openldap-software October 2006

openldap-software@openldap.org

91 participants
100 discussions

Fwd: Problem in configuring SSL with openldap
by FRLinux 12 Oct '06

12 Oct '06

On 10/12/06, Monica_Rana <Monica_Rana(a)infosys.com> wrote: > > > Hi All, > > I have the following installed on solaris 8. > openLDAP 2.3.27 > openSSL 0.9.8b. > > when i try to configure using the command > env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -I/usr/local/include/db4" > LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4" > ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb > it throws the error > checking for openssl/ssl.h... yes > checking for SSL_library_init in -lssl... no > checking for ssl3_accept in -lssl... no > checking OpenSSL library version (CRL checking capability)... yes > configure: error: Could not locate TLS/SSL package. Please consider writing plain text emails, html is bad for you. Back in the days, here's what we had : setenv LDFLAGS "-L/usr/local/lib -R/usr/local/lib" setenv CPPFLAGS "-I/opt/local/include -I/usr/local/ssl/include" setenv CC "gcc" Our libssl was back then installed in /usr/local. This worked well for us. Steph

1 0

Problem in configuring SSL with openldap
by Monica_Rana 12 Oct '06

12 Oct '06

Hi All, I have the following installed on solaris 8. openLDAP 2.3.27 openSSL 0.9.8b. when i try to configure using the command env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -I/usr/local/include/db4" LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4" ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb it throws the error checking for openssl/ssl.h... yes checking for SSL_library_init in -lssl... no checking for ssl3_accept in -lssl... no checking OpenSSL library version (CRL checking capability)... yes configure: error: Could not locate TLS/SSL package. Please let me know what could be the possible reson behind. PFA the config.log file. Regards, Monica Rana **************** CAUTION - Disclaimer ***************** This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system. ***INFOSYS******** End of Disclaimer ********INFOSYS***

2 1

Trying to limit acces to an attribute
by Andres Tarallo 11 Oct '06

11 Oct '06

I'm setting an OpenLDAP server, for small company For historical reason each users in ths company has two email address user@domain and user@olddomain. Both address are used for sending and receiving email Howver we want to make sure that only the user@domain ones are show in the address book of squirellmail So I thaught of an ACL like this access to attrs=mail matchingRule.regex="\@domain" by peername "ip.of.web.mail" none by * read But this seems to have no effect. I need some example or tips for debugging this problem. Thanks Andres -- A/P Andres Tarallo Universidad ORT Uruguay

2 1

Caching empty results
by Daniel Montero Motilla 11 Oct '06

11 Oct '06

Hi, I'm using 'meta' backend on openldap 2.2.26 with proxycache activated, but it is not working as I expected, let's suppose I have the following configuration: proxyattrset 0 mail postaladdress telephonenumber proxytemplate (uid=) 0 3600 If I do a search "(uid=foo)" and 'foo' user exist on the external configured ldap server, the search is cached and the next time I try that search the result is obtained from cache, but if I do a search "(uid=bar)" and there is no entry with that uid, this "negative" result is not cached, and every time I try that search, slapd translates the search to the external ldap server. Is it somehow possible to configure slapd proxycache to cache searches with no results so slapd returns the client the answer instead asking external ldap server everytime? Thanks in advance, Dani.

3 4

replacement for ldap_url_search
by Kenneth Rogers 11 Oct '06

11 Oct '06

Hi, It appears that ldap_url_search() hasn't existed since 2.0, is there a replacement for it? Or is it necessary to use ldap_url_parse and then get all the information from the LDAPURLDesc for use in the traditional initialize, bind and search calls? KR -- "Linux doesn't exist." -- Kieren O'Shaghnessy (Director of SCO Australia)

1 0

slapd replication doesn't work
by chechu chechu 10 Oct '06

10 Oct '06

hi¡¡ I have working openldap, and I want to add replication, I follow hpwtos from many maillist but it doesn't works, my slapd.conf files are: MASTER: # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/samba.schema #include /etc/ldap/schema/autofs.schema #include /etc/ldap/schema/krb5-kdc.schema #include /etc/ldap/schema/unixtng.schema #include /etc/ldap/schema/krb5-kdc.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_ldbm sasl-realm IRONMAN.ES sasl-host shogun.ironman.es #################TLS/SSL#################### # Certificado firmado de una entidad certificadora y # el certificado del servidor TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateKeyFile /etc/ldap/ssl/server.pem # Si desea que el cliente necesite autentificaci�, # descomente la siguiente l�ea #TLSVerifyClient demand # ... si no, descomente esta otra TLSVerifyClient never ####################################################################### # Specific Backend Directives for ldbm: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend ldbm ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type ldbm: # Database specific directives apply to this databasse until another # 'database' directive occurs database ldbm # The base of your directory in database #1 suffix "dc=ironman,dc=es" rootdn "cn=admin,dc=ironman,dc=es" rootpw secret #########REPLICA############# replica host=shinobi.ironman.es:636 tls=yes bindmethod=sasl binddn="cn=replicauser,dc=ironman,dc=es" saslmech=gssapi replogfile /var/lib/ldap/openldap-master-replog ############################## # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Indexing options for database #1 # Requerido por OpenLDAP index objectclass eq index default sub index cn pres,sub,eq index sn pres,sub,eq # Requerido para soportar pdb_getsampwnam index uid pres,sub,eq # Requerido para soportar pdb_getsambapwrid() index displayName pres,sub,eq # Descomente las siguientes l�eas si est�almacenando entradas # posixAccount y posixGroup en el directorio index uidNumber eq index gidNumber eq index memberUid eq # Samba 3.* index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq # Include the access lists include /etc/ldap/slapd.access # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only #access to attrs=userPassword # by dn="cn=admin,dc=ironman,dc=es" write # by anonymous auth # by self write # by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. #access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. #access to * # by dn="cn=admin,dc=ironman,dc=es" write # by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=ironman,dc=es" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be ldbm too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" SLAVE # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/samba.schema #include /etc/ldap/schema/autofs.schema #include /etc/ldap/schema/krb5-kdc.schema #include /etc/ldap/schema/unixtng.schema #include /etc/ldap/schema/krb5-kdc.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_ldbm sasl-realm IRONMAN.ES sasl-host shogun.ironman.es #################TLS/SSL#################### # Certificado firmado de una entidad certificadora y # el certificado del servidor TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateKeyFile /etc/ldap/ssl/server.pem # Si desea que el cliente necesite autentificaci�, # descomente la siguiente l�ea #TLSVerifyClient demand # ... si no, descomente esta otra TLSVerifyClient never ####################################################################### # Specific Backend Directives for ldbm: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend ldbm ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type ldbm: # Database specific directives apply to this databasse until another # 'database' directive occurs database ldbm # The base of your directory in database #1 suffix "dc=ironman,dc=es" rootdn "cn=admin,dc=ironman,dc=es" rootpw secret #########ESCLAVO############# updatedn cn=replicauser,dc=ironman,dc=es updateref ldaps://shogun.ironman.es ############################## # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Indexing options for database #1 # Requerido por OpenLDAP index objectclass eq index default sub index cn pres,sub,eq index sn pres,sub,eq # Requerido para soportar pdb_getsampwnam index uid pres,sub,eq # Requerido para soportar pdb_getsambapwrid() index displayName pres,sub,eq # Descomente las siguientes l�eas si est�almacenando entradas # posixAccount y posixGroup en el directorio #index uidNumber eq #index gidNumber eq #index memberUid eq # Samba 3.* index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq # Include the access lists #include /etc/ldap/slapd.access access to * by dn=cn=replicauser,dc=ironman,dc=es write by * read # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only #access to attrs=userPassword # by dn="cn=admin,dc=ironman,dc=es" write # by anonymous auth # by self write # by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. #access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. #access to * # by dn="cn=admin,dc=ironman,dc=es" write # by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=ironman,dc=es" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be ldbm too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" I add user replicauser to ldap, and I add the key to kerberos database by: kadmin.local -q "addprinc -randkey replicauser(a)IRONMAN.ES" kadmin.local -q "ktadd -k /etc/krb5.keytab.slurpd replicauser" kinit -r 7d -k -t /etc/krb5.keytab.slurpd replicauser(a)IRONMAN.ES thanks

3 2

trouble getting entry from ldap server using ldap_search_ext_s
by Erich Titl 09 Oct '06

09 Oct '06

Hi everybody I am trying to fix an authentication plugin for openvpn using the openldap library. I am new to the library, so I may lack some understanding. Here is the situation The openldap version is 2.3.27 If I try to find a user with a base dn of "ou=mnd999,dc=asp,dc=ruf,dc=ch" which is the correct base dn for this user, the operation works correctly. If I just use "dc=asp,dc=ruf,dc=ch" the operation times out. I am using subtree search and I can see on a packet dump on the line that there is a reply from the ldap server. The difference between the replies is that in the case of the correct DN just a search entry and a search result message is returned, whereas in the case of the incomplete DN a search entry, a number of search result references end a search result are returned. In both cases, the search result yields success. The code calls if ((err = ldap_search_ext_s(ldapConn, [base cString], LDAP_SCOPE_SUBTREE, [filter cString], attrArray, 0, NULL, NULL, &timeout, 5000, &res)) != LDAP_SUCCESS) { [TRLog error: "LDAP search failed: %d: %s", err, ldap_err2string(err)]; goto finish; } This call times out and returns -5. I can provide tcpdump files if needed. Thanks Erich

3 6

Re: DB buggy after Reboot
by Matthias Spork 08 Oct '06

08 Oct '06

Hallo Howard, thanks for your help. After a couple of days, it will be like before. Pleae look at my directory-listing for my database, why there are no changes the last days? Sep 24 18:53 DB_CONFIG Oct 1 21:09 __db.001 Oct 1 21:09 __db.002 Oct 1 21:09 __db.003 Oct 1 21:09 __db.004 Oct 1 21:09 __db.005 Oct 4 20:02 alock Oct 1 20:58 dn2id.bdb Oct 1 20:58 gidNumber.bdb Oct 1 21:09 id2entry.bdb Oct 1 20:58 memberUid.bdb Oct 1 20:58 objectClass.bdb Sep 28 09:38 sambaDomainName.bdb Oct 1 20:58 sambaPrimaryGroupSID.bdb Oct 1 20:58 sambaSID.bdb Sep 28 09:38 sn.bdb Sep 24 18:54 transactionlog Oct 1 20:58 uid.bdb Matthias Howard Chu schrieb: > Matthias Spork wrote: >> Howard Chu schrieb: > >>> It looks like some transactions got rolled back, probably because >>> there wasn't a recent enough checkpoint and the logs for the latest >>> transactions didn't get flushed to disk. Setting a more frequent >>> checkpoint interval would probably help. >>> >> How could I set this checkpoints? > > You could read the slapd-bdb(5) manpage. >

2 4

A Few Newbie Questions...
by Ted Johnson 07 Oct '06

07 Oct '06

Hi; I've just read the documentation twice and still have a few questions that should be relatively easy to answer: The following should be put in DB_CONFIG, but where is that file?? olcDbConfig: set_cachesize 0 10485760 0 olcDbConfig: set_lg_bsize 2097512 olcDbConfig: set_lg_dir /var/tmp/bdb-log olcDbConfig: set_flags DB_LOG_AUTOREMOVE What do these attibutes mean, how are they applicable and why would I want to index them? I understand SQL notation. Could someone give me a similar example? pres (present),eq (equality),approx (approximate),sub (substring) This line causes an equality index for the objectClass attribute type, but what does that mean? Can you give me an example? index objectClass eq Why does one define this: dn: cn="example" and later in the same entry define this: cn=example Can one preface non-Standard Track names with numbers or number/letter combinations? TIA, Ted2 --------------------------------- Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less.

4 3

RE: Write to Disk?
by Golden Butler 06 Oct '06

06 Oct '06

I'm running openldap version 2.2.24 which is the version that ships with SLES9 SP3. How do I determine which backend is being used? - Golden -----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@stanford.edu] Sent: Friday, October 06, 2006 2:12 PM To: Golden Butler;openldap-software(a)openldap.org Subject: Re: Write to Disk? --On Friday, October 06, 2006 11:46 AM -0500 Golden Butler <golden(a)cnt.org> wrote: > > > Yesterday, we lost power due to an power outage and our openldap server > went down. When power was restored and the server was back up, > > I noticed that a lot of entries that I have entered over a period of time > (about two months) were gone! Is there a way to ensure that openldap > write changes to the database to disk instantly? Any help or suggestions > would be greatly appreciated, thanks. Hi, You don't say what backend you are using, but I'll assume bdb or hdb, since you don't want to use ldbm. See the "checkpoint" directive in the slapd-bdb(5) man page. This issue has been discussed many many times on the software list. Of course, I recommend you be using OpenLDAP 2.3 as well, since IIRC, the checkpoint directive didn't function entirely as intended in OpenLDAP 2.2. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

3 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2006