October 2006 - openldap-software

by Howard Chu

Besides the OpenLDAP Developer's Day next week, I'll be doing another LDAP Guru Session at this year's LISA Conference in Washington D.C. Come on by with any puzzling questions about LDAP you might have... ------------------------------------------------------------------------ --- WHAT: LISA '06 - The 20th Large Installation System Administration Conference WHEN: December 3-8, 2006 WHERE: Washington, D.C. WHO: System Administrators, Network Administrators, CIOs, CTOs, Researchers, Tool Providers, Support and Help Desk personnel, etc. WHY: To get to and stay on the cutting edge of computer system administration HOW: http://www.usenix.org/lisa06/progm -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

16 years, 12 months

1
0
0 / 0

Write to Disk?

by Golden Butler

Yesterday, we lost power due to an power outage and our openldap server went down. When power was restored and the server was back up, I noticed that a lot of entries that I have entered over a period of time (about two months) were gone! Is there a way to ensure that openldap write changes to the database to disk instantly? Any help or suggestions would be greatly appreciated, thanks. - Golden

16 years, 12 months

5
7
0 / 0

Problems with openldap replication with slurpd. "unknown error"

by Roman Yushin

Problems with openldap replication with slurpd Hi. Trying to make openldap replication Master server is openldap 2.0.27_3, slave server is openldap 2.2.30 Using stunnel to get acces to slave ldap master:localhost:636 -> stunnel -> slave:127.0.0.1:389 Master server config include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 64 atabase ldbm cachesize 10000 dbcachesize 1000000 threads 128 dbnosync dbsync 2 12 5 sizelimit 10000 suffix "o=campus,c=ru" rootdn "cn=Manager,o=campus,c=ru" rootpw {SSHA}password1 directory /var/db/openldap-ldbm replogfile /var/log/slurpd.replog replica host=127.0.0.1:636 binddn="cn=replicator,o=campus,c=ru" bindmethod=simple credentials=bind_password index objectClass eq index uid pres,eq index rid eq index uidNumber eq index gidNumber eq index cn eq,subinitial index memberUid eq index gecos eq index description eq index default sub access to attr=userPassword,lmPassword,ntPassword by self write by * auth access to * by * read ----------------------------------------------------- Slave LDAP config include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 64 database bdb suffix "o=campus,c=ru" rootdn "cn=Manager,o=campus,c=ru" rootpw {SSHA}paasswoord2 directory /var/db/openldap-data index objectClass eq index uid pres,eq index rid eq index uidNumber eq index gidNumber eq index cn eq index memberUid eq index gecos eq index description eq index default sub access to * by dn="cn=replicator,o=campus,c=ru" write by * read First, i am doing "slapcat" at master server and adding LDIFF file to SLAVE ldap. Then i turning on replication by adding lines updatedn "cn=replicator,o=campus,c=ru" updateref ldap://127.0.0.1:636 to the slave config file. Master has no runnig slurpd. I am adding new samba user at master and receiving replog file. Running daemon slurpd at master i receiving "unknown error" then adding new user at slave. But when i changes something at existent users (password,description,etc) - it replies to slave! Coult you help me to find bug with replica then adding user? Here is some files: slurpd.replog replica: 127.0.0.1:636 time: 1160060587.0 dn: uid=test0981,ou=People,o=campus,c=ru changetype: add objectClass: top objectClass: account objectClass: posixAccount cn: test0981 uid: test0981 uidNumber: 11686 gidNumber: 545 homeDirectory: /home/test0981 loginShell: /usr/bin/false gecos: System User description: System User userPassword:: e2NyeXB0fXg= creatorsName: cn=Manager,o=campus,c=ru createTimestamp: 20061005150306Z modifiersName: cn=Manager,o=campus,c=ru modifyTimestamp: 20061005150306Z replica: 127.0.0.1:636 time: 1160060596 dn: uid=test0981,ou=People,o=campus,c=ru changetype: modify replace: objectClass objectClass: top objectClass: account objectClass: posixAccount objectClass: sambaAccount - replace: logonTime logonTime: 0 - replace: logoffTime logoffTime: 2147483647 - ... ... 127.0.0.1:636.rej ERROR: Unknown error replica: 127.0.0.1:636 time: 1160057891.0 dn: uid=test6789,ou=People,o=campus,c=ru changetype: add objectClass: top objectClass: account objectClass: posixAccount cn: test6789 uid: test6789 uidNumber: 11685 gidNumber: 545 homeDirectory: /home/test6789 loginShell: /usr/bin/false gecos: System User description: System User userPassword:: e2NyeXB0fXg= creatorsName: cn=Manager,o=campus,c=ru createTimestamp: 20061005141804Z modifiersName: cn=Manager,o=campus,c=ru modifyTimestamp: 20061005141804Z ERROR: No such object replica: 127.0.0.1:636 time: 1160057921.0 dn: uid=test6789,ou=People,o=campus,c=ru changetype: modify replace: objectClass objectClass: top objectClass: account objectClass: posixAccount objectClass: sambaAccount - ... ... slurpd -d 64 output: ...<skip> ... Config: (directory /var/db/openldap-ldbm) Config: (replogfile /var/log/slurpd.replog) Config: (replica host=127.0.0.1:636 binddn="cn=replicator,o=campus,c=ru" bindmethod=simple credentials=campus_replicator ) Config: ** successfully added replica "127.0.0.1:636" Config: (index objectClass eq) Config: (index uid pres,eq) Config: (index rid eq) Config: (index uidNumber eq) Config: (index gidNumber eq) Config: (index cn eq,subinitial) Config: (index memberUid eq) Config: (index gecos eq) Config: (index description eq) Config: (index default sub) Config: (access to attr=userPassword,lmPassword,ntPassword by self write by * auth) Config: (access to * by * read) Config: ** configuration file successfully read and parsed ber_flush: 58 bytes to sd 8 request 1 done ber_flush: 418 bytes to sd 8 request 2 done ... ... request 6 done Error: ldap_add_s failed adding "Unknown error": uid=test6789,ou=People,o=campus,c=ru Error: ldap operation failed, data written to "/var/db/openldap-slurp/replica/127.0.0.1:636.rej" ber_flush: 51784 bytes to sd 8 request 7 done ber_flush: 471 bytes to sd 8 request 8 done Error: ldap_modify_s failed modifying "No such object": uid=test6789,ou=People,o=campus,c=ru Error: ldap operation failed, data written to "/var/db/openldap-slurp/replica/127.0.0.1:636.rej" ber_flush: 418 bytes to sd 8 request 9 done Error: ldap_modify_s failed modifying "No such object": uid=test6789,ou=People,o=campus,c=ru Error: ldap operation failed, data written to "/var/db/openldap-slurp/replica/127.0.0.1:636.rej" ber_flush: 315 bytes to sd 8 request 10 done ... WBR, Yushin Roman

16 years, 12 months

3
5
0 / 0

Re: Can't use SSL session

by Dan O'Reilly

At 06:41 PM 10/5/2006, Hai Zaar wrote: >On 10/6/06, Dan O'Reilly <dano(a)process.com> wrote: >>Using ldapsearch on a VMS system to attempt to do a directory lookup using >>SSL to a non-OpenLDAP directory on another system. I verified the root CA >>certificate is correct using: >> >> >>Any ideas? I've been pulling my hair out over this for a couple weeks >>now. If I do this same search using port 389 and no SSL it works correctly. >What does slapd log show regarding this connection? > >Did you try SSL on port 389 (i.e. StartTSL) - you can imply it by >specifying "-ZZZ" and "-p 389" $ ldapsearch "-ZZZ" -p 389 -d 255 -s base -x -w xxxxxxxx -v "-D" "cn=Administrator,CN=Users,dc=altdomain2000,dc=psccos,dc=com" -b"cn=Users,dc=altdomain2000,d c=psccos,dc=com" -h adtest.altdomain2000.psccos.com "(&(objectclass=user)(sAMAccountName=oreilly))" ldap_initialize( ldap://adtest.altdomain2000.psccos.com:389 ) ldap_create ldap_url_parse_ext(ldap://adtest.altdomain2000.psccos.com:389) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP adtest.altdomain2000.psccos.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.0.27:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x0043ba98 ptr=0x0043ba98 end=0x0043bab7 len=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ber_scanf fmt ({) ber: ber_dump: buf=0x0043ba98 ptr=0x0043ba9d end=0x0043bab7 len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 ber_flush: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_result ld 43B028 msgid 1 ldap_chkResponseList ld 43B028 msgid 1 all 1 ldap_chkResponseList returns ld 43B028 NULL wait4msg ld 43B028 msgid 1 (infinite timeout) wait4msg continue ld 43B028 msgid 1 all 1 ** ld 43B028 Connections: * host: adtest.altdomain2000.psccos.com port: 389 (default) refcnt: 2 status: Connected last used: Thu Oct 5 21:34:49 2006 ** ld 43B028 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 43B028 Response Queue: Empty ldap_chkResponseList ld 43B028 msgid 1 all 1 ldap_chkResponseList returns ld 43B028 NULL ldap_int_select read1msg: ld 43B028 msgid 1 all 1 ber_get_next ldap_read: want=8, got=8 0000: 30 84 00 00 00 16 02 01 0....... ldap_read: want=20, got=20 0000: 01 78 84 00 00 00 0d 30 84 00 00 00 07 0a 01 02 .x.....0........ 0010: 04 00 04 00 .... ber_get_next: tag 0x30 len 22 contents: ber_dump: buf=0x0043ec68 ptr=0x0043ec68 end=0x0043ec7e len=22 0000: 02 01 01 78 84 00 00 00 0d 30 84 00 00 00 07 0a ...x.....0...... 0010: 01 02 04 00 04 00 ...... read1msg: ld 43B028 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x0043ec68 ptr=0x0043ec6b end=0x0043ec7e len=19 0000: 78 84 00 00 00 0d 30 84 00 00 00 07 0a 01 02 04 x.....0......... 0010: 00 04 00 ... read1msg: ld 43B028 0 new referrals read1msg: mark request completed, ld 43B028 msgid 1 request done: ld 43B028 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x0043ec68 ptr=0x0043ec6b end=0x0043ec7e len=19 0000: 78 84 00 00 00 0d 30 84 00 00 00 07 0a 01 02 04 x.....0......... 0010: 00 04 00 ... ldap_msgfree ldap_perror ldap_start_tls: Decoding error (-4) ------ +-------------------------------+----------------------------------------+ | Dan O'Reilly | "There are 10 types of people in this | | Principal Engineer | world: those who understand binary | | Process Software | and those who don't." | | http://www.process.com | | +-------------------------------+----------------------------------------+

16 years, 12 months

3
2
0 / 0

Re: Can't use SSL session

by Dan O'Reilly

At 09:01 AM 10/6/2006, Hai Zaar wrote: >On 10/6/06, Dan O'Reilly <dano(a)process.com> wrote: >>At 06:41 PM 10/5/2006, Hai Zaar wrote: >> >On 10/6/06, Dan O'Reilly <dano(a)process.com> wrote: >> >>Using ldapsearch on a VMS system to attempt to do a directory lookup using >> >>SSL to a non-OpenLDAP directory on another system. I verified the root CA >> >>certificate is correct using: >> >> >> >> >> >>Any ideas? I've been pulling my hair out over this for a couple weeks >> >>now. If I do this same search using port 389 and no SSL it works >> correctly. >> >What does slapd log show regarding this connection? > >Ok. So what is there in the slapd logs? Well, nothing, because I'm going to an LDAP server on another system. But I did finally get it working late last night/early this morning thanks to a couple tips I received here. The big issue was making sure I was using the "-H" option with a URI rather than using a combination of the "-p" and "-h" options in ldapsearch. But thanks for the offer to help, and a big thanks to those who recommended the solution to me! ------ +-------------------------------+----------------------------------------+ | Dan O'Reilly | "There are 10 types of people in this | | Principal Engineer | world: those who understand binary | | Process Software | and those who don't." | | http://www.process.com | | +-------------------------------+----------------------------------------+

16 years, 12 months

1
0
0 / 0

Can't use SSL session

by Dan O'Reilly

Using ldapsearch on a VMS system to attempt to do a directory lookup using SSL to a non-OpenLDAP directory on another system. I verified the root CA certificate is correct using: $ openssl s_client -connect adtest:636 "-CAfile" test_root_ca.pem My LDAP.CONF file contains: TLS_CHECKPEER no BIND_POLICY soft TLS_REQCERT never TLS_CACERT RAPTOR$DKA0:[OREILLY.KEYS]TEST_ROOT_CA.PEM What happens is below: $ ldapsearch "-ZZ" -p 636 -d 255 -s base -x -w xxxxxxxxx -v "-D" "cn=Administrator,CN=Users,dc=altdomain2000,dc=psccos,dc=com" -b"cn=Users,dc=altdomain2000,dc =psccos,dc=com" -h adtest.altdomain2000.psccos.com "(&(objectclass=user)(sAMAccountName=oreilly))" ldap_initialize( ldap://adtest.altdomain2000.psccos.com:636 ) ldap_create ldap_url_parse_ext(ldap://adtest.altdomain2000.psccos.com:636) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP adtest.altdomain2000.psccos.com:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.0.27:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x0043ba98 ptr=0x0043ba98 end=0x0043bab7 len=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ber_scanf fmt ({) ber: ber_dump: buf=0x0043ba98 ptr=0x0043ba9d end=0x0043bab7 len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 ber_flush: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_result ld 43B028 msgid 1 ldap_chkResponseList ld 43B028 msgid 1 all 1 ldap_chkResponseList returns ld 43B028 NULL wait4msg ld 43B028 msgid 1 (infinite timeout) wait4msg continue ld 43B028 msgid 1 all 1 ** ld 43B028 Connections: * host: adtest.altdomain2000.psccos.com port: 636 (default) refcnt: 2 status: Connected last used: Thu Oct 5 16:32:20 2006 ** ld 43B028 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 43B028 Response Queue: Empty ldap_chkResponseList ld 43B028 msgid 1 all 1 ldap_chkResponseList returns ld 43B028 NULL ldap_int_select read1msg: ld 43B028 msgid 1 all 1 ber_get_next ldap_read: want=8, got=0 ber_get_next failed. ldap_perror ldap_start_tls: Can't contact LDAP server (-1) Any ideas? I've been pulling my hair out over this for a couple weeks now. If I do this same search using port 389 and no SSL it works correctly. ------ +-------------------------------+----------------------------------------+ | Dan O'Reilly | "There are 10 types of people in this | | Principal Engineer | world: those who understand binary | | Process Software | and those who don't." | | http://www.process.com | | +-------------------------------+----------------------------------------+

16 years, 12 months

3
2
0 / 0

How do I fix issues of really poor performance

by Rob Tanner

Hi, I'm replacing an old Netscape server running on a 296 MHz dual processor Solaris 5.7 (sun4u sparc) box with OpenLDAP 2.3.27 running on a single 2.4GHz processor Intel box running Fedora Core 4. I have duplicated one of my hierarchies -- approx 9000 entries. There is an index on an attribute called deptaffiliationcodes (on both systems) which I'm using as a search filter to make sure everything is working. Dumping the results to /dev/null, a search on the Netscape server takes typically 35 milliseconds to complete. The exact same search on the OpenLDAP server takes between 2.5 to 3.5 seconds. And that's way too slow for me to put the OpenLDAP server into production. I am using the bdb backend and the example DB_CONFIG file which sets the cache size to 268435456 bytes, which is bigger than the actual size of dn2id.bdb and id2entry.bdb combined (about 16Mb). What other factors can affect performance? Any help would be most appreciated. Thanks, Rob -- Rob Tanner UNIX Services Manager Linfield College, McMinnville OR

16 years, 12 months

4
4
0 / 0

need transactions in openldap 2.3.*

by Dmitriy Kirhlarov

Hi, list Now we are using ldap-tree for auth several services on many hosts. We have two types of admins (admin1 and admin2 roles) and I want separate permissions: - admin1 can edit cn=usergroup1, but can't edit cn=usergroup2. - admin2 can edit both. (I know how I can do it). Next. User can be registered in both groups, or just in one. We are developing our own ldap admin-tool for usermanagement. When user gone, we removing his id from all groups and lock his account. Usualy, this is work for admin1. We need this behavior of our tool: If we can't remove user id from some group (inusufficient access), we do nothing. Just answer to admin1 "You can't remove user from group2 -- ask admin2". For this behavior we need either transactions or some easy way to check our access rights for all entries which we want to modify. Afaik, transactions are not feasible for our case. What about checking access rights on client side without performing modification itself? WBR -- Dmitriy Kirhlarov OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia P:+7 495 105 7247 ext.208 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com OILspace - The resource enriched - www.oilspace.com

16 years, 12 months

4
3
0 / 0

hdb and subtree deletion

by johan.jonemo＠hep.lu.se

After having seen Howard Chu's slides about back-hdb from March 21, 2003, I have the impression that deleting a subtree can be done in O(constant) time. I haven't however understood how. Question: How does one delete a subtree in a hdb directory? I have tried deleting the top node, but the server doesn't let me do that. On a slightly related note. I think many users would like the "OpenLDAP Software Administrator's Guide" to contain sections about the different modules (both backends and overlays) like it does about proxy-cache. I think it would be a great help even if they were ever so short. This is of course not said to critisize the guide as it stands today but rather as a suggestion for a contribution to anyone who feel they have the prerequisite knowledge. Johan Jönemo

16 years, 12 months

3
2
0 / 0

How to migrate MS - Active Directory to Linux OpenLDAP

by Raghu Ni

Hi, We are trying into migrate from Active Directory to Open LDAP. But, we getting problems with Schema Attributes. Can any one help us in this ? Here, migrating means "NOT delegating Active Directory Services to Open LDAP" or/and authenticating Linux system with micro soft Active Directory services. We are looking for a solution, throgh which we can replace the existing Active Directory Service with Open LDAP server in linux ( We want import schems in Active Direcotory into Open LDAP). We know that, schema attributes for both the services are different. RaghuNi.

16 years, 12 months

5
5
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2006