openldap-software October 2006

openldap-software@openldap.org

91 participants
100 discussions

OpenLDAP configured for TLS not listenting on port 636
by Rob Tanner 31 Oct '06

31 Oct '06

I am just now venturing for the first time into using SSL with OpenLDAP. The principal problem (or at least the first symptom of the problem) is that the server is listening only on port 389 and not 636 (according to netstat) OpenLDAP was built with the '--with-tls' configuration parameter. While I intend get a regular certificate, for testing purposes I created my own certificate using CA.pl. I copied the output files to where I want to keep them and added the additional configuration info to slapd.conf: TLSCertificateFile /usr/local/etc/openldap/Certs/newcert.pem TLSCertificateKeyFile /usr/local/etc/openldap/Certs/newkey.pem When I start OpenLDAP, I'm prompted to enter the PEM pass phrase. A ps command confirms that the start-up script did the right thing: /usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:/// But ssl connections fail and a netstat command only shows the server listening on port 389. Is there something I'm missing at this point merely to get the server listening on port 636? Thanks. -- Rob Tanner UNIX Services Manager Linfield College, McMinnville OR

5 6

damaged index on openldap replica
by David Pruem 30 Oct '06

30 Oct '06

Hi, I'm running an openldap 2.2.23 replica on a debian 3.1 (sarge) system. Once in a while the index gets damaged and I have to use slapreindex to get authentication working again. The master server is running on fedora core (I don't know the version). Is there anything I can do about this problem? Thanks David Prüm -- Hochschule der Medien Studiengang Informationsdesign Wolframstrasse 32 D-70191 Stuttgart ++49 (0)711 25706 114

4 6

slurpd replication problems between slave and master
by Roman Yushin 30 Oct '06

30 Oct '06

Hello. I am going to setup slurpd replication between two servers. When i am doing changes at master, it replies to slave.(all ok!) But when i am doing changes to slave, it don't replies to master! Here are my configs: ------------------------------------------ master_server ------------------------------------------ include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 256 database ldbm cachesize 10000 dbcachesize 1000000 threads 128 dbnosync dbsync 2 12 5 sizelimit 10000 suffix "o=campus,c=ru" rootdn "cn=Manager,o=campus,c=ru" rootpw passwoooord directory /var/db/openldap-ldbm replogfile /var/log/slurpd.replog replica host=slave_server:389 binddn="cn=replicator,o=campus,c=ru" bindmethod=simple credentials=replicator_password index objectClass eq index uid pres,eq index rid eq index uidNumber eq index gidNumber eq index cn eq,subinitial index memberUid eq index gecos eq index description eq index default sub access to attr=userPassword,lmPassword,ntPassword by self write by * auth access to * by * read ------------------------------------------ slave_server ------------------------------------------ include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/local/libexec/openldap moduleload back_bdb loglevel 256 database bdb suffix "o=campus,c=ru" rootdn "cn=Manager,o=campus,c=ru" rootpw passwoooord directory /var/db/openldap-data index objectClass eq updatedn "cn=replicator,o=campus,c=ru" updateref ldap://master-server access to * by dn="cn=replicator,o=campus,c=ru" write by * read --------------------------- So, replication between master and slave works fine. I need that slave changes replies to master. Are my configs wrong? Both rootdn passwords are equal. When i am going to change slave database, connecting to the slave by "non-updatedn user"(for example rootdn) no changes have been made at master and at the slave! I am using perl-script at slave, cause standart tools doesn't work with updaterefs ------------------ #!/usr/bin/perl use Net::LDAP; $ldap = Net::LDAP->new('localhost') or die "$@"; $ldap->bind ( # bind to a directory with dn and password dn => 'cn=Manager,o=campus,c=ru', password => 'passwoooord' ); $dn="uid=user,ou=People,o=campus,c=ru"; $ldap->modify( $dn, replace => { 'cn' => 'test of perl script' }); $ldap->unbind ; ------------------- Changes have to be done at master server by updateref link, and then they have to replicate by slurpd replication from master to slave, but it doesnt'work Hope for your help. WBR, Roman Yushin

4 4

Case-insensitive search on unicode characters fail in 2.3.x
by Konstantin Katuev 29 Oct '06

29 Oct '06

Hi, We are trying to upgrade our succesfully running openldap 2.2.19 server to newer version (2.3.28). We use unicode (russian) strings for DNs & attribute values. After upgrade all software we use to search information in LDAP directory returns no results when case of letters does not match. If case of letters matches, everything is OK. On ASCII strings search works fine. Older versions (2.2.x) work good. Is it bug or feature? Konstantin.

2 2

RE: Problem with slapd-meta
by Dominique VOLPE 29 Oct '06

29 Oct '06

Damn ! back-ldap doesn't work with two targets. I went back to the starting point! D. -----Message d'origine----- De : Dominique VOLPE [mailto:dominique.volpe@libertysurf.fr] Envoyé : dimanche 29 octobre 2006 20:08 À : 'Pierangelo Masarati' Cc : 'openldap-software(a)openldap.org' Objet : RE: Problem with slapd-meta For my tests, at home, I just setup a single target. Now, I have a doubt. Indeed, the "man" page does not say that multiple targets are allowed. D. -----Message d'origine----- De : Pierangelo Masarati [mailto:ando@sys-net.it] Envoyé : dimanche 29 octobre 2006 20:38 À : Dominique VOLPE Cc : openldap-software(a)openldap.org Objet : Re: Problem with slapd-meta Dominique VOLPE wrote: > I finally made it ! > > I simply used slapd-ldap instead of slapd-meta ! > Just out of curiosity: how can you handle multiple targets with back-ldap? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

RE: Problem with slapd-meta
by Dominique VOLPE 29 Oct '06

29 Oct '06

I finally made it ! I simply used slapd-ldap instead of slapd-meta ! Thank you nevertheless to Pierangelo Dominique -----Message d'origine----- De : Dominique VOLPE [mailto:dominique.volpe@libertysurf.fr] Envoyé : dimanche 29 octobre 2006 18:46 À : 'Pierangelo Masarati' Cc : 'openldap-software(a)openldap.org' Objet : RE: Problem with slapd-meta I have five branches in my meta directory. I mentioned only one to simplify the message. The client begins every search (whatever the search criteria) with this request : Oct 29 19:34:22 localhost slapd[2181]: conn=14 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0 filter="(objectClass=*)" Oct 29 19:34:22 localhost slapd[2181]: conn=14 op=1 SRCH attr=objectClass In a meta drirectory, this cannot works. Accordind to the "man" : The only operation that may resolve to multiple targets is a search with scope at least "one", which results in spawning searches to the targets. I am looking for a work-around. I have tested all possibilities for several days, in vain. Grazie Dominique -----Message d'origine----- De : Pierangelo Masarati [mailto:ando@sys-net.it] Envoyé : dimanche 29 octobre 2006 17:13 À : Dominique VOLPE Cc : openldap-software(a)openldap.org Objet : Re: Problem with slapd-meta Dominique VOLPE wrote: > Hi, > > I try to install a meta directory. > > My slapd.conf looks like that : > > database meta > suffix "o=mydomain,c=fr" > rootdn "cn=Manager,o=mydomain,c=fr" > rootpw secret > lastmod off > > uri "ldap://xxxxx/ou=persons,o=mydomain,c=fr" > suffixmassage "ou=persons,o=mydomain,c=fr" "ou=org1,o=mydomain,c=fr" > > > > When I search an address whith my email client, I can see in the log : > > conn=5 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0 > filter="(objectClass=*)" > conn=5 op=1 SRCH attr=objectClass > daemon: select: listen=6 active_threads=0 tvp=NULL > daemon: select: listen=7 active_threads=0 tvp=NULL request 1 done > conn=5 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= > > > It tries to list all objectclasses, but it uses the scope "base" > (scope=0) instead of "sub" (scope=2). > Thus, it produces an error. > > > Has anybody already met this problem and did find a solution? > > I think I could do it with rewrite rules, but I didn't find how to > substitute the scope. > The scope of a search is automatically handled by slapd-meta to deal with matching the request with what the targets are supposed to handle, there's no way you can explicitly modify the scope of asearch. However, your issue occurs well before any rewriting takes place. In your slapd.conf you configure the meta database so that it can handle requests in the "o=mydomain,c=fr" naming context; then, you configure the only target in a manner that it can only deal with requests in the "ou=persons,o=mydomain,c=fr" branch of that naming context. As the client searches for "o=mydomain,c=fr" with a scope of "base", it means that the client really wants only that very entry, which your meta database can't answer. Either you configure the target so that it can return that very entry, or you configure your client to request what the database can actually return. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

2 2

Problem with slapd-meta
by Dominique VOLPE 29 Oct '06

29 Oct '06

Hi, I try to install a meta directory. My slapd.conf looks like that : database meta suffix "o=mydomain,c=fr" rootdn "cn=Manager,o=mydomain,c=fr" rootpw secret lastmod off uri "ldap://xxxxx/ou=persons,o=mydomain,c=fr" suffixmassage "ou=persons,o=mydomain,c=fr" "ou=org1,o=mydomain,c=fr" When I search an address whith my email client, I can see in the log : conn=5 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0 filter="(objectClass=*)" conn=5 op=1 SRCH attr=objectClass daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL request 1 done conn=5 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= It tries to list all objectclasses, but it uses the scope "base" (scope=0) instead of "sub" (scope=2). Thus, it produces an error. Has anybody already met this problem and did find a solution? I think I could do it with rewrite rules, but I didn't find how to substitute the scope. Thank you. Dominique

2 3

Re: ldap replication half functional
by Quanah Gibson-Mount 28 Oct '06

28 Oct '06

--On Sunday, October 29, 2006 2:39 AM -0300 Sergio Shevtsov <sergioshev(a)yahoo.com.ar> wrote: > Thaks for advise. > I will try to implement the syncrepl machanism. I advise using OpenLDAP 2.3.28, since the version of Syncrepl in OpenLDAP 2.2 was very buggy and completely rewritten for OpenLDAP 2.3. And do you not understand what reply to the list means? It means don't reply just to me. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: ldap replication half functional
by Quanah Gibson-Mount 28 Oct '06

28 Oct '06

--On Sunday, October 29, 2006 2:09 AM -0300 Sergio Shevtsov <sergioshev(a)yahoo.com.ar> wrote: > Hello again. > I'm using Debian Serge 3.1 (testing) with Ldap that come by default. > You suggest the use of syncrepl intstead of slurpd is better. > But i steel dont understand why slurpd fails. I just create another > backend. > Why syncrepl y better instead of slurpd? > Thanks for your time. Please keep replies to the list. syncrepl is better because it understands doing replication from multiple backends very easily, while with slurpd, you can do it, but it is more difficult. slurpd is being deprecated and will eventually be removed from OpenLDAP as syncrepl is a superior replication mechanism. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

ldap replication half functional
by Sergio Shevtsov 28 Oct '06

28 Oct '06

Hello. I'm trying to set up my ldap replication, but it seems semi-functional. i have two backend definded in my slapd.conf. The replication is made without problems in the first backend, but this not happends for the second. Before i have definded only one backend and the replication go fine. When i just set up my second backend with its replication then first is become unfunctional. my master slapd.conf is include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema schemacheck on pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb backend bdb checkpoint 512 30 # here starts my second backend #++++++++++++++++++++++++++++++++++++++++++++++++++# database bdb suffix "ou=bdt,dc=casa,dc=priv" directory "/var/lib/ldap/bdt" rootdn "cn=admin,ou=bdt,dc=casa,dc=priv" rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx index objectClass eq index mail,sn,cn eq,sub,pres lastmod on replogfile /var/lib/ldap/bdt/replog replica uri=ldap://p3.casa.priv:389 bindmethod=simple binddn="cn=rep,ou=bdt,dc=casa,dc=priv" credentials=secret2 access to attrs=userPassword by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write by * read #++++++++++++++++++++++++++++++++++++++++++++++++++# #here starts my firts backend #root of my directory database bdb suffix "dc=casa,dc=priv" directory "/var/lib/ldap" index objectClass eq lastmod on access to attrs=userPassword by dn="cn=admin,dc=casa,dc=priv" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=casa,dc=priv" write by * read replogfile /var/lib/ldap/replog replica uri=ldap://p3.casa.priv:389 bindmethod=simple binddn="cn=rep,dc=casa,dc=priv" credentials=secret my slave slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema schemacheck on pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb backend bdb checkpoint 512 30 # my second backend #++++++++++++++++++++++++++++++++++++++++++++++++++# database bdb suffix "ou=bdt,dc=casa,dc=priv" directory "/var/lib/ldap/bdt" rootdn "cn=admin,ou=bdt,dc=casa,dc=priv" rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx index objectClass eq index mail,sn,cn eq,sub,pres lastmod on updatedn "cn=rep,ou=bdt,dc=casa,dc=priv" updateref ldap://amd.casa.priv:389 access to attrs=userPassword by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write by dn="cn=rep,ou=bdt,dc=casa,dc=priv" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write by dn="cn=rep,ou=bdt,dc=casa,dc=priv" write by * read #++++++++++++++++++++++++++++++++++++++++++++++++++# #my first backend database bdb suffix "dc=casa,dc=priv" directory "/var/lib/ldap" index objectClass eq lastmod on access to attrs=userPassword by dn="cn=admin,dc=casa,dc=priv" write by dn="cn=rep,dc=casa,dc=priv" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=casa,dc=priv" write by dn="cn=rep,dc=casa,dc=priv" write by * read updatedn "cn=rep,dc=casa,dc=priv" updateref ldap://amd.casa.priv:389 i also tried to define the suffix attribute in the replica stanzas of both dc=casa,dc=priv and ou=bdt,dc=casa,dc=priv backends but without lucky. cn=rep,ou=bdt,dc=casa,dc=priv and cn=rep,dc=casa,dc=priv have write privileges, i test it. I don't understand why in my fist backend the replication was broken any hepl helps me much. regards. __________________________________________________ Correo Yahoo! Espacio para todos tus mensajes, antivirus y antispam ¡gratis! ¡Abrí tu cuenta ya! - http://correo.yahoo.com.ar

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2006