openldap-software October 2006

openldap-software@openldap.org

91 participants
100 discussions

incomplete slapcat
by Robert Petkus 04 Oct '06

04 Oct '06

Folks, We had a major meltdown of LDAP this morning. I understood why, but the problem was restoring the database. slapcat, no matter how invoked, would simply not dump the full contents of the database. I needed to do a ldapsearch -L. This one doesn't make sense to me -- any ideas?? openldap-2.3.24 db4-4.2.52 Thanks! -- Robert Petkus Brookhaven National Laboratory Physics Dept. - Bldg. 510A http://www.bnl.gov/RHIC http://www.acf.bnl.gov

7 19

Fwd: dynlist overlay expandable attributes are not searchable
by Hai Zaar 04 Oct '06

04 Oct '06

Dear List! I have dynlist overlay configured in the following way: dynlist-attrset groupOfURLs memberURL uniqueMember Also I have this dynamic group: dn: cn=audio,ou=PosixGroups,ou=Groups,dc=example,dc=com cn: audio description: All users eligible to use audio devices objectClass: groupOfURLs objectClass: top objectClass: posixGroup gidNumber: 11 memberURL: ldap:///ou=People,dc=example,dc=com?uid?one?(&(objectClass=p osixAccount)(gidnumber=1000)) When I run the following search: ldapsearch -x '(gidnumber=11)' Then I get: dn: cn=audio,ou=PosixGroups,ou=Groups,dc=example,dc=com cn: audio ... memberURL: ldap:///ou=People,dc=example,dc=com?uid?one?(&(objectClass=p osixAccount)(gidnumber=1000)) uniqueMember: uid=foo,ou=people,dc=example,dc=com uniqueMember: uid=bar,ou=people,dc=example,dc=com I.e. everything works like exepected. The problem is that this search returns nothing: ldapsearch -x '(uniquemember=*)' # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (uniquemember=*) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 I would expect it to return dn: cn=audio,ou=PosixGroups,ou=Groups,dc=example,dc=com How can I fix this? -- Zaar -- Zaar

2 2

Building a Distributed LDAP tree with replication.
by sebastien Prouff 04 Oct '06

04 Oct '06

Hello list, I have a conception problem with my LDAP and would like to have your opinion. I have to built a LDAP tree. About 10000 LDAP entry. These are the points : - the directory service must be distributed on several sites - the sites are geographicaly distant and a have internet satellite connexion between the deported sites and the central site. - In 12 month, I will have 25 sites to maintain. - I want to delegate the directory support on each site. - I want to get the whole LDAP tree on the main site. Why? /I want to delegate the directory support on each site./ - Because each site is a Samba Controleur for the XP PC. So information must be first upgrade on the distant site and replicated on the main site. - Because of delegation also. I can't be the administrator for each branch /I want to get the whole LDAP tree on the main site. /Because we want to offer a mail service for the whole tree. The mail server will be in the main site. The users will be created on the distributed site by the local administrators and these informations replicated on the main site. By this way the mail server will look on the main LDAP server to authentificate users. So, I had I deep look in the openldap documentation by It seems to be a bit odd. Or, my situation is unusual, or I miss a point, or...please help! Will it be possible to replicated the tree on a subtree? let me explain. for example, i have dc=example,dc=org for my main site. and dc=a,dc=example,dc=org and dc=b,dc=example,dc=org for two of the 25 distant sites. So, on the main site o dc=org | o dc=example / \ / \ dc=a o o dc=b on one distant site... o dc=org | o dc=example | o dc=a / | \ / | \ ou ou ou I want to replicate the sub tree on the main tree. Should I use rslurpd? Should I use syncrepl? Must I use referral? - If I use referral, will my mail server be able to search for a user on a distant directory? I know my questions are a bit strange but I am quite new on LDAP/open LDAP and I need gourou's advice. so... Sebastien

3 2

Re: upgrade to 2.3.19 from 2.1.22
by matthew sporleder 03 Oct '06

03 Oct '06

On 2/8/06, Quanah Gibson-Mount <quanah(a)stanford.edu> wrote: > On Wednesday 08 February 2006 11:57, Quanah Gibson-Mount wrote: > > On Wednesday 08 February 2006 10:50, matthew sporleder wrote: > > > I finally managed to drum up some support for upgrading a few legacy > > > servers from openldap 2.1.22 to 2.3.x. (yay) > > > > > > My plan is to follow the general slapcat/slapadd procedure and attempt > > > to use one big HDB (or possibly three), review all of my ACL's (I > > > think there were some syntax changes from 2.1 to 2.2, according to the > > > faq) > > > > > > Basically, I'm looking for tips/gotchas that I'm obviously leaving out. > > Strip out the operational attributes like entryCSN after doing the slapcat, > prior to doing the slapadd, as the format changed. > Is entryCSN used for anything other than syncrepl? I'm rehatching this old thread to find out about the opposite direction. 2.3 masters replicating to 2.1 replicas. I've done some testing and didn't notice any problems, but I was using slurpd and a pretty simple setup.

3 2

Re: connection_read no connection
by Tim Kay 03 Oct '06

03 Oct '06

Dave Horsfall wrote: > On Tue, 1 Aug 2006, Andreas Hasenack wrote: > > >>>> 2006-08-01T22:34:46.206+02:00 mta1 slapd[28378]: connection_read(39): no >>>> connection! 2006-08-01T22:35:03.340+02:00 mta1 slapd[28378]: >>>> connection_read(38): no connection! >>>> >> [...] >> I'm getting these a lot with 2.3.25 when I use the "luma" client. I didn't >> investigate any further what exactly it is doing differently from ldapsearch >> or gq. >> > > I've found it generally means the client exited without the courtesy of an > unbind. > > It is strange. We get a lot of these and upping the logging verbosity reveals: Oct 3 12:42:37 custard slapd[18835]: conn=29 fd=43 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi) Oct 3 12:42:37 custard slapd[18835]: conn=29 op=0 BIND dn="" method=128 Oct 3 12:42:37 custard slapd[18835]: conn=29 op=0 RESULT tag=97 err=0 text= Oct 3 12:42:37 custard slapd[18835]: conn=29 op=1 SRCH base="ou=auto.home,dc=dcs,dc=qmul,dc=ac,dc=uk" scope=2 deref=0 filter="(&(objectClass=automount)(cn=2nd))" Oct 3 12:42:37 custard slapd[18835]: conn=29 op=1 SRCH attr=cn automountInformation Oct 3 12:42:37 custard slapd[18835]: conn=29 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Oct 3 12:42:37 custard slapd[18835]: conn=29 op=2 UNBIND Oct 3 12:42:37 custard slapd[18835]: conn=29 fd=43 closed Oct 3 12:42:37 custard slapd[18835]: connection_read(43): no connection! I don't see anything wrong with the client connection, it binds anonymously, executes a search, unbinds and then closes the connection only for the server to log "no connection!". As we're seeing about 50 of these warnings every second in our log files during busy periods it's a real pain: Oct 3 12:31:38 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard last message repeated 15 times Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard last message repeated 2 times Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard last message repeated 2 times Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard last message repeated 9 times Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard last message repeated 4 times Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard last message repeated 3 times Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(96): no connection! Oct 3 12:31:39 custard slapd[20964]: connection_read(86): no connection! Oct 3 12:31:41 custard last message repeated 13 times All the errors are generated by autofs automount searches connecting over a local socket, unfortunately setting a debug level high enough to log individual function calls to get more info slows the server down to an unacceptable level. Tim -- Tim Kay Systems Programmer Department of Computer Science Queen Mary, University of London. Tel: +44 (0) 207 882 7521 Fax: +44 (0) 208 980 6533

1 0

HOWTO bind with uid only (short name)
by Brian Elliott Finley 02 Oct '06

02 Oct '06

I have a corporate white pages directory [using OpenLDAP] which requires authentication. My desire is that users, when configuring their ldap clients, will only need to put in their username and password, but I have not yet found a way to do this. Here are some details that might help: * Desired binding DN for a user: "username" * Current binding DN for a user: "uid=username,dc=example,dc=com" The directory is perfectly flat. Here are some additional OpenLDAP specifics with regard to my current authentication setup: * Passwords are backended by kerberos * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth is not feasible. * userPassword is set to "{GSSAPI}username(a)EXAMPLE.COM" * A /usr/lib/sasl2/slapd.conf file is in place, directing GSSAPI -> SASL auth requests to saslauthd * saslauthd is configured to use PAM * /etc/pam.d/ldap (the service that slapd considers itself) contains: auth required pam_krb5.so ignore_root account required pam_krb5.so ignore_root password optional pam_krb5.so ignore_root session optional pam_krb5.so ignore_root * /etc/krb5.conf contains the right bits. Using this config, users are currently able to bind and authenticate using their kerberos passwords (not tickets). I've looked into using sasl-regexp, but as that seems to change the sasl identity, not the bind DN, it does not do what we want. It also appears unnecessary in our case, as the only way I've found to do authentication with passwords against either PAM or kerberos directly, is via saslauthd, which seems to only be invokable when doing auth via userPassword set to {GSSAPI}$principal. So, in summary, I would be very interested in the solutions to following: a) how can I have a user specify a bind dn of "username" or even "uid=username". b) how can I tell OpenLDAP to authenticate with passwords directly against PAM c) how can I tell OpenLDAP to allow *anyone* who can authenticate against kerberos with a password (perhaps via PAM), without even having a per user DN, to bind. Thanks, -Brian -- Brian Elliott Finley Mobile: 630.631.6621

2 2

ppolicy.c module doesn't respect Draft policy
by LABICHE Alexandre 02 Oct '06

02 Oct '06

Hello, draft-behera-ldap-password-policy-xx.txt says: 5.3.2 pwdChangedTime This attribute specifies the last time the entry's password was changed. This is used by the password expiration policy. If this attribute does not exist, the password will never expire. And ppolicy.c overlay says contrary /* * Hmm. No password changed time on the * entry. This is odd - it should have * been provided when the attribute was added. * * However, it's possible that it could be * missing if the DIT was established via * an import process. */ Debug( LDAP_DEBUG_ANY, "ppolicy_bind: Entry %s does not have valid pwdChangedTime attribute - assuming password expired\n", e->e_name.bv_val, 0, 0); pwExpired = 1; Regards. Alexandre LABICHE

2 1

Re: TLS question
by Dennis.Hoffman＠seagate.com 02 Oct '06

02 Oct '06

The client *is* configured - (ldap.conf): .... TLS_CACERT /usr/local/etc/openldapcacert/cacert.pem TLS_REQCERT never ... The server is configured (slapd.conf): ... TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2 TLSCACertificateFIle /usr/local/etc/openldap/cacert/cacert.pem TLSCertificateFIle /usr/local/etc/openldap/server.cert TLSCertificateKeyFIle /usr/local/etc/openldap/server.key TLSVerifyClient never ..... Attached is the output of the server - indicating that the ca is still "unknown " I've tried every combination of client/server configurations I can think of, and still get the same thing - I'm not sure what I'm missing here. Thanks Dennis (See attached file: server.out) Howard Chu <hyc(a)symas.com> Sent by: To owner-openldap-so Dennis.Hoffman(a)seagate.com ftware(a)OpenLDAP.o cc rg openldap-software(a)OpenLDAP.org No Phone Info Subject Available Re: TLS question 09/29/2006 08:24 PM Dennis.Hoffman(a)seagate.com wrote: > Hello: > > I am trying to get TLS working on openldap-2.3.20. when I initiate a > search, the debug info at the server indicates "unknown_ca". According to > RFC 2246, this means that the "CA certificate could not be located or > couldn't be matched with a known, trusted CA". My question: Isn't the > slapd.conf "TLSCACertificateFile" directive what tells slapd which CA to > trust? If so, why isn't it working? See the Admin Guide http://www.openldap.org/doc/admin23/tls.html You need to configure the client. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

3 2

Re: DB buggy after Reboot
by Matthias Spork 01 Oct '06

01 Oct '06

Hello Howard, Howard Chu schrieb: > Matthias Spork wrote: >> Howard Chu schrieb: > >>> It looks like some transactions got rolled back, probably because >>> there wasn't a recent enough checkpoint and the logs for the latest >>> transactions didn't get flushed to disk. Setting a more frequent >>> checkpoint interval would probably help. >>> Now, with "checkpoint 128 5" in my slapd.conf, it seemed to work. I reboot my Servers after one week, and the md5sum of the databases are equal. But, at one Server sometimes I had to do a "rcldap restart" to get it run (although "rcldap status" show running). May I set checkpoint in slapd.conf or in DB_CONFIG? Actually it worked in slapd.conf. Kind regards matze

1 0

timeout problems
by Csillag Tamas 01 Oct '06

01 Oct '06

Hi, I set up an ldap server three years ago in our university in order to have a single password via samba and lib???-ldap. Later on I requested an OID from IANA then created my own schema. It was working quite well. A few months ago another organization's data was migrated to ldap (it is in testing now). In the meanwhile I switched to the latest openldap release (2.3). The older setup used ldbm backend the newer one is bdb based as ldbm is gone. To get some kind of separation first I created two backends and with the help of an OpenLDAP core developer I set up slapo-glue to be able to search in both ldap suffix (needed for the mailserver which is the same for the two organization, other services are separated now). It was working, but I get weird timeouts on the mail server (it worked perfectly in the previous setup) and on the file server too. Syncrepl did not work at all so in order to get my replica back to work again I put all in one backend. Now I use a round-robin dns to distribute the load as before (slurpd replication). I tuned the indices to avoid the timeouts and ran slapindex. I get no more index_param failed messages so I suspect all the needed indices are here. But the timeouts were still here. My last hope was DB_CONFIG but it did not fix my problem. here is my DB_CONFIG: ----------------------------------- set_cachesize 0 134217728 2 #set_lg_regionmax 262144 #set_lg_bsize 2097152 #set_lg_dir /var/log/bdb # # Automatically remove log files that are no longer needed. set_flags DB_LOG_AUTOREMOVE # # Setting set_tas_spins reduces resource contention from multiple # clients on systems with multiple CPU's. set_tas_spins 1 ----------------------------------- I was unable to set up set_lg_* values right so they are commented out. I have 768Mb RAM. Debian Sarge. OpenLDAP 2.3 HEAD as 2006-09-25. libdb4.2. I turned up loglevel and the message which annoyes me most is: <= bdb_index_read: failed (-30990) In db.h I found: #define DB_NOTFOUND (-30990)/* Key/data pair not found (EOF). */ but I do not know what does it mean in this context. Please tell me what to do. Thanks in advance! -- "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." -- Brian W. Kernighan CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2006