Re: Problem with replica.
by Pierangelo Masarati
Please keep replies on the mailing list.
Paul Shevtsov wrote:
> On Tue, Nov 14, 2006 at 06:12:18PM +0100, Pierangelo Masarati wrote:
>
>> Apparently, your client tries to chase referrals anonymously, and this
>> fails as expected. I don't see any software malfunction here (on the
>> OpenLDAP side, at least); there might be a missing or misimplemented
>> feature in the client, though.
>>
>
> OK. I tried on the slave side.
> Client message
> -------------------------------------------------------------------------
> #ldapadd -W -x -D "cn=root,dc=dgb,dc=local" -f bbb1.ldif
> #Enter password:
> adding new entry "uid=bbb1,ou=users,dc=dgb,dc=local"
> ldap_add: Referral (10)
> refferals:
> ldap://ldap.dgb.local/uid=bbb1,ou=users,dc=dgb,dc=local
> -------------------------------------------------------------------------
> Server message (loglevel stats sync)
> -------------------------------------------------------------------------
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 ACCEPT from IP=127.0.0.1:61526 (IP=0.0.0.0:389)
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND dn="cn=root,dc=dgb,dc=local" method=128
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 RESULT tag=97 err=0 text=
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 ADD dn="uid=bbb1,ou=users,dc=dgb,dc=local"
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 RESULT tag=105 err=10 text=
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=2 UNBIND
> Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 closed
> ---------------------------------------------------------------------------
> And on the master side I looked at tcpdump and did not receive any
> packets.
> This is native ldapadd. :(
>
This question has been asked (and answered!) so many times... OpenLDAP
tools solve the problem of authenticated referral chasing by delegating
it to the user. They simply return a referral and don't even try to
chase it anonymously (as it's supposed to be useless for writes) nor by
propagating credentials to the referred DSA (it would be a very poor
decision, as the client has no means to determine whether the referred
DSA is trusted or not; or, whenever distributed authentication is
implemented, it is very likely that the referred DSA has no means to
authenticate an otherwise valid user for the initially contacted DSA).
>
> When I try to use smbldap-useradd I get:
> ------------------------client message-------------------------------------
> smbldap-useradd bbb2
> Error: Referral received at /usr/local/lib/perl5/site_perl/5.8.8/smbldap_tools.pm line 1056
> ----------------------------------------------------------------------------
>
> --------------------------server message------------------------------------
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 ACCEPT from IP=127.0.0.1:50523 (IP=0.0.0.0:389)
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 BIND dn="cn=root,dc=dgb,dc=local" method=128
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 BIND dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 RESULT tag=97 err=0 text=
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SRCH base="dc=dgb,dc=local" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=bbb2))"
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=2 SRCH base="sambaDomainName=dgb,dc=dgb,dc=local" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD dn="sambaDomainName=dgb,dc=dgb,dc=local"
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD attr=uidNumber
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 RESULT tag=103 err=10 text=
> Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 closed (connection lost)
> ------------------------------------------------------------------------------
>
> And again no packets on the master side.
>
> I have to solve the problem of synchronizing Samba passwords
> from the slave to the master LDAP,
> and cannot find the solution. :(
>
> Help me please.... :)
> Where am I mistaken?
>
>
I think OpenLDAP has little to do with smbldap-useradd; however, it
looks like that tool is working as expected, since it behaves the
same as ldapadd...
p.
several replication questions (2nd try)
by Sepp
Hello,
here is our three-level concept for replication,
1 provider, 2 subproviders, 10 consumers:
* the provider should replicate most of his subtrees to both subproviders
* a few subtrees should be replicated from the 2 subproviders to the provider
* subprovider no1 should replicate his whole tree to 5 consumers
* subprovider no2 should replicate his whole tree to the other 5 consumers
* a few user entries (e.g. the replication manager) should be replicated from
subprovider no.1 to subprovider no.2, and from 1 consumer to the other 9 consumers
Here are the questions concerning this config:
1.) Is the best (and perhaps only?) way for an implementation
to divide the DITs into subordinate databases with the according syncrepl
statements (similar to openldap-2.3.28/tests/data/slapd-glue-syncrepl*.conf;
we have a successful test config for that)?
2.) Do we need the glue overlay in this context (I don't think so)?
3.) Is it necessary that one subordinate has all indexes from all other
subordinates (I do think so, to prevent "index_param failed" error messages
when searching from the top level)?
4.) Sorry if that's a FAQ: Is it a must that the updatedn is not the
same as the rootdn, or is it only a recommendation? Is this for security
reasons, or why?
5.) With slurpd it is possible to replicate more than one subtree
from one database with several "suffix" statements. How can I do
that with syncrepl? I didn't find a way to define more than
one "searchbase" per "syncrepl rid" or to define more than one
"syncrepl rid" per "database".
I thank you for your help in advance!
Regards
Sepp
Problem with replica. (SLURP).
by Paul Shevtsov
I have 3 LDAP servers: one master and two slaves.
Replication from the master to one slave passes successfully,
but to the other slave it does not.
The slapd config on both slaves is the same, but the OpenLDAP
version differs (2.3.19 and 2.3.27).
The master OpenLDAP version is 2.3.11.
Is the problem with the version?
P.S. During replication I get the following error message:
"ERROR: Constraint violation: entryCNS: no user modification allowed"
--
Paul Shevtsov <> 380-62-3327312
<Dongorbank> <> paul(a)dongorbank.com
Re: syncrepl & OpenLDAP 2.3.27 & Backend Issue
by Howard Chu
Doug Goldstein wrote:
> Howard Chu wrote:
>> The examples in the Admin Guide are just that - examples. The doc states
>> that it will work with any backend type, and uses a different backend
>> type merely to illustrate that the backend type on the consumer does not
>> need to agree with the type on the producer.
>
> The Admin Guide says that only hdb and bdb will work due to the indexing
> and other data needs.
It says no such thing:
15.3.2. Set up the consumer slapd
The syncrepl replication is specified in the database section of
slapd.conf (5) for the replica context. The syncrepl engine is backend
independent and the directive can be defined with any database type.
> The example it gives is a master with "bdb" and
> the consumers with "hdb" and my issue is that the example provided does
> not work as such.
The example works perfectly well for me. There is no way that just
changing the database type would affect it. You must have changed
something else as well.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
cross compiling client tools
by Robert Carter
Hi list,
I wish to use the openldap client tools in an embedded environment where
I cross compile openldap package against uclibc. These are tools such as
ldapsearch, ldapdelete.
Because I don't need any of the server software i'm using a configure
line like this:
./configure \
--target=$(GNU_TARGET_NAME) \
--host=$(GNU_TARGET_NAME) \
--build=$(GNU_HOST_NAME) \
--prefix=/ \
--with-tls \
--disable-slapd \
--disable-slurpd \
--without-yielding-select \
--without-rewrite \
--without-overlays \
--with-gnu-ld
make depend
make CC=$(TARGET_CC) -C $(OPENLDAP_DIR)
Assume that the GNU_ type variables have reasonable values. The
compilation proceeds normally until the linking phase.
At this point libtool fails with:
/bin/sh ../..//libtool
--mode=link /home/imageuser/buildroot/buildroot/trunk/build_i686/staging_dir/bin/i686-linux-uclibc-gcc -static -Os -pipe -o rewrite rewrite.o parse.o librewrite.a ../../libraries/liblutil/liblutil.a ../../libraries/libldap_r/libldap_r.la ../../libraries/liblber/liblber.la -lssl -lcrypto -pthread
/home/imageuser/buildroot/buildroot/trunk/build_i686/staging_dir/bin/i686-linux-uclibc-gcc -Os -pipe -o rewrite rewrite.o parse.o -pthread librewrite.a ../../libraries/liblutil/liblutil.a ../../libraries/libldap_r/.libs/libldap_r.a /home/imageuser/buildroot/buildroot/trunk/build_i686/openldap-2.3.28/libraries/liblber/.libs/liblber.a ../../libraries/liblber/.libs/liblber.a -lssl -lcrypto -pthread
../../libraries/libldap_r/.libs/libldap_r.a(tls.o): In function
`ldap_pvt_tls_check_hostname':
tls.c:(.text+0x9ca): undefined reference to `lutil_memcmp'
collect2: ld returned 1 exit status
Can anyone throw any light on this problem?
Rob
syncrepl & OpenLDAP 2.3.27 & Backend Issue
by Doug Goldstein
I have been attempting to set up OpenLDAP for the past couple of days
with syncrepl and have been able to get it to work. The configs
resolve fine with "slaptest -d config" and the master would work, but the
consumers would never have any data in them.
After spending some time and reconfiguring a bunch of times with the
help of the guys in #ldap on Freenode, I switched my consumers from
"hdb" to "bdb" and it just started to work. My master had always been "bdb".
No idea why this happens like this, but the guys from #ldap told me to
e-mail this info out. I was just following the guide from the OpenLDAP
Administrator's Guide, which said to set it up with bdb on the master and
hdb on the consumers.
If anyone wants any more info to track this down let me know and I'll
provide it.
--
Doug Goldstein
cardoe(a)gentoo.org
hdb stops checkpointing....
by johan.jonemo@hep.lu.se
I try to modify an hdb periodically (often). After a while the underlying
database seems to be swamped.
If I look in the directory log files are piling up. I run db_archive
periodically to clean up the log files and I also run db_deadlock in
parallel.
I do not run db_checkpoint as this as far as I understand is done by the
backend.
Strangely the problem seems to start after about 2 h if I start from a
clean database. When I try to lower the frequency of the updates it still
seems to happen after 2 h.
I use OpenLDAP v2.3.24
with Sleepycat Software: Berkeley DB 4.4.20.
Johan Jönemo
LDAP+TLS
by Net Warrior
Hi there guys.
Well, I'm making some progress securing my LDAP server by reading the list
and the official how-to, but I'm facing a new problem.
So, I've created the certificates using this link:
http://www.openldap.org/faq/index.cgi?_highlightWords=self%20signed&file=185
Then in my slapd.conf I've got (server side):
#security ssf=128 update_ssf=128 simple_bind=128
#TLSCipherSuite HIGH:MEDIUM:+SSLv3:+SSLv2:+RSA:+TLSv1
security ssf=1 update_ssf=112 simple_bind=64
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ssl/serverkey.pem
TLSVerifyClient never
ldap.conf (server side )
/etc/openldap/ldap.conf
BASE dc=netwarrior,dc=com
URI ldaps://linux:636
HOST linux:636
#BINDDN dc=netwarrior,dc=netwarrior
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT never
With this configuration everything seems to work fine, but now, what I want
to do is to force my clients to use a certificate to connect,
so, if I did not misunderstand it, the demand option is a must.
So, when I change TLSVerifyClient never to demand, I get the following
(always on my server):
linux:/etc/ssl # openssl s_client -connect localhost:636 -state -showcerts -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress=test(a)company.com
verify return:1
depth=0 /C=AU/ST=Some Even State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress=test(a)company.com
verify return:1
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
6274:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
6274:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
Making some searches in the mailing list I found a guy who had the same
problem, and he was told that with the
demand option we force slapd to ask for a client certificate, and that the
client certificate is a must.
Well, now, I do not get it, because I'm authenticating against myself, with the
certificates I generated before;
maybe I have to generate a separate pair of certificates, I do not know.
With never and always it works, as suggested by someone on the list, who
said that first we need to try a lower option (never, allow)
to test if the server works; my problem is with the demand option.
What am I missing here?
Sorry for my stupidity, I do not get it yet.
Thanks in advance and for your valuable time.
Greets.
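An added example, not from the original post or from the OpenLDAP project, of the client-side settings that have to accompany TLSVerifyClient demand on the server; the client certificate and key paths are assumed, and the client certificate is assumed to be a separate one issued by the same CA as cacert.pem:

```conf
# --- slapd.conf (server side) ---
# With "demand" the TLS handshake is rejected (alert 40, "handshake failure")
# unless the client presents a certificate that chains to TLSCACertificateFile.
TLSCACertificateFile  /etc/ssl/cacert.pem
TLSCertificateFile    /etc/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ssl/serverkey.pem
TLSVerifyClient       demand

# --- ~/.ldaprc (client side) ---
# TLS_CERT and TLS_KEY are user-only options, so they belong in the per-user
# ldaprc, not in /etc/openldap/ldap.conf. Paths below are assumed.
# The client cert is a separate certificate signed by the same CA, not the
# server's own servercrt.pem.
TLS_CACERT  /etc/ssl/cacert.pem
# "demand" instead of "never": the client now verifies the server certificate
# as well. Note this also checks that the server cert's CN matches the host in
# URI, so a cert with CN=localhost is only accepted for ldaps://localhost:636.
TLS_REQCERT demand
TLS_CERT    /etc/ssl/clientcrt.pem
TLS_KEY     /etc/ssl/clientkey.pem

# --- Manual handshake check with openssl ---
# Without -cert/-key, s_client sends an empty certificate and the server
# aborts the handshake exactly as in the output above.
# openssl s_client -connect localhost:636 -CAfile /etc/ssl/cacert.pem \
#     -cert /etc/ssl/clientcrt.pem -key /etc/ssl/clientkey.pem
```

Once the client certificate is presented, slapd logs the connection's ssf in the BIND line, which is the quickest way to confirm the handshake completed on the server side.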
slapo-accesslog configuration puzzle
by 王 鹏辉
Hello, list.
I have enabled the accesslog feature in my OpenLDAP server 2.3.27 on a Gentoo
box. During the configuration, I found something unclear to me.
I found that if the accesslog database definition section is located anywhere
except first in the slapd.conf file, when I want to start the
OpenLDAP daemon the following error comes out:
Nov 13 10:10:13 (none) slapd[2141]: @(#) $OpenLDAP: slapd 2.3.27 (Sep 20
2006 17:09:57) $ ^Iroot@monster:/tmp/buildd/openldap2.3-2.3
.27/debian/build/servers/slapd
Nov 13 10:10:13 (none) slapd[2142]: backend_startup_one: bi_db_open failed!
(32768)
Nov 13 10:10:13 (none) slapd[2142]: slapd stopped.
Nov 13 10:10:13 (none) slapd[2142]: connections_destroy: nothing to destroy.
If I put the accesslog database definition section as the first database
section, the OpenLDAP daemon starts correctly.
Does someone know the details of this condition?
Every response is appreciated.
Wang Penghui
--
Wang Penghui
+86 592 8389 650
Lock table is out of available locks
by vadim
Hi all,
I have tried to add some entries to an OpenLDAP 2.3.29 server. Everything
crashes with the following error message:
bdb(o=bla): Lock table is out of available locks
=> bdb_idl_insert_key: c_get failed: Not enough space(12)
Do you know what I am doing wrong?
Thanks a lot and best regards, Vadim Tarassov