command="echo|mail -s ${USER},${HOSTNAME} a.monitored.email@example.com" ssh-rsa AAA... keytag
I am using Suse SLE 11 SP2.
Thanks
Dinesh
First, according to the documentation for command="command":
Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note that this option applies to shell, command or subsystem execution. Also note that this command may be superseded by either a sshd_config(5) ForceCommand directive or a command embedded in a certificate.
Using this option, it is possible to enforce execution of a given command when this key is used for authentication, and no other. This is not what you're looking for.
To run a command after login you can add something like this to the file ~/.bashrc:
if [[ -n $SSH_CONNECTION ]] ; then
echo|mail -s ${USER},${HOSTNAME} a.monitored.email@example.com
fi
Second, you need to verify the permissions of the authorized_keys file and of the directory / parent directories in which it is located.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
For more information see: https://www.complang.tuwien.ac.at/doc/openssh-server/faq.html#3.14
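A parser for the option syntax of an authorized_keys line as described above (comma-separated options, double-quoted values, a quote inside a value escaped with a backslash, then key type, key and comment), as an added Python example that is not from the answer or from OpenSSH; the key-type list is a constructed subset, and the sample lines are constructed. Checking a line this way before deploying it catches the unquoted or unterminated values that make sshd reject the entry.

```python
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256")  # constructed subset


def parse_authorized_key(line: str) -> dict:
    """Split one authorized_keys line into options, key type, key blob and comment.

    Option values are double-quoted and may contain \\" (see sshd(8)); a repeated
    option such as environment= simply overwrites the earlier one in this parser.
    """
    line = line.strip()
    i, n, opts = 0, len(line), {}
    if not any(line.startswith(t + " ") for t in KEY_TYPES):  # options precede the key
        while i < n and line[i] != " ":
            start = i
            while i < n and line[i] not in '=, ':
                i += 1
            name, value = line[start:i], True  # bare option (e.g. no-pty) is a flag
            if not name:
                raise ValueError("empty option name")
            if i < n and line[i] == "=":
                i += 1
                if i >= n or line[i] != '"':
                    raise ValueError(f"value of {name!r} must be double-quoted")
                i, buf = i + 1, []
                while i < n and line[i] != '"':
                    if line[i] == "\\" and i + 1 < n and line[i + 1] == '"':
                        i += 1  # \" becomes a literal quote inside the value
                    buf.append(line[i])
                    i += 1
                if i >= n:
                    raise ValueError(f"unterminated value for {name!r}")
                i, value = i + 1, "".join(buf)
            opts[name] = value
            if i < n and line[i] == ",":
                i += 1
        i += 1  # the space separating the options from the key type
    fields = line[i:].split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("missing or unknown key type")
    return {"options": opts, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def is_valid_line(line: str) -> bool:
    """True if the line parses under the rules above, False on any syntax error."""
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False
```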

problem while doing gzip over ssh

I am getting the below error while running the gzip command over ssh
ssh 123@HPUX "gzip"
ksh: gzip: not found
whereas if I run tar the same way it works properly.
ssh 123@HPUX "tar"
tar: usage tar [-]{txruc}[eONvVwAfblhm{op}][0-7[lmh]] [tapefile] [blocksize] [[-C directory] file] ...
Can you please suggest why I am getting this error and how I can overcome this problem?
When I tried the following steps, gzip worked properly
ssh 123@HPUX
gzip
gzip: compressed data not written to a terminal. Use -f to force compression.
For help, type: gzip -h
which means that gzip is working.
Your $path may be set differently for an interactive login session versus executing a single command via ssh. Does it work if you specify an absolute path to gzip?
Try logging in interactively, and use the command which gzip to show where the binary is. Perhaps it's something like /usr/local/gnu/gzip. (You might want to do echo $path too, and make a note of it for comparison purposes.) Then try using that path in your batch SSH command, i.e. ssh 123@HPUX "/usr/local/gnu/gzip", to see what happens. The command ssh 123@HPUX 'echo $path' (note single quotes!) should tell you how your $path is set in that context; if you compare that to your interactive $path, you'll probably see a difference that explains why gzip isn't found in the first version of your batch command.
Wild guess: it's ksh raising the error the first time. When you do a full ssh login, are you using ksh? Are you running any scripts that modify its path?