OpenLDAP configured for TLS not listening on port 636
by Rob Tanner
I am just now venturing for the first time into using SSL with
OpenLDAP. The principal problem (or at least the first symptom of the
problem) is that the server is listening only on port 389 and not 636
(according to netstat).
OpenLDAP was built with the '--with-tls' configuration parameter. While
I intend to get a regular certificate, for testing purposes I created my
own certificate using CA.pl. I copied the output files to where I want
to keep them and added the additional configuration info to slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/Certs/newcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/Certs/newkey.pem
When I start OpenLDAP, I'm prompted to enter the PEM pass phrase.
A ps command confirms that the start-up script did the right thing:
/usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
But SSL connections fail, and a netstat command only shows the server
listening on port 389.
Is there something I'm missing at this point merely to get the server
listening on port 636?
Thanks.
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
17 years, 1 month
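As an added example (not from the post above, nor from the OpenLDAP project): slapd takes the listener list given to -h as one argument, so in a start-up script the two URLs must be quoted as a single shell word, and since ps prints arguments without their quotes, the ps line above looks the same either way. The script shows what slapd receives in each case, adds two checks for the ldaps listener, and shows the usual way to get rid of the PEM pass-phrase prompt. It assumes ss(8) and openssl(1) are installed and that slapd runs as user ldap, as in the post; the key file paths are the ones from the posted slapd.conf.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows what slapd receives
# on its command line depending on how the URL list for -h is quoted, and
# provides checks for the ldaps listener. check_ldaps assumes ss(8) and
# openssl(1); strip_key_passphrase assumes slapd runs as user "ldap".

# Return the single word slapd receives as the value of -h. The shell has
# already split the command line before slapd sees it, so
#     slapd -h ldap:/// ldaps:///      gives -h the value "ldap:///"
#     slapd -h "ldap:/// ldaps:///"    gives -h both URLs
h_value() {
  while [ $# -gt 0 ]; do
    if [ "$1" = "-h" ]; then
      printf '%s' "$2"
      return 0
    fi
    shift
  done
  return 1
}

# Count words that are neither options nor option values. A stray
# "ldaps:///" here is the sign of an unquoted URL list.
stray_args() {
  n=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -u|-g|-h|-f|-F|-d|-s|-l|-r|-n|-c|-o) [ $# -ge 2 ] && shift ;;  # option with a value
      -*) ;;                                                      # flag without a value
      *) n=$((n + 1)) ;;                                          # positional word
    esac
    shift
  done
  printf '%s' "$n"
}

# Check that something listens on 636 and that it completes a TLS handshake.
check_ldaps() {
  host=${1:-localhost}
  ss -ltn | grep -q ':636 ' || { echo "nothing is listening on :636" >&2; return 1; }
  printf '' | openssl s_client -connect "$host:636" >/dev/null 2>&1 \
    || { echo "TLS handshake to $host:636 failed" >&2; return 1; }
  echo "ldaps listener on $host:636 answers"
}

# slapd asks for the PEM pass phrase at start-up (as in the post) when the
# key is encrypted. The usual fix is an unencrypted copy readable only by the
# user slapd runs as, so file permissions carry the protection instead:
#   strip_key_passphrase /usr/local/etc/openldap/Certs/newkey.pem \
#                        /usr/local/etc/openldap/Certs/newkey-nopass.pem
strip_key_passphrase() {   # strip_key_passphrase IN OUT
  openssl rsa -in "$1" -out "$2" && chmod 0600 "$2" && chown ldap "$2"
}

printf 'unquoted : -h gets "%s", stray words: %s\n' \
  "$(h_value -u ldap -h ldap:/// ldaps:///)" "$(stray_args -u ldap -h ldap:/// ldaps:///)"
printf 'quoted   : -h gets "%s", stray words: %s\n' \
  "$(h_value -u ldap -h "ldap:/// ldaps:///")" "$(stray_args -u ldap -h "ldap:/// ldaps:///")"
```

Running slapd in the foreground with `-d 1` shows any TLS initialisation error that a start-up script would swallow; once the listener is up, `check_ldaps` confirms both the socket and the handshake.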
damaged index on openldap replica
by David Pruem
Hi,
I'm running an OpenLDAP 2.2.23 replica on a Debian 3.1 (sarge) system.
Once in a while the index gets damaged and I have to use slapindex to
get authentication working again.
The master server is running on fedora core (I don't know the version).
Is there anything I can do about this problem?
Thanks
David Prüm
--
Hochschule der Medien
Studiengang Informationsdesign
Wolframstrasse 32
D-70191 Stuttgart
++49 (0)711 25706 114
17 years, 1 month
slurpd replication problems between slave and master
by Roman Yushin
Hello. I am going to set up slurpd replication between two servers.
When I make changes on the master, they are replicated to the slave (all OK!).
But when I make changes on the slave, they are not replicated to the master!
Here are my configs:
------------------------------------------
master_server
------------------------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
database ldbm
cachesize 10000
dbcachesize 1000000
threads 128
dbnosync
dbsync 2 12 5
sizelimit 10000
suffix "o=campus,c=ru"
rootdn "cn=Manager,o=campus,c=ru"
rootpw passwoooord
directory /var/db/openldap-ldbm
replogfile /var/log/slurpd.replog
replica host=slave_server:389
        binddn="cn=replicator,o=campus,c=ru"
        bindmethod=simple
        credentials=replicator_password
index objectClass eq
index uid pres,eq
index rid eq
index uidNumber eq
index gidNumber eq
index cn eq,subinitial
index memberUid eq
index gecos eq
index description eq
index default sub
access to attr=userPassword,lmPassword,ntPassword
        by self write
        by * auth
access to *
        by * read
------------------------------------------
slave_server
------------------------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
loglevel 256
database bdb
suffix "o=campus,c=ru"
rootdn "cn=Manager,o=campus,c=ru"
rootpw passwoooord
directory /var/db/openldap-data
index objectClass eq
updatedn "cn=replicator,o=campus,c=ru"
updateref ldap://master-server
access to *
        by dn="cn=replicator,o=campus,c=ru" write
        by * read
---------------------------
So, replication between master and slave works fine.
I need changes made on the slave to be replicated to the master.
Are my configs wrong? Both rootdn passwords are equal.
When I try to change the slave database, connecting to the slave as a
"non-updatedn user" (for example the rootdn),
no changes are made at the master or at the slave!
I am using a Perl script on the slave, because the standard tools don't
work with updaterefs.
------------------
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
# Connect to the local (slave) server.
my $ldap = Net::LDAP->new('localhost') or die "$@";
# Bind to the directory with a DN and password.
my $mesg = $ldap->bind(
    dn       => 'cn=Manager,o=campus,c=ru',
    password => 'passwoooord',
);
die "bind failed: " . $mesg->error if $mesg->code;
my $dn = "uid=user,ou=People,o=campus,c=ru";
$mesg = $ldap->modify( $dn, replace => { 'cn' => 'test of perl script' } );
# Report the server's answer: a slave configured with updateref answers a
# write from anyone but the updatedn with a referral (result code 10).
die "modify failed: " . $mesg->error if $mesg->code;
$ldap->unbind;
-------------------
Changes have to be made at the master server via the updateref link, and
then they have to be replicated by slurpd from master to slave, but it
doesn't work.
Hope for your help.
WBR, Roman Yushin
17 years, 1 month
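The referral mechanism Roman describes, as an added shell example (not code from the post or from the OpenLDAP project): a slave with updateref answers a write from anyone but the updatedn with a referral to the master, and the client has to chase it by repeating the same operation against the master with its own credentials. The functions below do that with OpenLDAP's ldapmodify; they rely on the tool exiting with the LDAP result code (10 for a referral) and printing the referral URL in its error output. Host and DN names are the ones from the post; the sample output is constructed and only approximates the tool's wording.

```shell
#!/bin/sh
# Added example, not code from the original post. Sends an LDIF change to a
# slurpd slave and, when the slave answers with a referral to its updateref,
# resends the same change to the master. Assumes OpenLDAP's ldapmodify(1),
# which exits with the LDAP result code (10 = referral) and prints the
# referral URL in its error output. Host and DN names are those of the post.

# Reduce a referral URL such as ldap://master-server/uid=user,ou=People,...
# to the scheme://host[:port] part that ldapmodify -H expects.
referral_base() {
  scheme=${1%%://*}
  rest=${1#*://}
  host=${rest%%/*}        # drop the DN and everything after it
  host=${host%%\?*}       # and a "?attrs?scope?filter" tail with no DN
  printf '%s://%s' "$scheme" "$host"
}

# Pull the first LDAP URL out of a block of ldapmodify output.
first_referral() {
  printf '%s\n' "$1" | grep -oE 'ldaps?://[^[:space:]]+' | head -n 1
}

# Apply one LDIF file against URI; on a referral, follow it once, binding to
# the master with the same DN and password file (so the DN must exist there).
modify_following_updateref() {   # URI BINDDN PASSWORD_FILE LDIF
  uri=$1 binddn=$2 pwfile=$3 ldif=$4
  out=$(ldapmodify -H "$uri" -x -D "$binddn" -y "$pwfile" -f "$ldif" 2>&1)
  rc=$?
  if [ "$rc" -eq 10 ]; then
    ref=$(first_referral "$out")
    if [ -z "$ref" ]; then
      echo "referral without a URL: $out" >&2
      return 10
    fi
    target=$(referral_base "$ref")
    echo "referred from $uri to $target, resending the change there" >&2
    ldapmodify -H "$target" -x -D "$binddn" -y "$pwfile" -f "$ldif"
    return $?
  fi
  printf '%s\n' "$out"
  return "$rc"
}

# Constructed sample of what a slave answers when a non-updatedn client
# writes to it; the wording approximates ldapmodify's error output.
SAMPLE_REFERRAL_OUTPUT='modifying entry "uid=user,ou=People,o=campus,c=ru"
ldap_modify: Referral (10)
    referrals:
        ldap://master-server/uid=user,ou=People,o=campus,c=ru'

printf 'referral URL : %s\n' "$(first_referral "$SAMPLE_REFERRAL_OUTPUT")"
printf 'resend target: %s\n' "$(referral_base "$(first_referral "$SAMPLE_REFERRAL_OUTPUT")")"
```

Whatever bind DN the client used on the slave is reused on the master, so it must exist there with the same password and the master's ACLs must grant it write access. The posted configs rely on the rootdn with a clear-text rootpw; slappasswd produces a {SSHA} hash for rootpw, and a dedicated DN subject to ACLs is preferable to the rootdn for routine updates. The password file given to -y keeps the secret out of the process list, where -w would expose it.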
Case-insensitive search on unicode characters fail in 2.3.x
by Konstantin Katuev
Hi,
We are trying to upgrade our successfully running OpenLDAP 2.2.19 server
to a newer version (2.3.28).
We use Unicode (Russian) strings for DNs and attribute values.
After the upgrade, all the software we use to search for information in the
LDAP directory returns no results when the case of the letters does not match.
If the case of the letters matches, everything is OK.
On ASCII strings the search works fine.
Older versions (2.2.x) work well.
Is it a bug or a feature?
Konstantin.
17 years, 1 month
RE: Problem with slapd-meta
by Dominique VOLPE
Damn!
back-ldap doesn't work with two targets.
I went back to the starting point!
D.
-----Original Message-----
From: Dominique VOLPE [mailto:dominique.volpe@libertysurf.fr]
Sent: Sunday, 29 October 2006 20:08
To: 'Pierangelo Masarati'
Cc: 'openldap-software(a)openldap.org'
Subject: RE: Problem with slapd-meta
For my tests, at home, I just setup a single target.
Now, I have a doubt. Indeed, the "man" page does not say that multiple
targets are allowed.
D.
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Sunday, 29 October 2006 20:38
To: Dominique VOLPE
Cc: openldap-software(a)openldap.org
Subject: Re: Problem with slapd-meta
Dominique VOLPE wrote:
> I finally made it !
>
> I simply used slapd-ldap instead of slapd-meta !
>
Just out of curiosity: how can you handle multiple targets with back-ldap?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
17 years, 1 month
RE: Problem with slapd-meta
by Dominique VOLPE
I finally made it !
I simply used slapd-ldap instead of slapd-meta !
Thank you nevertheless to Pierangelo
Dominique
-----Original Message-----
From: Dominique VOLPE [mailto:dominique.volpe@libertysurf.fr]
Sent: Sunday, 29 October 2006 18:46
To: 'Pierangelo Masarati'
Cc: 'openldap-software(a)openldap.org'
Subject: RE: Problem with slapd-meta
I have five branches in my meta directory. I mentioned only one to simplify
the message.
The client begins every search (whatever the search criteria) with this
request:
Oct 29 19:34:22 localhost slapd[2181]: conn=14 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0 filter="(objectClass=*)"
Oct 29 19:34:22 localhost slapd[2181]: conn=14 op=1 SRCH attr=objectClass
In a meta directory, this cannot work. According to the "man": The only
operation that may resolve to multiple targets is a search with scope at
least "one", which results in spawning searches to the targets.
I am looking for a work-around. I have tested all possibilities for several
days, in vain.
Grazie
Dominique
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Sunday, 29 October 2006 17:13
To: Dominique VOLPE
Cc: openldap-software(a)openldap.org
Subject: Re: Problem with slapd-meta
Dominique VOLPE wrote:
> Hi,
>
> I try to install a meta directory.
>
> My slapd.conf looks like that :
>
> database meta
> suffix "o=mydomain,c=fr"
> rootdn "cn=Manager,o=mydomain,c=fr"
> rootpw secret
> lastmod off
>
> uri "ldap://xxxxx/ou=persons,o=mydomain,c=fr"
> suffixmassage "ou=persons,o=mydomain,c=fr" "ou=org1,o=mydomain,c=fr"
>
>
>
> When I search an address with my email client, I can see in the log:
>
> conn=5 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0
> filter="(objectClass=*)"
> conn=5 op=1 SRCH attr=objectClass
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL request 1 done
> conn=5 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>
>
> It tries to list all objectclasses, but it uses the scope "base"
> (scope=0) instead of "sub" (scope=2).
> Thus, it produces an error.
>
>
> Has anybody already met this problem and did find a solution?
>
> I think I could do it with rewrite rules, but I didn't find how to
> substitute the scope.
>
The scope of a search is automatically handled by slapd-meta to deal with
matching the request with what the targets are supposed to handle; there's
no way you can explicitly modify the scope of a search. However, your issue
occurs well before any rewriting takes place.
In your slapd.conf you configure the meta database so that it can handle
requests in the "o=mydomain,c=fr" naming context; then, you configure the
only target in a manner that it can only deal with requests in the
"ou=persons,o=mydomain,c=fr" branch of that naming context. As the client
searches for "o=mydomain,c=fr" with a scope of "base", it means that the
client really wants only that very entry, which your meta database can't
answer. Either you configure the target so that it can return that very
entry, or you configure your client to request what the database can
actually return.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
17 years, 1 month
Problem with slapd-meta
by Dominique VOLPE
Hi,
I am trying to install a meta directory.
My slapd.conf looks like this:
database meta
suffix "o=mydomain,c=fr"
rootdn "cn=Manager,o=mydomain,c=fr"
rootpw secret
lastmod off
uri "ldap://xxxxx/ou=persons,o=mydomain,c=fr"
suffixmassage "ou=persons,o=mydomain,c=fr" "ou=org1,o=mydomain,c=fr"
When I search an address with my email client, I can see in the log:
conn=5 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0 filter="(objectClass=*)"
conn=5 op=1 SRCH attr=objectClass
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
request 1 done
conn=5 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
It tries to list all objectclasses, but it uses the scope "base" (scope=0)
instead of "sub" (scope=2).
Thus, it produces an error.
Has anybody already met this problem and did find a solution?
I think I could do it with rewrite rules, but I didn't find how to
substitute the scope.
Thank you.
Dominique
17 years, 1 month
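To read the stats-log lines in this post (and Pierangelo's explanation of them earlier in the thread), an added shell example that is not code from the post or from the OpenLDAP project: it decodes the scope and result fields slapd logs at loglevel 256 and flags the base-scope search for the suffix entry itself, which is what the posted single-target meta configuration cannot answer (err=32 is noSuchObject). The sample lines are the ones from the post, and META_SUFFIX is the posted suffix.

```shell
#!/bin/sh
# Added example, not code from the original post: decode slapd stats-log
# lines (loglevel 256) like the ones in the post, naming the search scope and
# result code, and flagging a base-scope search for the meta suffix entry
# itself. META_SUFFIX and the sample lines come from the post.

META_SUFFIX='o=mydomain,c=fr'

# Sample lines copied from the post (the first one is reassembled from the
# two lines the mail wrapped it onto).
SRCH_LINE='conn=5 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0 filter="(objectClass=*)"'
RESULT_LINE='conn=5 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text='
SYSLOG_LINE='Oct 29 19:34:22 localhost slapd[2181]: conn=14 op=1 SRCH base="o=mydomain,c=fr" scope=0 deref=0 filter="(objectClass=*)"'

# Search scopes as slapd logs them: the LDAP encoding baseObject=0,
# singleLevel=1, wholeSubtree=2, plus OpenLDAP's 3 for "children".
scope_name() {
  case "$1" in
    0) echo base ;; 1) echo one ;; 2) echo sub ;; 3) echo children ;;
    *) echo "unknown($1)" ;;
  esac
}

# A few LDAP result codes worth recognising in slapd logs.
err_name() {
  case "$1" in
    0) echo success ;; 10) echo referral ;; 32) echo noSuchObject ;;
    49) echo invalidCredentials ;; 50) echo insufficientAccessRights ;;
    *) echo "code $1" ;;
  esac
}

# field KEY LINE: value of KEY="..." or KEY=value in a log line. A space is
# prepended so a key at the very start of the line is found too.
field() {
  v=$(printf ' %s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p")
  [ -n "$v" ] || v=$(printf ' %s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p")
  printf '%s' "$v"
}

# Explain one log line; prints nothing for lines that are neither a SRCH
# nor a SEARCH RESULT record.
explain_line() {
  line=$1
  case "$line" in
    *" SRCH base="*)
      base=$(field base "$line")
      scope=$(scope_name "$(field scope "$line")")
      note=''
      if [ "$scope" = base ] && [ "$base" = "$META_SUFFIX" ]; then
        note=' (base-scope read of the meta suffix entry itself)'
      fi
      printf 'conn=%s op=%s search base="%s" scope=%s filter=%s%s\n' \
        "$(field conn "$line")" "$(field op "$line")" "$base" "$scope" \
        "$(field filter "$line")" "$note"
      ;;
    *" SEARCH RESULT "*)
      printf 'conn=%s op=%s result=%s entries=%s\n' \
        "$(field conn "$line")" "$(field op "$line")" \
        "$(err_name "$(field err "$line")")" "$(field nentries "$line")"
      ;;
  esac
}

for l in "$SRCH_LINE" "$RESULT_LINE" "$SYSLOG_LINE"; do explain_line "$l"; done
```

Piping a live log through `while read -r l; do explain_line "$l"; done` shows immediately whether a client starts with a base-scope read of the suffix, which is the request Pierangelo says a target rooted at ou=persons cannot serve.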
Re: ldap replication half functional
by Quanah Gibson-Mount
--On Sunday, October 29, 2006 2:39 AM -0300 Sergio Shevtsov
<sergioshev(a)yahoo.com.ar> wrote:
> Thanks for the advice.
> I will try to implement the syncrepl mechanism.
I advise using OpenLDAP 2.3.28, since the version of Syncrepl in OpenLDAP
2.2 was very buggy and completely rewritten for OpenLDAP 2.3.
And do you not understand what reply to the list means? It means don't
reply just to me.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
17 years, 1 month
Re: ldap replication half functional
by Quanah Gibson-Mount
--On Sunday, October 29, 2006 2:09 AM -0300 Sergio Shevtsov
<sergioshev(a)yahoo.com.ar> wrote:
> Hello again.
> I'm using Debian Sarge 3.1 (testing) with the LDAP that comes by default.
> You suggest that using syncrepl instead of slurpd is better.
> But I still don't understand why slurpd fails. I just created another
> backend.
> Why is syncrepl better than slurpd?
> Thanks for your time.
Please keep replies to the list.
syncrepl is better because it understands doing replication from multiple
backends very easily, while with slurpd, you can do it, but it is more
difficult. slurpd is being deprecated and will eventually be removed from
OpenLDAP as syncrepl is a superior replication mechanism.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
17 years, 1 month
ldap replication half functional
by Sergio Shevtsov
Hello. I'm trying to set up my LDAP replication, but it seems semi-functional.
I have two backends defined in my slapd.conf. Replication works without problems for the first backend, but not for the second.
Before, I had defined only one backend and replication went fine. When I set up my second backend with its replication, the first became non-functional.
my master slapd.conf is
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
# here starts my second backend
#++++++++++++++++++++++++++++++++++++++++++++++++++#
database bdb
suffix "ou=bdt,dc=casa,dc=priv"
directory "/var/lib/ldap/bdt"
rootdn "cn=admin,ou=bdt,dc=casa,dc=priv"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx
index objectClass eq
index mail,sn,cn eq,sub,pres
lastmod on
replogfile /var/lib/ldap/bdt/replog
replica uri=ldap://p3.casa.priv:389
        bindmethod=simple
        binddn="cn=rep,ou=bdt,dc=casa,dc=priv"
        credentials=secret2
access to attrs=userPassword
        by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write
        by * read
#++++++++++++++++++++++++++++++++++++++++++++++++++#
#here starts my firts backend
#root of my directory
database bdb
suffix "dc=casa,dc=priv"
directory "/var/lib/ldap"
index objectClass eq
lastmod on
access to attrs=userPassword
        by dn="cn=admin,dc=casa,dc=priv" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=casa,dc=priv" write
        by * read
replogfile /var/lib/ldap/replog
replica uri=ldap://p3.casa.priv:389
        bindmethod=simple
        binddn="cn=rep,dc=casa,dc=priv"
        credentials=secret
my slave slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
# my second backend
#++++++++++++++++++++++++++++++++++++++++++++++++++#
database bdb
suffix "ou=bdt,dc=casa,dc=priv"
directory "/var/lib/ldap/bdt"
rootdn "cn=admin,ou=bdt,dc=casa,dc=priv"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx
index objectClass eq
index mail,sn,cn eq,sub,pres
lastmod on
updatedn "cn=rep,ou=bdt,dc=casa,dc=priv"
updateref ldap://amd.casa.priv:389
access to attrs=userPassword
        by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write
        by dn="cn=rep,ou=bdt,dc=casa,dc=priv" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,ou=bdt,dc=casa,dc=priv" write
        by dn="cn=rep,ou=bdt,dc=casa,dc=priv" write
        by * read
#++++++++++++++++++++++++++++++++++++++++++++++++++#
#my first backend
database bdb
suffix "dc=casa,dc=priv"
directory "/var/lib/ldap"
index objectClass eq
lastmod on
access to attrs=userPassword
        by dn="cn=admin,dc=casa,dc=priv" write
        by dn="cn=rep,dc=casa,dc=priv" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=casa,dc=priv" write
        by dn="cn=rep,dc=casa,dc=priv" write
        by * read
updatedn "cn=rep,dc=casa,dc=priv"
updateref ldap://amd.casa.priv:389
I also tried to define the suffix attribute in the replica stanzas of both the dc=casa,dc=priv and ou=bdt,dc=casa,dc=priv backends, but without luck.
cn=rep,ou=bdt,dc=casa,dc=priv
and
cn=rep,dc=casa,dc=priv have write privileges; I tested it. I don't understand why in my first backend the replication was broken.
Any help would help me much.
Regards.
17 years, 1 month
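An added shell example (not code from the post or from the OpenLDAP project): a way to see which of the two suffixes actually replicates, by comparing the DNs held by master and slave, and to confirm that the replica bind DN can bind to the slave at all. It uses the host names and DNs from the posted configs; the two LDIF samples are constructed so that the comparison part runs without any server.

```shell
#!/bin/sh
# Added example, not code from the original post: compare, per replicated
# suffix, the DNs held by the master and by the slave, and check that the
# replica bind DN can bind to the slave. Host names and DNs are the ones in
# the posted configs; the LDIF samples are constructed for the stand-alone run.

MASTER_URI='ldap://amd.casa.priv:389'
SLAVE_URI='ldap://p3.casa.priv:389'

# Sorted list of the DNs found in LDIF text.
ldif_dns() {
  printf '%s\n' "$1" | sed -n 's/^dn: //p' | LC_ALL=C sort
}

# dn_diff MASTER_LDIF SLAVE_LDIF: print DNs present on one side only and
# return non-zero when the two sets differ.
dn_diff() {
  tmp=${TMPDIR:-/tmp}/dndiff.$$
  tab=$(printf '\t')
  ldif_dns "$1" > "$tmp.master"
  ldif_dns "$2" > "$tmp.slave"
  only=$(LC_ALL=C comm -3 "$tmp.master" "$tmp.slave")
  rm -f "$tmp.master" "$tmp.slave"
  [ -z "$only" ] && return 0
  # comm prefixes slave-only lines with a tab; master-only lines have none.
  printf '%s\n' "$only" | sed -e "s/^$tab/slave-only:  /" -e t -e "s/^/master-only: /"
  return 1
}

# Fetch the DNs under SUFFIX from a server, requesting no attributes ("1.1"),
# anonymously, which the posted ACLs allow with "by * read".
server_dns() {   # server_dns URI SUFFIX
  ldapsearch -LLL -x -H "$1" -b "$2" -s sub '(objectClass=*)' 1.1
}

# Compare one suffix between master and slave.
compare_suffix() {   # compare_suffix SUFFIX
  dn_diff "$(server_dns "$MASTER_URI" "$1")" "$(server_dns "$SLAVE_URI" "$1")"
}

# slurpd binds to the slave as the replica binddn; if that bind fails,
# nothing is ever pushed. -y reads the password from a file, keeping it off
# the command line.
check_replica_bind() {   # check_replica_bind BINDDN PASSWORD_FILE
  ldapwhoami -x -H "$SLAVE_URI" -D "$1" -y "$2"
}

# Constructed LDIF samples: the slave is missing one entry under dc=casa,dc=priv.
MASTER_LDIF='dn: dc=casa,dc=priv

dn: ou=People,dc=casa,dc=priv

dn: uid=alice,ou=People,dc=casa,dc=priv
'
SLAVE_LDIF='dn: dc=casa,dc=priv

dn: ou=People,dc=casa,dc=priv
'

dn_diff "$MASTER_LDIF" "$SLAVE_LDIF" || echo "suffix dc=casa,dc=priv is out of sync"
```

Against the live servers, `compare_suffix dc=casa,dc=priv` and `compare_suffix ou=bdt,dc=casa,dc=priv` show which backend is behind, and `check_replica_bind cn=rep,dc=casa,dc=priv /etc/ldap/rep.pw` tests the credentials slurpd uses. Both posted replica stanzas bind with simple authentication over ldap:// on port 389, so those credentials travel in clear text; an ldaps:// URI, or starttls=critical in the replica directive, keeps them off the wire.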