Greg's Tech blog

• Blog Actions
• RSS

I upgraded to openldap 2.4.6 recently and converted from the slapd.conf file to cn=confg and slapd.d directory. The bottom line is the directory config is now controlled through the directory service rather than the config file and config changes are dynamic, happening immediately rather than requiring a directory restart.

(I guess in this sense,it caught up with Active Directory although that comment would be argued fiercely on the openldap list.)

The switch to a /slapd.d-based config is straight forward. You can feed the slapd.conf file through a conversion process by using one of the slap utilities,

The command:

slaptest -f /etc/openldap/slapd.cong -F /etc/openldap/slapd.d
will create the cn=config structure and create the various ldif files that control the frontend, config and backend databases.

I've been away for awhile working on a significant project at work. We combined 5 offices and three server rooms into a single building and state-of-the-art data center. It was hugely successful. But this blog and this server have suffered from inattention for the past 6-9 months. The only thing I pulled off during that time was an upgrade to Slackware 12 within hours of release. I really couldn't help myself (I run Vista, too). But it went well except. Some minor issues:

• apache is now at v2
  • apache config is now in /etc/httpd
  • apache logs in /var/log/httpd
  • apache docroot now in /srv/httpd

So there are a whole crop of things that need work

• My CA cert is expired! Brilliant, I know. Apparently I only issue the CA cert for 1 week

• Gallery needs an update, but more importantly there are thousands of spam comment. Mostly rude. Apparently there is a captcha weakness. I've killed many, but the cleanup will be tough.

I have to comment on this. I received an e-mail today from Classmates.com today telling me that someone had posted a message to my profile. So I went to the site and was told I would have to upgrade in order to read the message. So do they get to hold that message hostage until I pay? Even after the sender paid for the privilege of sending the message? Brings a whole to meaning to the concept of sending a message, huh? Give me a break.

I've been a non-paying member there for years, but got pretty disgusted a few years back when they went to a pay model and locked down all the information they'd harvested over the years. And that's what they'd done. They provided a useful service for several years in order to gather all the information they could and then put up walls to extort you into signing up for the service. It's lame.

Stay away. Stay far away.

\\Greg

Details:

Classmates.com wrote:
 ____________________________________________________________

                    Who checked you out?
 ____________________________________________________________

 Hi Greg,

 1 person signed your profile!

 Think you know who it was? Find out who's thinking of 
 you now. 
 http://www.classmates.com/go/e/1916436/MVN111406_A_L1A1/4503385848/CM3600

So I clicked the link and found this:

I've had a bear of a time getting OpenLDAP to configure for SSL/TLS. I made a couple discoveries today that I want to note.
(Note: this is not a OpenLDAP/TLS HowTo. If you are just starting, please read the OpenLDAP.org docs on configuring TLS)

I was receiving one main error:

no shared cipher

I couldn't figure out whether slapd was configured properly. So first I tested the certs using OpenSSL
--

I ran this in one shell to set up a listner:
openssl s_server 
    -CAfile /var/data/ca/cacert.pem
    -cert /var/data/ca/newcerts/ldap1cert.pem
    -key /etc/openldap/ldap1keyclear.txt -accept 99
    -cipher DHE-RSA-AES256-SHA

and this in another to connect to the listner:
openssl s_client 
    -host uslack2.gmartin.org 
    -port 99 
    -cipher DHE-RSA-AES256-SHA
    -ssl3 (or -tls1)

(note:These commands use your cert files to set up a server and client to exchange data over ssl or tls.)

For me, the connection established and data was exchanged. Thereby proving the certs & CA were correct.
--
Next I ran slapd with -d 255 to enable debugging. What I found was I using an incorrect directive for the TLS options.

I was using:

TLS_CACertificateFile
TLS_CertificateFile
TLSCertificateKeyFile

not:

TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile

Looks as though I confused ldap.conf and slapd.conf directives. Why are they different one wonders?
---

However, I was still receiving "no shared cipher" error. I was using this as a test tool:

To test for SSL on port 636:
ldapsearch  -H ldaps://uslack2.gmartin.org 
    -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org 
    -w password -x

To test for TLS on port 389:
ldapsearch  -H ldap://uslack2.gmartin.org 
    vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org 
    -w password -x -ZZ

I had the following in slapd.conf and ldap.conf:

TLSCipherSuite DHE-RSA-AES256-SHA

(which I cut and pasted from 'openssl ciphers')

I replaced it with the following to fix the issue:

TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

It's still not clear to me what the syntax should be - the OpenLDAP docs are poor here IMO. Trying to translate the openssl -v ciphers into what's mentioned in the manpage doesn't help me much. Perhaps I'm dense.

---
So I posted a couple questions to openldap mailing list that don't need answers:
- would there be value in making the slapd.conf and ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?

And one more. In the man page for slapd, there is this explanation for the -h option:

slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default
LDAP port).  That is, it will bind using INADDR_ANY and port 389. The -h option 
may be used  to  specify  LDAP  (and  other scheme) URLs  to  serve.   For
example,  if  slapd  is  given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///",
it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,

The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:

"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389. With properly configured TLS directives, specifying '-h ldap:///' will make available TLS over port 389"
-------
And for posterity, here are the TLS directives from my conf files:

slapd.conf
TLSCipherSuite  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never

ldap.conf
TLS_CACERT /var/data/ca/cacert.pem
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP

I was talking through OpenID with some friends recently and decided I could best explain it and understand it by writing a bit about it. OpenID is a recent development in the lightweight ID realm where the user maintains the identity and 3rd part web sites decide whether to consume or make use of that ID.

With the proliferation over the past several years of web sites requiring some sort of user profile and authentication (account), it's become more and more of a nightmare for the average person. Not only must we create and manage each of these accounts, but we have to try to remember what we've done and where we've been.

I recently logged in at ESPN to create and entry for the College Bowl Mania contest they run. I logged in early December, created and my entry. I went back several weeks later - cleaned it up and finalized. it. The other day I was told I had not joined the group I'd wanted to. I logged in again (after looking up my ID again) and found no entry. On a whim, I requested my login ID. After giving my email address, I received a message listing two IDs that I hadn't remembered. I logged in with one of them and found my missing entry. I had three accounts on one site!

Now, my memory may be failing me, but the larger point is that along with those three I'll be I have accounts a more than 50 sites around the web. I try to standardize on a single account name, but my name is rather common and I regularly have to try to invent other account names. This all ends up a big mess. Now I'm a rather savvy web user having been on the Internet since before the web, and a near 20 year IT vet so I can't imagine what it is like for the average person. !!! OpenID comes along

In the past year or so, the attention to the Identity problem on the Internet has grown significantly and several

To work cvs BRANCH-1-9 (Note: the :ext: not :pserver:)

- export CVS_RSH=ssh
- For BRANCH-1-9
-- cvs -z5 -d:ext:gregmartin@tikiwiki.cvs.sourceforge.net:/cvsroot/tikiwiki co -r BRANCH-1-9 tikiwiki

- For HEAD
-- cvs -z5 -d:ext:gregmartin@tikiwiki.cvs.sourceforge.net:/cvsroot/tikiwiki co -r tikiwiki

To Commit:
cvs -z5 -d:ext:gregmartin@tikiwiki.cvs.sourceforge.net:/cvsroot/tikiwiki commit <filename>

I needed to do some debugging of the LDAP authentication with Tikiwiki 1.9.7. I needed a way to see how variables were being set. I found this page on debugging (cache).

I created a file called lib/debug2.inc under /tiki and set the permissions for apache.

I added this line to tiki-index.php:

include ('lib/debug2.inc');

Once that's done, you use this line to print a variable:

debug2_(FILE, LINE, variablename, $variable);

The output is sent to /tiki/debug.out. I ran tail -f debug.out while I was working.

One thing to note., with this loaded, while everything else worked, I could not display tiki-index.php. I would get the error:

"File open failed - global.var.inc"

I use OpenLDAP to authenticate users for my Tikiwiki installation. Between version 1.9.4 and 1.9.6 LDAP auth broke. It looks like tiki upgrade the version of Pear::Auth they use. I found out the problem had to do with the LDAP connection not shoosing to switch to LDAP version 3 calls.

To fix this, there was a short term fix to add this at line 291 of the LDAP.php that comes with Pear::Auth (tikiwiki\lib\pear\Auth\Container\LDAP.php)

$this->options['version']=3;

This has the effect of adding version=3 to the options array that is passed to the LDAP connect method.

So that hack was ok for while, but the I got restless. I modified Tiki so that there is a version option on the Admin->login page. Set this to 3 and all is well.

Here's how:

In lib/userslib.php at line 632 add:

$options["version"] = $tikilib->get_preference("auth_ldap_version", 3);

In tiki-setup.php at line 1195 add:

$auth_ldap_version = "";
$smarty->assign('auth_ldap_version', $auth_ldap_version);

In tiki-admin-include-login.php at line 444 add:

if (isset($_REQUEST["auth_ldap_version"])) {
  $tikilib->set_preference("auth_ldap_version", $_REQUEST["auth_ldap_version"]);
  
  $smarty->assign('auth_ldap_version', $_REQUEST["auth_ldap_version"]);
    }

Lastly, in tiki-admin-include-login.tpl at line 201 copy the LDAP Admin Pwd line and change it to LDAp version and auth_ldap_version (I cannot copy that line here, the html screws up the page)

I found a new Podcast called the Story of Digital Identity SToDID. No sooner did I discover it, then the host, Aldo Castañeda, switched to m4a format. He did so due to potential licensing and file size issues with mp3. See his comments in the comments for Episode #38 (cache) where we diascussed the issue.

Well, I own a Creative Zen Nomad Xtra and use it regularly to listen to podcasts. It does not support the m4a format. I went looking for a way to access the content, found a couple tools and wound up writing this Windows script to convert the file from m4a to mp3. It uses some open source tools — faad, lame and tag to do the heavy lifting. One caution - it removes the original .m4a file when complete. Instructions to stop that are included.

As an after thought, I added the ability to rip the audio m4v files as well.

I use Juice to download my podcasts and it provides a feature to run a command after each download. It provides two parameters for use with the command.
%f = filename
%n - podcast name

I use this command in juice:

start "postDL" cmd /c c:\acc\m4tomp3.cmd "%f" "%n"

The script access %f as %1 and %n as %2

@echo off
::m4ToMP3
::Greg Martin  11/29/06
::Converts m4a and m4v files to mp3 for use on a mp3 player
::  (note: if you've not seen them before, a double colon is similar to a comment (REM)

::sleep to give juice time to complete file write
sleep 5

set podname=%2
set origFileName=%1

:: since a specific filename is passed as %1 the 'for' does nothing except parse
:: the extension & filename
:: fext is set to file extension (.m4a  or mp3)
:: fname is set to filename (less extension)
for %%a in (%1) do set fext=%%~xa& set fname=%%~na& set fpath=%%~dpa

::Convert if needed
if %fext%==.m4a call :convertit %1
if %fext%==.m4v call :convertit %1
call :settag
goto :eof

:convertit
@echo export to wav
::use faad to decode to wav
faad %1
sleep 1
@echo convert to mp3
::use lame to encode to mp3
lame -h -b 96 "%fpath%%fname%.wav" "%fpath%%fname%.mp3"
:: cleanup (remove %origFileName% from the net line to keep the original file after conversion)
del %origFileName% "%fpath%%fname%.wav"
 
goto :eof

:settag
tag --removeid3v2 --genre 90 --album %podname% --title "%fname%" "%fpath%%fname%.mp3"
goto :eof

Feel free to use this script. Please share any changes with me to help make it better.

\\Greg
gmartin@gmartin.org

I wanted to configure sshd so that I could login without a password. I found a brief article at thinkholelabs (cache). While it has some other problems, the tutorial for authorized keys worked well.

After making this all work, I disallowed password logins using:

PasswordAuthentication no

The next thing is to enable some type of port knocking process.
Found this site (cache), and this DenyHosts script (cache) seems promising, but no time now.

OK so we're cruising. I've configured the local samba settings so I can access my backup server. I copied over some scripts and am currently sync'ing data from my soon to be old server to the new.

While it copies I'll begin installing some of the basics.

* Installed 1.240 of webmin and upgraded internally to 1.30.

* Fixed the sound by installing the 2.6.17.13 modules and turning up the speaker volume :redface:

* Cleaned up lilo.conf so the smp kernel is the default and timeout is 10 seconds

* Started a sync of slackware-current and slackware-11 trees

This morning I started cleanup of the problems listed above. Since I selected the huge26.s kernel, I need to load the modules for the 2.6.17.x modules. They are on disk2 in /extra/linux-2.6.17.13 directory. I loaded the linux-kernels-2.6.17.13.tgz package using 'installpkg linux-kernels-2.6.17.13.tgz'

I also edited /etc/lilo.conf to comment out vgs=790 and uncomment vga=791. I restarted. 'Ifconfig' reported the network problems are resolved, but I still have the video mode problem. Then I remembreed I didn't re-run 'lilo' after the lilo,conf edit. I did so, restarted again and that was resolved.

Next things - I have no sound (predicted by Pat V.) and my machine is only recognizing one core. (less /proc/cpuinfo shows only processor :0 info ) That's because this kernel is not SMP.
The sound will be solved by using a 2.4.x modules. I'm not sure how that works yet.
At this point, I'm going to switch to the 2.6.17.13-smp kernel

• The kernel package is in /disk2/extra
• copied the kernel, config and system.map file to /boot
• created a link to system.map and config in the /boot directory
• edit lilo.conf and added the new image
• ran lilo to re-read the config

On reboot, I selected the smp kernel, but there were a bunch of errors about missing modules and the keyboard didn't work. So i restarted the hard way

I found the kernel modules in /disk2/extra/ and loded the kernel-module package. After reboot, I have two cores, and 2GB RAM

All goodness!

I'm planning a Slackware 11 install and upgrade. I have new hardware (Dell GX620 Dual core, 2GB RAM, 250Gb SATA drive and the Intel 945 chipset.

My current system is an old Dell GX110, 1Ghz, 360MB RAM. I've installed quite a few packages over time. Here's my list

package	version
TikiWiki	1.9.4
Gallery	2.x
WebCalendar	CVS
phpGEDView	3.3.8
PhpMyAdmin	2.6.1
phpLDAPAdmin	0.9.5
OpenLDAP	2.3.20
OpenSSL
Nagios	2.1
Webmin

I've downloaded the ISOs (hurray for bittorrent), burned them, printed and read the Readme, changes & hints and other pertinent docs from disk 1.

My next step is to boot from CD and partition the drive. I'm trying to find the best way to do that (yeah there are only guideline). I like using / & swap so that I can take advantage of one big disk, but I think there is benefit to segregating data from system.. Problem is I tend to store data in /var and custom programs in /usr/local so if I switch both out to their own partitions, I'm asking for future trouble. I think I'll go with the single partition for now.

Next decision was what FS to use. I read an article recently where SUSE dumped Reiserfs as the default format for disks. In reading their reasoning (basically, lack of developer interest), I've decided to use ext3 instead.)

Everything installed. I selected the huge26.s kernel and rebooted. I did receive an error on boot that an unsupported video mode was selected. I'll need to do some work in lilo.conf

I ran xorgsetup and started kde. After firing up Firefox it appears there is no network. Sure enough ifconfig shows only 'lo'

I need to copy some files from my backup PC. I've reconfigured smb.conf and started it, but at the moment it will not find the PC. Guess I'll come back in the morning.

\\Greg

To prove mysql was working I installed webcalendar.

I copied the files over from uslacker and used <span style="font-style: italic;">phpmyadmin</span> to export the database.

I created a database (yes latin1_swedish is the correct collation) and imported the file that came from the export.

I had to change <span style="font-style: italic;">setting.php</span> to use <span style="font-style: italic;">user.php</span> and not <span style="font-style: italic;">user-ldap.php</span> since ldap is not currently running.

I managed to rememeber my non-ldap userid (Greg) and the password (sorry!)

All is well

Slackware-current uses Mysql5. I installed it and have had problems with the permissions. I re-ran muysql_install_db and reset the root password and all seems well.

Installed phpmyadmin 2.8.2.4 and then upgraded to 2.9.0 released today.

started the upgrade of this site onto new hardware. The new box has an Intel Core Duo w/2GB RAM. I built it with Slack 10.2 and upgraded to current. I'm awaiting 11.0 final before I complete the install. pat has just release RC5 so we're real close.

I'm rebuilding on a Dell GX620, Pentium D Core Duo, 2GB RAM, 250GB SATA. Nice machine. I had some problems getting started.

• Video recognition

When I went through xorgconfig, the xorg.conf that was created would not start. Final error was No screen found. I tried lots of things. Seems like there is a problem with the Intel 945 chipset. Whenever I specified the i810 driver, no glory.
I was using the default vesa driver, but it only recognized up to 1024x768 and my LCD needs 1280x1024.

I posted to LinuxQuestions and was asked to try xorgsetup instead. The conf file worked and all is swell. Here's the thread from LQ (cache)

• Missing RAM

The machine has 2GB RAM but only 900+MB are recognized by the OS. Posted that to LQ as well. Apparently I need to recompile with Himem support. Thread here (cache)

My plan is to upgrade to -current. After that, I'll try both of these issues again.

Modifying Tiki
Last month I signed up for a claimID account. ClaimID uses the concept of a microID to help you identify your web sites. microID site Claim ID site. I then went through the process of adding a claimID to each of the applications I use at www.gmartin.org (tikiwiki, WebCalendar, Gallery v2) so that my microID was part of the generated page. (this is somewhat invalid as I used the generic http://www.gmartin.org to generate the microID).

For the most part this was a trivial exercise. I found the header or footer template and made some changes. See my other blog post for the particulars.

What I want to do now is a couple things.

1. The first is to adjust tikiwiki so that I can add new meta tage without regenerating the smarty template file
2. Next, I'd like to add some code that actually generates the microID based on the page URL.

Made some changes to tikiwiki and had to upgrade to v1.9.4. I had some problems

1. The ldap login wasn't working. That turned out to be a global problem unrelated (ldap was down)
2. The tikipedia theme was busted. I copied over the tikipedia directory in the ./styles directory, but forgot the tikipedia.css in the ./styles directory
3. the bloglist plugin wasn't working. Had to copt it from /lib/wiki-plugins-dist to /lib/wiki-plugins
4. my microid meta tag changes weren't there.

I grabbed a userid at www.claimid.com and wanted to add the microid meta tag to the pages of several apps I run - namely TikiWiki & Gallery. I figured this all out in under an hour, so your app may be different, but give it a try. One thing. This breaks a simple rule of microID - that the url is encrypted with the email addess. I used the site base URL (linux2.gmartin.org:82) for all pages. Since most of these apps only support static meta tags - that's where I wound up.

Here's how I did it:
The microid is a hash that is assigned to the url & email address combination for a particular page. The email address is the address on file at microid. The mID gets added to a meta tag in the page header. The following is the microID for

http://linux2.gmartin.org:82/gallery/albums.php
< meta name="microid" content="ccb852bd6c3bfce1414c1c950bada71584ade9ba" / >

For Gallery v2,

I had to find the theme.tpl file corresponding to the theme I use (matrix) on the home page. I found it under ../gallery/themes/matrix/templates.

The instructions in the file say that in order to save edits across upgrades, not to edit the original files. I created a local directory (../gallery/themes/matrix/templates/local) and copied theme.tpl there. I edited the file with a text editor and modified the html to add the correct meta tag right before the line containing </head>
-------

For TikiWIki 1.10

This was much more involved, but simpler than v1.9.x. Tiki supports the use of meta tags. Problem is that they have a pre-defined set of tags and microID was not on of them. Take a look at http://.../tiki/tiki-admin.php?page=metatags

Edit /tiki/tiki-admin_includes_metatag.php and add these lines in the (isset($_REQUEST%22metatags%22)) section:

simple_set_value('metatag_microid');

I added them after the author tag so they were clustered on the top of the page separate from the geo tags.

Next is to edit the header.tpl file in ./tiki/templates. In that file I added:

{if $metatag_author ne ''} &lt meta name="microID" content="{$metatag_microid}" /&gt
{/if}
Again, I copied the 'author' item and edited it.

Last is to edit ./tiki/templates directory to modify tiki-admin-include-metatags.tpl file. I copied the author line and changed the references to microid to match the other changes.

&lt tr &gt &lt td class="form" &gt {tr}Meta microID{/tr}: &lt /td &gt &lt td &gt &lt input type="text" name="metatag_microid" 
value="{$metatag_microid}" size="50" / &gt &lt /td &gt &lt /tr &gt

~/np~
Once this is done, you should be able to edit the microid tag on the admin/meta tags page. Once you save that and refresh, the tags should be on all pages in the site (not particularly accurate based on the microID concept, but it works for me!

-------

For TikiWIki 1.92

This was much more involved. Tiki supports the use of meta tags. Problem is that they have a pre-defined set of tags and microID was not on of them. Take a look at http://.../tiki/tiki-admin.php?page=metatags

Edit /tiki/tiki-admin_includes_metatag.php and add these lines in the if (isset($_REQUEST) section:

$tikilib->set_preference('metatag_microid',$_REQUEST["metatag_microid"]);
$smarty->assign("metatag_microid",$_REQUEST["metatag_microid"]);

and this line in the else section:

$smarty->assign("metatag_microid",$tikilib->get_preference("metatag_microid",''));

I added them after the author tag so they were clustered on the top of the page separate from the geo tags.

Next is to edit the header.tpl file in ./tiki/templates. In that file I added:

[if $metatag_microid ne ''] &lt meta name="microid" content="{$metatag_microid}" / &gt
[/if]

Last is to edit ./tiki/templates directory to modify tiki-admin-include-metatags.tpl file. I copied the author line and changed the references to microid to match the other changes.

Once this is done, you should be able to edit the microid tag on the admin/meta tags page. Once you save that and refresh, the tags should be on all pages in the site (not particularly accurate based on the microID concept, but it works for me!

I have a problem (again) with getting OpenLDAP to load when I try to specify certificates. I found this page that helps

http://juxtaposition.axley.net/archives/2003/08/openldapopenssl.html#more

For Christmas I got this great IOGear MiniView Micro USB Plus 2-port KVM. Tonight I hooked it up to my Slackware server and had some problems with it recognizing the mouse now that it was connected via USB. My PC is an old Dell GX110 ~ 3 yrs old. It will work with a USB keyboard & mouse. I made sure USB EMulation was enabled in BIOS, but I am not sure it was necessary.

Within Slackware, I had to make the following changes

From	To
File: /etc/rc.d/rc.gpm
/usr/sbin/gpm -m /dev/mouse -t ps2	/usr/sbin/gpm -m /dev/input/mice -t ps2
File: /etc/rc.d/rc.modules
# /sbin/modprobe hid	/sbin/modprobe hid
# /sbin/modprobe usbmouse	/sbin/modprobe usbmouse
# /sbin/modprobe usbkbd	/sbin/modprobe usbkbd
File: /etc/X11/xorg.conf
Option "Protocol" "auto"	Option "Protocol" "IMPS/2"
Option "Device" "/dev/mouse"	Option "Device" "/dev/input/mice"

Upon further review, I flipped the setting $set_ldap_version to true in user-ldap.php

Here are the rest of my settings

$ldap_server = 'localhost';          

// Port LDAP listens on (default 389)        
$ldap_port = '389';                   

// Use TLS for the connection (not the same as ldaps://)
$ldap_start_tls = false;

// If you need to set LDAP_OPT_PROTOCOL_VERSION
$set_ldap_version = true;
$ldap_version = '3'; // (usually 3)

// base DN to search for users      
$ldap_base_dn = 'ou=people,dc=gmartin,dc=org';

// The ldap attribute used to find a user (login). 
// E.g., if you use cn,  your login might be "Jane Smith"
//       if you use uid, your login might be "jsmith"
$ldap_login_attr = 'uid';

// Account used to bind to the server and search for information. 
// This user must have the correct rights to perform search.
// If left empty the search will be made in anonymous.
//
// *** We do NOT recommend storing the root LDAP account info here ***
$ldap_admin_dn = 'cn=search,ou=people,dc=gmartin,dc=org';  // user DN
$ldap_admin_pwd = 'Search'; // user password


//------ Admin Group Settings ------//
//
// A group name (complete DN) to find users with admin rights
$ldap_admin_group_name = 'cn=webcalAdmin,ou=groups,dc=gmartin,dc=org';

// What type of group do we want (posixgroup, groupofnames, groupofuniquenames)
$ldap_admin_group_type = 'groupOfUniqueNames';

// The LDAP attribute used to store member of a group
$ldap_admin_group_attr = 'uniqueMember';


//------ LDAP Search Settings ------//
//
// LDAP filter to find a user list.
$ldap_user_filter = '(objectclass=person)';

// Attributes to fetch from LDAP and corresponding user variables in the
// application. Do change according to your LDAP Schema
$ldap_user_attr = array( 
  // LDAP attribute   //WebCalendar variable
  'uid',              //login
  'sn',               //lastname
  'givenname',        //firstname
  'cn',               //fullname
  'mail'              //email
);

---

Finally got this to work with LDAP. The problem was that Webcal wasn't making the transition to LDAP V3. I had to add:

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, '3');
after if ( $ds ) { in function user_valid_login()
and in connect_and_bind()

For some reason, the variable $ldap_version doesn't work

\\Greg

OK, I got slapd set up with password-hash {SSHA}. The tells slapd that all password are stored as {SSHA} hashes. I was able to encrypt the root password as well as several user passwords using phpLDAPAdmin

I was then able to authenticate within Tiki as an user. Don't know how to make groups work though

I'm trying to do a simple thing - store non-cleartext passwords in OpenLDAP and use phpLDAPAdmin to set them. Long term I'll be using LDAP to authenticate for tikiwiki & webcalendar.

I'm trying to understand how passwords are stored then how to make use of them. It appears in slapd.conf, you can specify the default password hash mechanism or it defaults to SSHA. I'm trying to generate such a password and set it using LDAPPasswd. LDAPPasswd makes use of SASL.

So I've generated a certificate using OpenSSL and currently slapd is listening on port 636 & 389, however MyLDAPAdmin cannot connect using it. Not sure yet what that is about, but I suspect the cert isn't quite right