Upcoming talks
by Howard Chu
Besides the OpenLDAP Developer's Day next week, I'll be doing another
LDAP Guru Session at this year's LISA Conference in Washington D.C.
Come on by with any puzzling questions about LDAP you might have...
---------------------------------------------------------------------------
WHAT: LISA '06 - The 20th Large Installation System Administration
Conference
WHEN: December 3-8, 2006
WHERE: Washington, D.C.
WHO: System Administrators, Network Administrators, CIOs, CTOs,
Researchers, Tool Providers, Support and Help Desk
personnel, etc.
WHY: To get to and stay on the cutting edge of computer system
administration
HOW: http://www.usenix.org/lisa06/progm
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
Write to Disk?
by Golden Butler
Yesterday we lost power due to a power outage and our OpenLDAP server went down. When power was restored and the server was back up,
I noticed that a lot of entries that I had entered over a period of time (about two months) were gone! Is there a way to ensure that OpenLDAP writes changes to the database to disk instantly? Any help or suggestions would be greatly appreciated, thanks.
- Golden
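Whether slapd waits for the disk before acknowledging a write is a per-database setting, not a global one: back-ldbm has `dbnosync` and `dbsync` (slapd-ldbm(5)), back-bdb/back-hdb have `dbnosync` and `checkpoint` (slapd-bdb(5)) plus whatever Berkeley DB flags sit in the database directory's DB_CONFIG, where `set_flags DB_TXN_NOSYNC` lets a commit return before its log record is on disk. The script below is an added example, not part of this post and not OpenLDAP code: it parses a slapd.conf and the DB_CONFIG files for its databases and reports every setting that makes an acknowledged write volatile. The sample configs are constructed; the ldbm one mirrors the master config posted in the slurpd thread further down this page.

```python
"""Audit slapd.conf and DB_CONFIG for settings that let slapd acknowledge a
write before it has reached stable storage.
Added example for this thread; not OpenLDAP code."""
import re

# Berkeley DB environment flags that make a transaction commit return before
# its log record has been written and synced to disk.
NOSYNC_FLAGS = ("DB_TXN_NOSYNC", "DB_TXN_WRITE_NOSYNC")


def parse_databases(conf_text):
    """Split slapd.conf into per-database sections.
    Returns [{'type': 'ldbm'|'bdb'|..., 'directives': {key: [[args], ...]}}]."""
    dbs, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "database":
            cur = {"type": parts[1].lower(), "directives": {}}
            dbs.append(cur)
        elif cur is not None:   # global directives before the first database are ignored
            cur["directives"].setdefault(key, []).append(parts[1:])
    return dbs


def audit(conf_text, db_configs=None):
    """Return [(directory, severity, message)] for every database that trades
    durability for speed. db_configs maps a database 'directory' to the text of
    the DB_CONFIG file kept there (only consulted for back-bdb/back-hdb)."""
    db_configs = db_configs or {}
    findings = []
    for db in parse_databases(conf_text):
        d = db["directives"]
        directory = d.get("directory", [["?"]])[0][0]
        if "dbsync" in d:                # back-ldbm: dbsync implies dbnosync
            freq = d["dbsync"][0][0]
            findings.append((directory, "warn",
                             "dbsync: updates are not written on commit, dirty "
                             "buffers are flushed only every %s s" % freq))
        elif "dbnosync" in d:
            findings.append((directory, "warn",
                             "dbnosync: on-disk contents are not synchronized "
                             "with in-memory changes"))
        if db["type"] in ("bdb", "hdb"):
            flags = re.findall(r"^\s*set_flags\s+(\S+)", db_configs.get(directory, ""), re.M)
            for flag in flags:
                if flag.upper() in NOSYNC_FLAGS:
                    findings.append((directory, "warn",
                                     "DB_CONFIG set_flags %s: commit returns before "
                                     "the transaction log is synced" % flag))
            if "checkpoint" not in d:
                findings.append((directory, "info",
                                 "no checkpoint directive: committed changes sit only "
                                 "in the transaction log until a checkpoint, so "
                                 "recovery after a crash replays the whole log"))
    return findings


# Constructed sample modelled on the back-ldbm master config posted later on
# this page; unrelated directives omitted.
LDBM_CONF = """\
database ldbm
directory /var/db/openldap-ldbm
dbnosync
dbsync 2 12 5
"""

# Constructed back-bdb config that keeps every commit durable: no dbnosync,
# a checkpoint every 1024 KB of log or 5 minutes, and a DB_CONFIG without a
# NOSYNC flag. The NOSYNC variant is what the audit should flag.
BDB_CONF = """\
database bdb
directory /var/db/openldap-data
checkpoint 1024 5
"""
BDB_DB_CONFIG = "set_cachesize 0 268435456 1\nset_lg_bsize 2097152\n"
BDB_NOSYNC_DB_CONFIG = BDB_DB_CONFIG + "set_flags DB_TXN_NOSYNC\n"

if __name__ == "__main__":
    for conf, cfgs in ((LDBM_CONF, {}),
                       (BDB_CONF, {"/var/db/openldap-data": BDB_NOSYNC_DB_CONFIG})):
        for directory, severity, msg in audit(conf, cfgs):
            print("%-4s %s: %s" % (severity, directory, msg))
```

One caveat before tuning sync settings: `dbnosync`/`dbsync` can only lose what was dirty since the last flush, which is seconds to minutes of updates. If far more than that is missing after a restart, first check that slapd came back up reading the same `directory` it was writing to before, and what the last backup or slapadd put there.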
Problems with openldap replication with slurpd. "unknown error"
by Roman Yushin
Problems with openldap replication with slurpd
Hi. I am trying to set up openldap replication.
Master server is openldap 2.0.27_3, slave server is openldap 2.2.30.
Using stunnel to get access to the slave ldap:
master:localhost:636 -> stunnel -> slave:127.0.0.1:389
Master server config
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 64
database ldbm
cachesize 10000
dbcachesize 1000000
threads 128
dbnosync
dbsync 2 12 5
sizelimit 10000
suffix "o=campus,c=ru"
rootdn "cn=Manager,o=campus,c=ru"
rootpw {SSHA}password1
directory /var/db/openldap-ldbm
replogfile /var/log/slurpd.replog
replica host=127.0.0.1:636
        binddn="cn=replicator,o=campus,c=ru"
        bindmethod=simple
        credentials=bind_password
index objectClass eq
index uid pres,eq
index rid eq
index uidNumber eq
index gidNumber eq
index cn eq,subinitial
index memberUid eq
index gecos eq
index description eq
index default sub
access to attr=userPassword,lmPassword,ntPassword
        by self write
        by * auth
access to *
        by * read
-----------------------------------------------------
Slave LDAP config
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 64
database bdb
suffix "o=campus,c=ru"
rootdn "cn=Manager,o=campus,c=ru"
rootpw {SSHA}paasswoord2
directory /var/db/openldap-data
index objectClass eq
index uid pres,eq
index rid eq
index uidNumber eq
index gidNumber eq
index cn eq
index memberUid eq
index gecos eq
index description eq
index default sub
access to *
        by dn="cn=replicator,o=campus,c=ru" write
        by * read
First, I do a "slapcat" on the master server and add the LDIF file to the
slave LDAP.
Then I turn on replication by adding the lines
updatedn "cn=replicator,o=campus,c=ru"
updateref ldap://127.0.0.1:636
to the slave config file.
The master has no slurpd running. I add a new Samba user on the master and
get the replog file.
When I run the slurpd daemon on the master, I receive "unknown error" when
the new user is added on the slave.
But when I change something on existing users
(password, description, etc.) it replicates to the slave! Could you help me
find the bug with the replica when adding a user?
Here are some files:
slurpd.replog
replica: 127.0.0.1:636
time: 1160060587.0
dn: uid=test0981,ou=People,o=campus,c=ru
changetype: add
objectClass: top
objectClass: account
objectClass: posixAccount
cn: test0981
uid: test0981
uidNumber: 11686
gidNumber: 545
homeDirectory: /home/test0981
loginShell: /usr/bin/false
gecos: System User
description: System User
userPassword:: e2NyeXB0fXg=
creatorsName: cn=Manager,o=campus,c=ru
createTimestamp: 20061005150306Z
modifiersName: cn=Manager,o=campus,c=ru
modifyTimestamp: 20061005150306Z
replica: 127.0.0.1:636
time: 1160060596
dn: uid=test0981,ou=People,o=campus,c=ru
changetype: modify
replace: objectClass
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
-
replace: logonTime
logonTime: 0
-
replace: logoffTime
logoffTime: 2147483647
-
...
...
127.0.0.1:636.rej
ERROR: Unknown error
replica: 127.0.0.1:636
time: 1160057891.0
dn: uid=test6789,ou=People,o=campus,c=ru
changetype: add
objectClass: top
objectClass: account
objectClass: posixAccount
cn: test6789
uid: test6789
uidNumber: 11685
gidNumber: 545
homeDirectory: /home/test6789
loginShell: /usr/bin/false
gecos: System User
description: System User
userPassword:: e2NyeXB0fXg=
creatorsName: cn=Manager,o=campus,c=ru
createTimestamp: 20061005141804Z
modifiersName: cn=Manager,o=campus,c=ru
modifyTimestamp: 20061005141804Z
ERROR: No such object
replica: 127.0.0.1:636
time: 1160057921.0
dn: uid=test6789,ou=People,o=campus,c=ru
changetype: modify
replace: objectClass
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
-
...
...
slurpd -d 64
output:
...<skip> ...
Config: (directory /var/db/openldap-ldbm)
Config: (replogfile /var/log/slurpd.replog)
Config: (replica host=127.0.0.1:636
binddn="cn=replicator,o=campus,c=ru"
bindmethod=simple
credentials=campus_replicator
)
Config: ** successfully added replica "127.0.0.1:636"
Config: (index objectClass eq)
Config: (index uid pres,eq)
Config: (index rid eq)
Config: (index uidNumber eq)
Config: (index gidNumber eq)
Config: (index cn eq,subinitial)
Config: (index memberUid eq)
Config: (index gecos eq)
Config: (index description eq)
Config: (index default sub)
Config: (access to attr=userPassword,lmPassword,ntPassword by self
write by * auth)
Config: (access to * by * read)
Config: ** configuration file successfully read and parsed
ber_flush: 58 bytes to sd 8
request 1 done
ber_flush: 418 bytes to sd 8
request 2 done
...
...
request 6 done
Error: ldap_add_s failed adding "Unknown error":
uid=test6789,ou=People,o=campus,c=ru
Error: ldap operation failed, data written to
"/var/db/openldap-slurp/replica/127.0.0.1:636.rej"
ber_flush: 51784 bytes to sd 8
request 7 done
ber_flush: 471 bytes to sd 8
request 8 done
Error: ldap_modify_s failed modifying "No such object":
uid=test6789,ou=People,o=campus,c=ru
Error: ldap operation failed, data written to
"/var/db/openldap-slurp/replica/127.0.0.1:636.rej"
ber_flush: 418 bytes to sd 8
request 9 done
Error: ldap_modify_s failed modifying "No such object":
uid=test6789,ou=People,o=campus,c=ru
Error: ldap operation failed, data written to
"/var/db/openldap-slurp/replica/127.0.0.1:636.rej"
ber_flush: 315 bytes to sd 8
request 10 done
...
WBR, Yushin Roman
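The replog and .rej excerpts above are in a regular line format (a `replica:`/`time:`/`dn:`/`changetype:` header, then LDIF, records separated by a blank line, and in a .rej file an `ERROR:` line in front of each record). The following parser is an added example, not from the post and not OpenLDAP code; the sample input is the two .rej records quoted above, abridged and with their separating blank line restored. Its second pass groups rejections per DN, which makes the dependency between them explicit: once the add of uid=test6789 was rejected, every later modify of that DN has to fail on the slave with "No such object", so of the three errors in the trace only the first one needs diagnosing.

```python
"""Parse slurpd replog and .rej files and group the rejections per DN.
Added example for this thread; not OpenLDAP code."""
import base64

HEADER_KEYS = ("replica", "time", "dn", "changetype")


def parse_replog(text):
    """Return a list of records, one per replicated operation. Each record has
    the header fields above, 'error' (the ERROR: line of a .rej file, None in
    a plain replog) and 'body', the LDIF lines after the changetype line.
    Real files separate records with a blank line; the parser also starts a
    new record at each ERROR:/replica: line, so copies with the blank lines
    lost (as in the post above) still parse."""
    records, cur = [], None

    def new(error=None):
        records.append({"error": error, "body": []})
        return records[-1]

    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        if line.startswith("ERROR: "):
            cur = new(error=line[len("ERROR: "):])
            continue
        if cur is None or (line.startswith("replica: ") and "replica" in cur):
            cur = new()
        key, sep, value = line.partition(": ")
        if sep and key in HEADER_KEYS and key not in cur:
            cur[key] = value
        else:
            cur["body"].append(line)
    return records


def body_attrs(rec):
    """(attribute, value) pairs of the LDIF body; '::' values are base64."""
    out = []
    for line in rec["body"]:
        if line == "-":                      # modify-operation separator
            continue
        if ":: " in line:
            attr, _, b64 = line.partition(":: ")
            out.append((attr, base64.b64decode(b64).decode("utf-8", "replace")))
        else:
            attr, _, val = line.partition(": ")
            out.append((attr, val))
    return out


def rejections_by_dn(records):
    """{dn: [(time, changetype, error), ...]} for rejected records, replog order."""
    by_dn = {}
    for r in records:
        if r["error"] is not None:
            by_dn.setdefault(r["dn"], []).append((float(r["time"]), r["changetype"], r["error"]))
    return by_dn


def root_causes(by_dn):
    """Where a DN's first rejected operation is an add, later 'No such object'
    rejections for that DN are consequences of the entry never having been
    created on the slave. Returns {dn: (error of the add, follow-up count)}."""
    causes = {}
    for dn, ops in by_dn.items():
        _, first_type, first_err = ops[0]
        if first_type == "add":
            causes[dn] = (first_err, sum(1 for _, _, e in ops[1:] if e == "No such object"))
    return causes


# Constructed sample: the two records of 127.0.0.1:636.rej quoted in the post,
# abridged to a few attributes, with the blank line a real .rej file has.
SAMPLE_REJ = """\
ERROR: Unknown error
replica: 127.0.0.1:636
time: 1160057891.0
dn: uid=test6789,ou=People,o=campus,c=ru
changetype: add
objectClass: top
objectClass: account
objectClass: posixAccount
uid: test6789
uidNumber: 11685
userPassword:: e2NyeXB0fXg=

ERROR: No such object
replica: 127.0.0.1:636
time: 1160057921.0
dn: uid=test6789,ou=People,o=campus,c=ru
changetype: modify
replace: objectClass
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
-
replace: logonTime
logonTime: 0
-
"""

if __name__ == "__main__":
    for dn, (err, n) in root_causes(rejections_by_dn(parse_replog(SAMPLE_REJ))).items():
        print("%s: add rejected with %r, %d later modify(s) failed as a consequence" % (dn, err, n))
```

"Unknown error" is the text ldap_err2string() returns when the client library has no string for the result code the slave sent, so the real reason is in the slave's own slapd log (loglevel 256 records each operation's result code and message), not in slurpd's output. Once the cause is fixed, the .rej file is in replog format for a reason: slurpd can replay it in one-shot mode (`slurpd -o -r 127.0.0.1:636.rej`).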
Re: Can't use SSL session
by Dan O'Reilly
At 06:41 PM 10/5/2006, Hai Zaar wrote:
>On 10/6/06, Dan O'Reilly <dano(a)process.com> wrote:
>>Using ldapsearch on a VMS system to attempt to do a directory lookup using
>>SSL to a non-OpenLDAP directory on another system. I verified the root CA
>>certificate is correct using:
>>
>>
>>Any ideas? I've been pulling my hair out over this for a couple weeks
>>now. If I do this same search using port 389 and no SSL it works correctly.
>What does slapd log show regarding this connection?
>
>Did you try SSL on port 389 (i.e. StartTLS) - you can imply it by
>specifying "-ZZZ" and "-p 389"
$ ldapsearch "-ZZZ" -p 389 -d 255 -s base -x -w xxxxxxxx -v "-D"
"cn=Administrator,CN=Users,dc=altdomain2000,dc=psccos,dc=com"
-b "cn=Users,dc=altdomain2000,dc=psccos,dc=com" -h adtest.altdomain2000.psccos.com
"(&(objectclass=user)(sAMAccountName=oreilly))"
ldap_initialize( ldap://adtest.altdomain2000.psccos.com:389 )
ldap_create
ldap_url_parse_ext(ldap://adtest.altdomain2000.psccos.com:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adtest.altdomain2000.psccos.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.27:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba98 end=0x0043bab7 len=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba9d end=0x0043bab7 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 43B028 msgid 1
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
wait4msg ld 43B028 msgid 1 (infinite timeout)
wait4msg continue ld 43B028 msgid 1 all 1
** ld 43B028 Connections:
* host: adtest.altdomain2000.psccos.com port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Oct 5 21:34:49 2006
** ld 43B028 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 43B028 Response Queue:
Empty
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
ldap_int_select
read1msg: ld 43B028 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 84 00 00 00 16 02 01 0.......
ldap_read: want=20, got=20
0000: 01 78 84 00 00 00 0d 30 84 00 00 00 07 0a 01 02 .x.....0........
0010: 04 00 04 00 ....
ber_get_next: tag 0x30 len 22 contents:
ber_dump: buf=0x0043ec68 ptr=0x0043ec68 end=0x0043ec7e len=22
0000: 02 01 01 78 84 00 00 00 0d 30 84 00 00 00 07 0a ...x.....0......
0010: 01 02 04 00 04 00 ......
read1msg: ld 43B028 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x0043ec68 ptr=0x0043ec6b end=0x0043ec7e len=19
0000: 78 84 00 00 00 0d 30 84 00 00 00 07 0a 01 02 04 x.....0.........
0010: 00 04 00 ...
read1msg: ld 43B028 0 new referrals
read1msg: mark request completed, ld 43B028 msgid 1
request done: ld 43B028 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x0043ec68 ptr=0x0043ec6b end=0x0043ec7e len=19
0000: 78 84 00 00 00 0d 30 84 00 00 00 07 0a 01 02 04 x.....0.........
0010: 00 04 00 ...
ldap_msgfree
ldap_perror
ldap_start_tls: Decoding error (-4)
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
Re: Can't use SSL session
by Dan O'Reilly
At 09:01 AM 10/6/2006, Hai Zaar wrote:
>On 10/6/06, Dan O'Reilly <dano(a)process.com> wrote:
>>At 06:41 PM 10/5/2006, Hai Zaar wrote:
>> >On 10/6/06, Dan O'Reilly <dano(a)process.com> wrote:
>> >>Using ldapsearch on a VMS system to attempt to do a directory lookup using
>> >>SSL to a non-OpenLDAP directory on another system. I verified the root CA
>> >>certificate is correct using:
>> >>
>> >>
>> >>Any ideas? I've been pulling my hair out over this for a couple weeks
>> >>now. If I do this same search using port 389 and no SSL it works
>> correctly.
>> >What does slapd log show regarding this connection?
>
>Ok. So what is there in the slapd logs?
Well, nothing, because I'm going to an LDAP server on another system. But
I did finally get it working late last night/early this morning thanks to a
couple tips I received here. The big issue was making sure I was using the
"-H" option with a URI rather than using a combination of the "-p" and "-h"
options in ldapsearch.
But thanks for the offer to help, and a big thanks to those who recommended
the solution to me!
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
Can't use SSL session
by Dan O'Reilly
Using ldapsearch on a VMS system to attempt to do a directory lookup using
SSL to a non-OpenLDAP directory on another system. I verified the root CA
certificate is correct using:
$ openssl s_client -connect adtest:636 "-CAfile" test_root_ca.pem
My LDAP.CONF file contains:
TLS_CHECKPEER no
BIND_POLICY soft
TLS_REQCERT never
TLS_CACERT RAPTOR$DKA0:[OREILLY.KEYS]TEST_ROOT_CA.PEM
What happens is below:
$ ldapsearch "-ZZ" -p 636 -d 255 -s base -x -w xxxxxxxxx -v "-D"
"cn=Administrator,CN=Users,dc=altdomain2000,dc=psccos,dc=com"
-b "cn=Users,dc=altdomain2000,dc=psccos,dc=com" -h adtest.altdomain2000.psccos.com
"(&(objectclass=user)(sAMAccountName=oreilly))"
ldap_initialize( ldap://adtest.altdomain2000.psccos.com:636 )
ldap_create
ldap_url_parse_ext(ldap://adtest.altdomain2000.psccos.com:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adtest.altdomain2000.psccos.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.27:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba98 end=0x0043bab7 len=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba9d end=0x0043bab7 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 43B028 msgid 1
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
wait4msg ld 43B028 msgid 1 (infinite timeout)
wait4msg continue ld 43B028 msgid 1 all 1
** ld 43B028 Connections:
* host: adtest.altdomain2000.psccos.com port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Oct 5 16:32:20 2006
** ld 43B028 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 43B028 Response Queue:
Empty
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
ldap_int_select
read1msg: ld 43B028 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
Any ideas? I've been pulling my hair out over this for a couple weeks
now. If I do this same search using port 389 and no SSL it works correctly.
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
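The two `-d 255` traces in this thread (the port-636 attempt above and the port-389 attempt in the first reply) dump the raw bytes, and they say more than the final error lines do. The decoder below is an added example, not part of the posts and not libldap code; the request and response byte strings are copied from the ber_dump/ldap_read lines of the traces, and the RFC-style response at the end is constructed for contrast. What the bytes show: the request is an ExtendedRequest whose requestName is 1.3.6.1.4.1.1466.20037, StartTLS, and it is identical on both ports. It is sent in the clear, so on port 636 it is fatal: an ldaps port expects a TLS ClientHello, gets plaintext LDAP and closes the socket, which is the `ldap_read: want=8, got=0` in the trace above (the ldaps port wants `-H ldaps://host:636` and no `-Z`; `-Z` belongs with `ldap://host:389`). On port 389 the server did answer, with resultCode 2 (protocolError), every length in the four-octet long form, and the LDAPResult fields wrapped in an extra SEQUENCE between the [APPLICATION 24] tag and the ENUMERATED that RFC 4511 puts first; that wrapper is where `ber_scanf "{eAA"` stops with `Decoding error (-4)`.

```python
"""Decode the BER byte dumps from the ldapsearch -d 255 traces in this thread.
Added example; not part of the posts and not libldap code."""

# Tag octets as they appear on the wire.
INTEGER, ENUMERATED, SEQUENCE = 0x02, 0x0a, 0x30
EXTENDED_REQ, EXTENDED_RESP = 0x77, 0x78        # [APPLICATION 23] / [APPLICATION 24]
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
RESULT_CODES = {0: "success", 2: "protocolError"}  # the codes that occur on this page


def read_tlv(buf, pos=0):
    """Decode the BER element at buf[pos]. Returns (tag, value, end, long_len):
    value is a list of child tuples for constructed tags, bytes otherwise;
    long_len records whether the length used the multi-octet form.
    Single-octet tags only, which covers every element in the traces."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                               # short form: one length octet
        length, pos, long_len = first, pos + 2, False
    else:                                          # long form: 0x8N, then N octets
        n = first & 0x7f
        if n == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos, long_len = pos + 2 + n, True
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past the end of the buffer")
    if tag & 0x20:                                 # constructed: decode the children
        children, p = [], pos
        while p < end:
            child = read_tlv(buf, p)
            children.append(child)
            p = child[2]
        return tag, children, end, long_len
    return tag, bytes(buf[pos:end]), end, long_len


def decode_ldap_message(buf):
    """Return (messageID, protocolOp tag, protocolOp children, any_long_len)."""
    tag, children, end, long_len = read_tlv(bytes(buf))
    if tag != SEQUENCE or end != len(buf) or len(children) < 2:
        raise ValueError("not a single LDAPMessage")
    (itag, msgid, _, _), (optag, opchildren, _, oplong) = children[:2]
    if itag != INTEGER:
        raise ValueError("messageID missing")
    any_long = long_len or oplong or (isinstance(opchildren, list)
                                      and any(c[3] for c in opchildren))
    return int.from_bytes(msgid, "big", signed=True), optag, opchildren, any_long


def extended_request_oid(buf):
    """requestName of an ExtendedRequest: context tag [0] = 0x80, primitive."""
    _, optag, children, _ = decode_ldap_message(buf)
    if optag != EXTENDED_REQ or not children or children[0][0] != 0x80:
        raise ValueError("not an extended request")
    return children[0][1].decode("ascii")


def extended_result(buf):
    """Interpret an ExtendedResponse as (resultCode, name, wrapped).
    RFC 4511: ExtendedResponse ::= [APPLICATION 24] SEQUENCE { COMPONENTS OF
    LDAPResult, ... }, i.e. the ENUMERATED resultCode is the first element
    inside the 0x78 tag. wrapped=True means the server put an extra SEQUENCE
    around the LDAPResult fields; libldap's ber_scanf("{eAA") expects the
    ENUMERATED right after the opening tag and gives up there."""
    _, optag, children, _ = decode_ldap_message(buf)
    if optag != EXTENDED_RESP:
        raise ValueError("not an extended response")
    wrapped = False
    if children and children[0][0] == SEQUENCE:
        wrapped, children = True, children[0][1]
    if not children or children[0][0] != ENUMERATED:
        raise ValueError("resultCode not found")
    code = int.from_bytes(children[0][1], "big", signed=True)
    return code, RESULT_CODES.get(code, "code %d" % code), wrapped


# Copied from the ber_dump line of the StartTLS request (identical in both
# traces) and from the two ldap_read lines of the port-389 response.
STARTTLS_REQUEST = bytes.fromhex((
    "30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 "
    "2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37").replace(" ", ""))
PORT389_RESPONSE = bytes.fromhex((
    "30 84 00 00 00 16 02 01 01 78 84 00 00 00 0d 30 84 00 00 00 07 0a 01 02 "
    "04 00 04 00").replace(" ", ""))
# Constructed: a success result encoded the way RFC 4511 lays it out.
RFC_STYLE_RESPONSE = bytes.fromhex("300c020101780 70a0100 0400 0400".replace(" ", ""))

if __name__ == "__main__":
    print("request OID:", extended_request_oid(STARTTLS_REQUEST))
    print("port 389 response:", extended_result(PORT389_RESPONSE),
          "long-form lengths:", decode_ldap_message(PORT389_RESPONSE)[3])
    print("RFC-style response:", extended_result(RFC_STYLE_RESPONSE))
```

The long-form lengths (`84 00 00 00 16` for a 22-byte message) are legal BER and libldap reads them fine; it is the extra SEQUENCE that is not the LDAPv3 layout. If a client has to talk to a server that encodes its responses this way, the only client-side fix is a decoder that tolerates the wrapper, as `extended_result` does; with ldapsearch the practical answer is the one the thread reached, ldaps:// on 636 instead of StartTLS on 389.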
How do I fix issues of really poor performance
by Rob Tanner
Hi,
I'm replacing an old Netscape server running on a 296 MHz dual processor
Solaris 5.7 (sun4u sparc) box with OpenLDAP 2.3.27 running on a single
2.4GHz processor Intel box running Fedora Core 4. I have duplicated one
of my hierarchies -- approx 9000 entries. There is an index on an
attribute called deptaffiliationcodes (on both systems) which I'm using
as a search filter to make sure everything is working. Dumping the
results to /dev/null, a search on the Netscape server takes typically 35
milliseconds to complete. The exact same search on the OpenLDAP server
takes between 2.5 to 3.5 seconds. And that's way too slow for me to put
the OpenLDAP server into production.
I am using the bdb backend and the example DB_CONFIG file which sets the
cache size to 268435456 bytes, which is bigger than the actual size of
dn2id.bdb and id2entry.bdb combined (about 16Mb). What other factors
can affect performance?
Any help would be most appreciated.
Thanks,
Rob
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
need transactions in openldap 2.3.*
by Dmitriy Kirhlarov
Hi, list
Now we are using an LDAP tree for authenticating several services on many hosts.
We have two types of admins (admin1 and admin2 roles) and I want to
separate permissions:
- admin1 can edit cn=usergroup1, but can't edit cn=usergroup2.
- admin2 can edit both.
(I know how I can do it.)
Next.
A user can be registered in both groups, or in just one.
We are developing our own LDAP admin tool for user management.
When a user leaves, we remove his id from all groups and lock his
account. Usually, this is the job of admin1.
We need this behavior from our tool:
If we can't remove the user id from some group (insufficient access), we
do nothing. Just answer to admin1 "You can't remove the user from group2
-- ask admin2".
For this behavior we need either transactions or some easy way to
check our access rights for all entries which we want to modify.
AFAIK, transactions are not feasible for our case.
What about checking access rights on the client side without performing
the modification itself?
WBR
--
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.208 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com
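The check the post asks for can be done against the ACLs themselves, because slapd's evaluation is deterministic: the first `access to` directive whose `<what>` matches the entry and attribute decides, within it the first matching `by` clause gives the level, and a directive with no matching `by` clause, or a request no directive matches, yields none (the implicit `by * none`). OpenLDAP 2.3 ships slapacl(8) for exactly this question (`slapacl -f slapd.conf -D <bindDN> -b <entryDN> memberUid/write`), but it runs on the server host with the config file. The code below is an added example, not from the post and not OpenLDAP's ACL engine: a client-side simulation of the same first-match rule, limited to the `*`, `dn[.exact|.subtree]=`, `attrs=`, `self`, `anonymous`, `users` and `dn=` forms, which is enough to pre-check an offboarding before sending any modify. The ACL fragment and all DNs are constructed for the two-admin setup described.

```python
"""First-match simulation of slapd access control, used to pre-check a batch
of modifications before any of them is sent. Added example, an approximation
and not OpenLDAP's ACL engine; slapacl(8) against the real slapd.conf is the
authoritative check."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]  # weakest first
WHO_RE = r'by\s+(\*|self|anonymous|users|dn(?:\.\w+)?="[^"]*")\s+(\w+)'


def norm(dn):
    """Case/whitespace-insensitive comparison key for a DN."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def dn_in_scope(dn, base, scope):
    dn, base = norm(dn), norm(base)
    if scope == "exact":
        return dn == base
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported dn scope " + scope)


def parse_what(what):
    """<what> of 'access to': '*', dn[.scope]="..." and/or attrs=a,b."""
    spec = {"dn": None, "scope": "exact", "attrs": None}
    for m in re.finditer(r'dn(?:\.(\w+))?="([^"]*)"|attrs?=(\S+)', what):
        if m.group(2) is not None:
            spec["dn"], spec["scope"] = m.group(2), (m.group(1) or "exact").lower()
        else:
            spec["attrs"] = [a.lower() for a in m.group(3).split(",")]
    return spec


def parse_acls(conf_text):
    """[(what_spec, [(who, level), ...])] in file order; indented continuation
    lines are joined to the directive above them as in slapd.conf."""
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    acls = []
    for line in logical:
        m = re.match(r"access\s+to\s+(.*?)\s+(by\s+.*)$", line, re.I)
        if m:
            clauses = [(w, l.lower()) for w, l in re.findall(WHO_RE, m.group(2), re.I)]
            acls.append((parse_what(m.group(1)), clauses))
    return acls


def who_matches(who, bind_dn, target_dn):
    w = who.lower()
    if w in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": not bind_dn, "users": bool(bind_dn),
                "self": bool(bind_dn) and norm(bind_dn) == norm(target_dn)}[w]
    m = re.match(r'dn(?:\.(\w+))?="([^"]*)"', who, re.I)
    return bool(bind_dn and m) and dn_in_scope(bind_dn, m.group(2), (m.group(1) or "exact").lower())


def access(acls, bind_dn, target_dn, attr="entry"):
    """Level bind_dn gets on attr of target_dn: the first 'access to' whose <what>
    matches decides; inside it the first matching 'by' clause wins; no matching
    'by' (implicit 'by * none') or no matching 'access to' means none.
    rootdn, which bypasses ACLs entirely, is not modelled."""
    for spec, clauses in acls:
        if spec["dn"] is not None and not dn_in_scope(target_dn, spec["dn"], spec["scope"]):
            continue
        if spec["attrs"] is not None and attr.lower() not in spec["attrs"]:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def preflight(acls, bind_dn, changes):
    """changes = [(dn, attr)] the tool wants to write. Returns (ok, blocked);
    send nothing unless ok, so an offboarding is never half applied."""
    blocked = [(dn, attr) for dn, attr in changes
               if LEVELS.index(access(acls, bind_dn, dn, attr)) < LEVELS.index("write")]
    return (not blocked, blocked)


# Constructed slapd.conf ACL fragment for the two-admin setup in the post;
# every DN below is hypothetical.
PEOPLE, GROUPS = "ou=People,dc=example,dc=com", "ou=Groups,dc=example,dc=com"
ADMIN1, ADMIN2, USER = "cn=admin1," + PEOPLE, "cn=admin2," + PEOPLE, "uid=jdoe," + PEOPLE
GROUP1, GROUP2 = "cn=usergroup1," + GROUPS, "cn=usergroup2," + GROUPS
SAMPLE_CONF = """\
access to dn.exact="%s" attrs=memberUid
    by dn="%s" write
    by dn="%s" write
    by users read
access to dn.exact="%s" attrs=memberUid
    by dn="%s" write
    by users read
access to dn.subtree="%s" attrs=userPassword
    by self write
    by dn="%s" write
    by dn="%s" write
    by * auth
access to *
    by users read
""" % (GROUP1, ADMIN1, ADMIN2, GROUP2, ADMIN2, PEOPLE, ADMIN1, ADMIN2)
ACLS = parse_acls(SAMPLE_CONF)
# Offboarding jdoe: remove from both groups, then lock by replacing userPassword.
OFFBOARD = [(GROUP1, "memberUid"), (GROUP2, "memberUid"), (USER, "userPassword")]

if __name__ == "__main__":
    for admin in (ADMIN1, ADMIN2):
        ok, blocked = preflight(ACLS, admin, OFFBOARD)
        print(admin, "->", "go" if ok else "stop: no write access to %s" % blocked)
```

The simulation is only as good as the copy of the ACLs the tool has, and it ignores rootdn, global-versus-database ACL ordering and the `<control>` keywords, so treat a "go" as a pre-check, not a guarantee: the modifies can still fail, and the tool must handle a mid-batch insufficientAccessRights result anyway. What the pre-check buys is the common case the post describes, where admin1 gets the "ask admin2" answer before a single entry has been touched.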
hdb and subtree deletion
by johan.jonemo@hep.lu.se
After having seen Howard Chu's slides about back-hdb from March 21, 2003,
I have the impression that deleting a subtree can be done in O(constant)
time. I haven't however understood how.
Question: How does one delete a subtree in a hdb directory?
I have tried deleting the top node, but the server doesn't let me do that.
On a slightly related note. I think many users would like the "OpenLDAP
Software Administrator's Guide" to contain sections about the different
modules (both backends and overlays) like it does about proxy-cache. I
think it would be a great help even if they were ever so short. This is of
course not said to criticize the guide as it stands today but rather as a
suggestion for a contribution to anyone who feels they have the
prerequisite knowledge.
Johan Jönemo
How to migrate MS - Active Directory to Linux OpenLDAP
by Raghu Ni
Hi,
We are trying to migrate from Active Directory to OpenLDAP. But we are
getting problems with schema attributes. Can anyone help us with this?
Here, migrating means "NOT delegating Active Directory services to
OpenLDAP" and/or authenticating Linux systems with Microsoft Active
Directory services. We are looking for a solution through which we can
replace the existing Active Directory service with an OpenLDAP server on
Linux (we want to import the schemas in Active Directory into OpenLDAP). We
know that the schema attributes for the two services are different.
RaghuNi.