incomplete slapcat
by Robert Petkus
Folks,
We had a major meltdown of LDAP this morning. I understood why, but the
problem was restoring the database. slapcat, no matter how invoked,
would simply not dump the full contents of the database. I needed to do
an ldapsearch -L. This one doesn't make sense to me -- any ideas??
openldap-2.3.24
db4-4.2.52
Thanks!
--
Robert Petkus
Brookhaven National Laboratory
Physics Dept. - Bldg. 510A
http://www.bnl.gov/RHIC
http://www.acf.bnl.gov
Fwd: dynlist overlay expandable attributes are not searchable
by Hai Zaar
Dear List!
I have dynlist overlay configured in the following way:
dynlist-attrset groupOfURLs memberURL uniqueMember
Also I have this dynamic group:
dn: cn=audio,ou=PosixGroups,ou=Groups,dc=example,dc=com
cn: audio
description: All users eligible to use audio devices
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
gidNumber: 11
memberURL: ldap:///ou=People,dc=example,dc=com?uid?one?(&(objectClass=posixAccount)(gidnumber=1000))
When I run the following search:
ldapsearch -x '(gidnumber=11)'
Then I get:
dn: cn=audio,ou=PosixGroups,ou=Groups,dc=example,dc=com
cn: audio
...
memberURL: ldap:///ou=People,dc=example,dc=com?uid?one?(&(objectClass=posixAccount)(gidnumber=1000))
uniqueMember: uid=foo,ou=people,dc=example,dc=com
uniqueMember: uid=bar,ou=people,dc=example,dc=com
I.e., everything works as expected.
The problem is that this search returns nothing:
ldapsearch -x '(uniquemember=*)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uniquemember=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I would expect it to return dn:
cn=audio,ou=PosixGroups,ou=Groups,dc=example,dc=com
How can I fix this?
--
Zaar
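What slapo-dynlist does, at least in the 2.3-era overlay, is compute the uniqueMember values at the moment an entry is returned; the stored entry only carries memberURL, so there is nothing indexed for (uniquemember=*) to match. As an added example (my own Python, not from the thread or from OpenLDAP), here is a miniature in-memory directory with an RFC 4516 LDAP URL parser and a small RFC 4515 filter evaluator that reproduces both results: the filter against stored values finds nothing, the same filter after expansion finds the group. The People entries are constructed; the group entry mirrors the one in the post.

```python
from urllib.parse import unquote

# Constructed sample directory (not the poster's data): DN -> attribute values.
# The group entry mirrors the one shown in the post; the People entries are made up.
DIRECTORY = {
    "cn=audio,ou=PosixGroups,ou=Groups,dc=example,dc=com": {
        "objectclass": ["groupOfURLs", "top", "posixGroup"],
        "cn": ["audio"],
        "gidnumber": ["11"],
        "memberurl": ["ldap:///ou=People,dc=example,dc=com?uid?one?"
                      "(&(objectClass=posixAccount)(gidnumber=1000))"],
    },
    "uid=foo,ou=People,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["foo"], "gidnumber": ["1000"]},
    "uid=bar,ou=People,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["bar"], "gidnumber": ["1000"]},
    "uid=baz,ou=People,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["baz"], "gidnumber": ["2000"]},
}


def parse_ldap_url(url):
    """Split ldap://host/dn?attrs?scope?filter into its parts (RFC 4516)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap URL: %r" % url)
    host, _, path = url[len("ldap://"):].partition("/")
    parts = (path.split("?", 3) + ["", "", ""])[:4]
    dn, attrs, scope, filt = (unquote(p) for p in parts)
    return {"host": host, "base": dn, "attrs": attrs.split(",") if attrs else [],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def parse_filter(s, pos=0):
    """Parse a minimal RFC 4515 filter: &, |, ! plus (attr=value) and (attr=*)."""
    if s[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if s[pos] in "&|!":
        op, pos, subs = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            subs.append(node)
        return (op, subs), pos + 1          # skip the closing ')'
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                         # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)     # "sub"


def search(directory, base, scope, filter_str):
    """Return the sorted DNs under `base` that match `filter_str`."""
    node, _ = parse_filter(filter_str)
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base, scope) and matches(node, entry))


def expand_dynlist(directory, url_attr="memberurl", member_attr="uniquemember"):
    """Mimic what slapo-dynlist does when it *returns* an entry: evaluate each
    memberURL and add the resulting DNs as member values. The stored entry is
    never modified, which is why those values are not indexed or searchable."""
    expanded = {}
    for dn, entry in directory.items():
        copy = {k: list(v) for k, v in entry.items()}
        for url in copy.get(url_attr, []):
            u = parse_ldap_url(url)
            copy.setdefault(member_attr, []).extend(
                search(directory, u["base"], u["scope"], u["filter"]))
        expanded[dn] = copy
    return expanded


def stored_hits():
    """What the server can match: the filter runs against stored values only."""
    return search(DIRECTORY, "dc=example,dc=com", "sub", "(uniquemember=*)")


def expanded_hits():
    """What the poster expected: the filter applied after dynlist expansion."""
    return search(expand_dynlist(DIRECTORY), "dc=example,dc=com", "sub", "(uniquemember=*)")
```

The practical consequence for access control and auditing is the same: anything that must be found by a filter on group membership (an ACL `set` clause, a mail router looking up members) needs the membership stored, via a static group or a periodic job that materialises the dynamic list, rather than computed on return.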
Building a Distributed LDAP tree with replication.
by sebastien Prouff
Hello list,
I have a conception problem with my LDAP and would like to have your
opinion.
I have to build an LDAP tree.
About 10000 LDAP entries.
These are the points:
- the directory service must be distributed on several sites
- the sites are geographically distant and I have an internet satellite
connection between the deported sites and the central site.
- In 12 months, I will have 25 sites to maintain.
- I want to delegate the directory support on each site.
- I want to get the whole LDAP tree on the main site.
Why?
/I want to delegate the directory support on each site./
- Because each site is a Samba Controller for the XP PCs. So information
must first be updated on the distant site and replicated on the main site.
- Because of delegation also. I can't be the administrator for each branch.
/I want to get the whole LDAP tree on the main site./
Because we want to offer a mail service for the whole tree. The mail
server will be in the main site.
The users will be created on the distributed sites by the local
administrators and this information replicated on the main site.
This way the mail server will look on the main LDAP server to
authenticate users.
So, I had a deep look in the openldap documentation but it seems to be a
bit odd. Either my situation is unusual, or I miss a point, or... please help!
Will it be possible to replicate the tree on a subtree?
Let me explain.
for example, i have dc=example,dc=org for my main site.
and dc=a,dc=example,dc=org
and dc=b,dc=example,dc=org
for two of the 25 distant sites.
So, on the main site:

           o dc=org
           |
           o dc=example
          / \
         /   \
   dc=a o     o dc=b

on one distant site...

           o dc=org
           |
           o dc=example
           |
           o dc=a
          /|\
         / | \
       ou  ou  ou
I want to replicate the subtree on the main tree.
Should I use slurpd?
Should I use syncrepl?
Must I use referrals?
- If I use referrals, will my mail server be able to search for a
user on a distant directory?
I know my questions are a bit strange but I am quite new to LDAP/OpenLDAP
and I need a guru's advice.
so...
Sebastien
Re: upgrade to 2.3.19 from 2.1.22
by matthew sporleder
On 2/8/06, Quanah Gibson-Mount <quanah(a)stanford.edu> wrote:
> On Wednesday 08 February 2006 11:57, Quanah Gibson-Mount wrote:
> > On Wednesday 08 February 2006 10:50, matthew sporleder wrote:
> > > I finally managed to drum up some support for upgrading a few legacy
> > > servers from openldap 2.1.22 to 2.3.x. (yay)
> > >
> > > My plan is to follow the general slapcat/slapadd procedure and attempt
> > > to use one big HDB (or possibly three), review all of my ACL's (I
> > > think there were some syntax changes from 2.1 to 2.2, according to the
> > > faq)
> > >
> > > Basically, I'm looking for tips/gotchas that I'm obviously leaving out.
>
> Strip out the operational attributes like entryCSN after doing the slapcat,
> prior to doing the slapadd, as the format changed.
>
Is entryCSN used for anything other than syncrepl?
I'm rehashing this old thread to find out about the opposite
direction. 2.3 masters replicating to 2.1 replicas. I've done some
testing and didn't notice any problems, but I was using slurpd and a
pretty simple setup.
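Quanah's advice in the quoted part is to strip operational attributes such as entryCSN between the slapcat and the slapadd. The following is an added example, my own Python and not a tool from the thread or from the OpenLDAP distribution: a filter that unfolds LDIF continuation lines, drops a configurable set of operational attributes (the set below is an assumption; trim it to what your upgrade needs) and re-folds the output so the result is still valid LDIF. The sample LDIF is constructed and includes a folded value and a base64 value, the two cases a naive line-based grep gets wrong.

```python
# Assumed set of operational attributes to drop before slapadd; trim or extend
# it to match what your own upgrade requires (this list is an assumption).
OPERATIONAL = {"entrycsn", "contextcsn", "entryuuid", "creatorsname",
               "createtimestamp", "modifiersname", "modifytimestamp"}

# Constructed sample LDIF (not real data): note the folded modifiersName value
# and the base64 (::) userPassword, both of which the filter must handle.
SAMPLE_LDIF = """\
dn: uid=alice,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
entryCSN: 20060208115700Z#000001#00#000000
modifiersName: cn=admin,
 dc=example,dc=com
modifyTimestamp: 20060208115700Z
userPassword:: e1NTSEF9eA==

dn: uid=bob,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
entryCSN: 20060208115800Z#000002#00#000000
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto their logical line."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def fold(line, width=78):
    """Re-fold a long logical line the way LDIF expects (continuations start with a space)."""
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return pieces


def attribute_name(line):
    """Lower-cased attribute type of an LDIF line, ignoring ;options; None for blank/comment lines."""
    if not line or line.startswith("#") or ":" not in line:
        return None
    return line.split(":", 1)[0].split(";")[0].lower()


def strip_operational(text, attrs=OPERATIONAL):
    """Return `text` with every attribute in `attrs` removed, folded values included."""
    kept = []
    for line in unfold_ldif(text):
        if attribute_name(line) in attrs:
            continue
        kept.extend(fold(line))
    return "\n".join(kept) + "\n"


def entry_count(text):
    """Number of entries (dn: lines) in an LDIF text, to sanity-check the output."""
    return sum(1 for line in unfold_ldif(text) if attribute_name(line) == "dn")


if __name__ == "__main__":
    import sys
    # usage: slapcat -l - | python strip_operational.py > clean.ldif
    source = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(strip_operational(source))
```

Comparing entry_count() on the input and the output before running slapadd is a cheap check that no entry was lost by the filter; the matching is done on the unfolded attribute type so a value split over several physical lines disappears as a unit.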
Re: connection_read no connection
by Tim Kay
Dave Horsfall wrote:
> On Tue, 1 Aug 2006, Andreas Hasenack wrote:
>
>
>>>> 2006-08-01T22:34:46.206+02:00 mta1 slapd[28378]: connection_read(39): no
>>>> connection! 2006-08-01T22:35:03.340+02:00 mta1 slapd[28378]:
>>>> connection_read(38): no connection!
>>>>
>> [...]
>> I'm getting these a lot with 2.3.25 when I use the "luma" client. I didn't
>> investigate any further what exactly it is doing differently from ldapsearch
>> or gq.
>>
>
> I've found it generally means the client exited without the courtesy of an
> unbind.
>
>
It is strange. We get a lot of these and upping the logging verbosity
reveals:
Oct 3 12:42:37 custard slapd[18835]: conn=29 fd=43 ACCEPT from
PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=0 BIND dn="" method=128
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=0 RESULT tag=97 err=0 text=
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=1 SRCH
base="ou=auto.home,dc=dcs,dc=qmul,dc=ac,dc=uk" scope=2 deref=0
filter="(&(objectClass=automount)(cn=2nd))"
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=1 SRCH attr=cn
automountInformation
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=2 UNBIND
Oct 3 12:42:37 custard slapd[18835]: conn=29 fd=43 closed
Oct 3 12:42:37 custard slapd[18835]: connection_read(43): no connection!
I don't see anything wrong with the client connection, it binds
anonymously, executes a search, unbinds and then closes the connection
only for the server to log "no connection!". As we're seeing about 50 of
these warnings every second in our log files during busy periods it's a
real pain:
Oct 3 12:31:38 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard last message repeated 15 times
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard last message repeated 2 times
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard last message repeated 2 times
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard last message repeated 9 times
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard last message repeated 4 times
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard last message repeated 3 times
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection!
Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection!
Oct 3 12:31:41 custard last message repeated 13 times
All the errors are generated by autofs automount searches connecting
over a local socket, unfortunately setting a debug level high enough to
log individual function calls to get more info slows the server down to
an unacceptable level.
Tim
--
Tim Kay
Systems Programmer
Department of Computer Science
Queen Mary, University of London.
Tel: +44 (0) 207 882 7521
Fax: +44 (0) 208 980 6533
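To triage a flood like the one Tim shows without raising slapd's debug level, here is an added example (my own Python, not from the thread or from OpenLDAP) that works from the conn/fd lifecycle lines already present at the normal stats loglevel. It classifies each "no connection!" warning by whether the log shows that fd as just closed, still open, or never accepted in the window, and it expands syslog's "last message repeated N times" lines so the per-second rate is real rather than collapsed. The sample log is constructed from the lines in the post plus made-up 12:42:38 lines; the verdict names are mine.

```python
import re
from collections import Counter

# Constructed sample log, adapted from the lines in the post (the 12:42:37 block
# is the anonymous bind/search/unbind sequence; the 12:42:38 lines are made up
# to show how "last message repeated N times" is expanded).
SAMPLE_LOG = """\
Oct 3 12:42:37 custard slapd[18835]: conn=29 fd=43 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=0 BIND dn="" method=128
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=0 RESULT tag=97 err=0 text=
Oct 3 12:42:37 custard slapd[18835]: conn=29 op=2 UNBIND
Oct 3 12:42:37 custard slapd[18835]: conn=29 fd=43 closed
Oct 3 12:42:37 custard slapd[18835]: connection_read(43): no connection!
Oct 3 12:42:38 custard slapd[18835]: connection_read(86): no connection!
Oct 3 12:42:38 custard last message repeated 15 times
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(?P<msg>.*)$")
CONN = re.compile(r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) (?P<ev>ACCEPT|closed)")
NOCONN = re.compile(r"connection_read\((?P<fd>\d+)\): no connection!")
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times")


def triage(log_text):
    """Classify each 'no connection!' warning by what the log says about its fd.

    after_clean_close: the fd was ACCEPTed and then closed earlier in the log,
                       i.e. the warning follows a normal UNBIND/close sequence.
    while_open:        the fd is still open according to the log.
    fd_never_seen:     no ACCEPT for that fd in the window examined.
    """
    fd_state = {}            # fd -> "open" | "closed"
    per_second = Counter()   # timestamp -> number of warnings
    verdicts = Counter()
    last_verdict = None      # needed to expand "last message repeated N times"
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        c = CONN.search(msg)
        if c:
            fd_state[c.group("fd")] = "open" if c.group("ev") == "ACCEPT" else "closed"
            last_verdict = None
            continue
        w = NOCONN.search(msg)
        if w:
            state = fd_state.get(w.group("fd"))
            verdict = {"closed": "after_clean_close", "open": "while_open"}.get(state, "fd_never_seen")
            verdicts[verdict] += 1
            per_second[ts] += 1
            last_verdict = verdict
            continue
        r = REPEAT.search(msg)
        if r and last_verdict:
            # syslog collapsed duplicates; count them against the repeat line's second
            n = int(r.group("n"))
            verdicts[last_verdict] += n
            per_second[ts] += n
        else:
            last_verdict = None   # any other message breaks the "repeated" chain
    return {"verdicts": dict(verdicts),
            "peak_per_second": max(per_second.values(), default=0)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it over a window that starts before the connections of interest were accepted, otherwise everything lands in fd_never_seen. A high after_clean_close count with nothing in while_open is consistent with Dave's reading above (the warning trails a normal teardown); warnings on fds the log shows as open are the ones worth a closer look.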
HOWTO bind with uid only (short name)
by Brian Elliott Finley
I have a corporate white pages directory [using OpenLDAP] which requires
authentication. My desire is that users, when configuring their ldap
clients, will only need to put in their username and password, but I
have not yet found a way to do this.
Here are some details that might help:
* Desired binding DN for a user: "username"
* Current binding DN for a user: "uid=username,dc=example,dc=com"
The directory is perfectly flat.
Here are some additional OpenLDAP specifics with regard to my current
authentication setup:
* Passwords are backended by kerberos
* Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
is not feasible.
* userPassword is set to "{GSSAPI}username(a)EXAMPLE.COM"
* A /usr/lib/sasl2/slapd.conf file is in place, directing GSSAPI ->
SASL auth requests to saslauthd
* saslauthd is configured to use PAM
* /etc/pam.d/ldap (the service that slapd considers itself)
contains:
auth required pam_krb5.so ignore_root
account required pam_krb5.so ignore_root
password optional pam_krb5.so ignore_root
session optional pam_krb5.so ignore_root
* /etc/krb5.conf contains the right bits.
Using this config, users are currently able to bind and authenticate
using their kerberos passwords (not tickets).
I've looked into using sasl-regexp, but as that seems to change the sasl
identity, not the bind DN, it does not do what we want. It also appears
unnecessary in our case, as the only way I've found to do authentication
with passwords against either PAM or kerberos directly, is via
saslauthd, which seems to only be invokable when doing auth via
userPassword set to {GSSAPI}$principal.
So, in summary, I would be very interested in the solutions to
following:
a) how can I have a user specify a bind dn of "username" or even
"uid=username".
b) how can I tell OpenLDAP to authenticate with passwords directly
against PAM
c) how can I tell OpenLDAP to allow *anyone* who can authenticate
against kerberos with a password (perhaps via PAM), without
even having a per user DN, to bind.
Thanks,
-Brian
--
Brian Elliott Finley
Mobile: 630.631.6621
ppolicy.c module doesn't respect Draft policy
by LABICHE Alexandre
Hello,
draft-behera-ldap-password-policy-xx.txt says:
5.3.2 pwdChangedTime
This attribute specifies the last time the entry's password was
changed. This is used by the password expiration policy. If this
attribute does not exist, the password will never expire.
And the ppolicy.c overlay says the contrary:

    /*
     * Hmm. No password changed time on the
     * entry. This is odd - it should have
     * been provided when the attribute was
     * added.
     *
     * However, it's possible that it could be
     * missing if the DIT was established via
     * an import process.
     */
    Debug( LDAP_DEBUG_ANY,
        "ppolicy_bind: Entry %s does not have valid pwdChangedTime attribute - assuming password expired\n",
        e->e_name.bv_val, 0, 0);
    pwExpired = 1;
Regards.
Alexandre LABICHE
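To make the disagreement concrete, here is an added example (my own Python, not from the draft and not from ppolicy.c) that implements the expiry decision both ways: the draft's reading, where a missing pwdChangedTime means the password never expires, and the overlay's reading quoted above, where it means the password is treated as expired. It also lists the entries on which the two readings disagree, which is exactly the set an import without pwdChangedTime would lock out. The policy, the entries and the clock are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the post). Values are attribute -> list of
# strings, the shape a search result has. "bob" is the case the post is about:
# an entry that was imported without a pwdChangedTime.
POLICY = {"pwdMaxAge": ["7776000"]}        # 90 days, in seconds
ENTRIES = {
    "uid=alice,dc=example,dc=com": {"pwdChangedTime": ["20060901120000Z"]},
    "uid=bob,dc=example,dc=com": {},
    "uid=carol,dc=example,dc=com": {"pwdChangedTime": ["20060101000000Z"]},
}
NOW = datetime(2006, 10, 3, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock


def parse_generalized_time(value):
    """Parse the GeneralizedTime form slapd writes for pwdChangedTime (YYYYMMDDHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry, policy, now, missing_means_expired=False):
    """Decide expiry for one entry.

    missing_means_expired=False follows draft section 5.3.2 (no pwdChangedTime
    means the password never expires); True mirrors the ppolicy.c branch quoted
    in the post, which assumes an expired password instead.
    """
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    if max_age == 0:                           # policy has no expiry at all
        return False
    changed = entry.get("pwdChangedTime")
    if not changed:
        return missing_means_expired
    return now >= parse_generalized_time(changed[0]) + timedelta(seconds=max_age)


def disputed_entries(entries, policy, now):
    """DNs whose verdict differs between the two readings: exactly the entries
    an import without pwdChangedTime would lock out under the overlay."""
    return sorted(dn for dn, e in entries.items()
                  if password_expired(e, policy, now) != password_expired(e, policy, now, True))


def backfill_changed_time(entry, now):
    """Mitigation for imported data: give an entry without pwdChangedTime a
    value (here: the import time) so both readings agree. Returns a new dict."""
    fixed = dict(entry)
    fixed.setdefault("pwdChangedTime", [now.strftime("%Y%m%d%H%M%SZ")])
    return fixed


if __name__ == "__main__":
    for dn, entry in ENTRIES.items():
        print(dn, "draft:", password_expired(entry, POLICY, NOW),
              "overlay:", password_expired(entry, POLICY, NOW, True))
    print("disputed:", disputed_entries(ENTRIES, POLICY, NOW))
```

Choosing the import time for the backfill is the conservative option: it makes an imported password expire a full pwdMaxAge later rather than never, which keeps the rotation policy meaningful while avoiding the lock-out. pwdChangedTime is an operational attribute, so writing it takes an administrative path (for example including it in the LDIF given to slapadd); the function only computes the value.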
Re: TLS question
by Dennis.Hoffman@seagate.com
The client *is* configured - (ldap.conf):
....
TLS_CACERT /usr/local/etc/openldapcacert/cacert.pem
TLS_REQCERT never
...
The server is configured (slapd.conf):
...
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2
TLSCACertificateFIle /usr/local/etc/openldap/cacert/cacert.pem
TLSCertificateFIle /usr/local/etc/openldap/server.cert
TLSCertificateKeyFIle /usr/local/etc/openldap/server.key
TLSVerifyClient never
.....
Attached is the output of the server, indicating that the CA is still
"unknown". I've tried every combination of client/server configurations I
can think of, and still get the same thing. I'm not sure what I'm missing
here.
Thanks
Dennis
(See attached file: server.out)
Howard Chu <hyc(a)symas.com>
Sent by: owner-openldap-software(a)OpenLDAP.org
To: Dennis.Hoffman(a)seagate.com
cc: openldap-software(a)OpenLDAP.org
Subject: Re: TLS question
09/29/2006 08:24 PM
Dennis.Hoffman(a)seagate.com wrote:
> Hello:
>
> I am trying to get TLS working on openldap-2.3.20. when I initiate a
> search, the debug info at the server indicates "unknown_ca". According to
> RFC 2246, this means that the "CA certificate could not be located or
> couldn't be matched with a known, trusted CA". My question: Isn't the
> slapd.conf "TLSCACertificateFile" directive what tells slapd which CA to
> trust? If so, why isn't it working?
See the Admin Guide http://www.openldap.org/doc/admin23/tls.html
You need to configure the client.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
Re: DB buggy after Reboot
by Matthias Spork
Hello Howard,
Howard Chu schrieb:
> Matthias Spork wrote:
>> Howard Chu schrieb:
>
>>> It looks like some transactions got rolled back, probably because
>>> there wasn't a recent enough checkpoint and the logs for the latest
>>> transactions didn't get flushed to disk. Setting a more frequent
>>> checkpoint interval would probably help.
>>>
Now, with "checkpoint 128 5" in my slapd.conf, it seems to work. I
reboot my servers after one week, and the md5sums of the databases are equal.
But on one server I sometimes had to do a "rcldap restart" to get it
running (although "rcldap status" shows it running).
May I set checkpoint in slapd.conf or in DB_CONFIG? Actually it worked
in slapd.conf.
Kind regards
matze
timeout problems
by Csillag Tamas
Hi,
I set up an ldap server three years ago in our university in order to
have a single password via samba and lib???-ldap.
Later on I requested an OID from IANA, then created my own schema. It was
working quite well.
A few months ago another organization's data was migrated to ldap (it is
in testing now). In the meantime I switched to the latest openldap
release (2.3). The older setup used the ldbm backend; the newer one is bdb
based, as ldbm is gone.
To get some kind of separation, first I created two backends and, with the
help of an OpenLDAP core developer, I set up slapo-glue to be able to
search in both ldap suffixes (needed for the mail server, which is the same
for the two organizations; other services are separated now). It was
working, but I got weird timeouts on the mail server (it worked
perfectly in the previous setup) and on the file server too. Syncrepl
did not work at all, so in order to get my replica back to work again
I put all in one backend. Now I use round-robin DNS to distribute the
load as before (slurpd replication).
I tuned the indices to avoid the timeouts and ran slapindex. I get no
more index_param failed messages, so I suspect all the needed indices are
there. But the timeouts are still here.
My last hope was DB_CONFIG, but it did not fix my problem.
here is my DB_CONFIG:
-----------------------------------
set_cachesize 0 134217728 2
#set_lg_regionmax 262144
#set_lg_bsize 2097152
#set_lg_dir /var/log/bdb
#
# Automatically remove log files that are no longer needed.
set_flags DB_LOG_AUTOREMOVE
#
# Setting set_tas_spins reduces resource contention from multiple
# clients on systems with multiple CPU's.
set_tas_spins 1
-----------------------------------
I was unable to set the set_lg_* values right, so they are commented out.
I have 768 MB RAM, Debian Sarge, OpenLDAP 2.3 HEAD as of 2006-09-25, libdb4.2.
I turned up loglevel and the message which annoys me most is:
<= bdb_index_read: failed (-30990)
In db.h I found:
#define DB_NOTFOUND (-30990)/* Key/data pair not found (EOF). */
but I do not know what it means in this context.
Please tell me what to do.
Thanks in advance!
--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it."
-- Brian W. Kernighan
CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas