openldap-software January 2007

openldap-software@openldap.org

98 participants
123 discussions

ldapsearch across back-sql and non-back-sql tree
by Robert Brooks 01 Mar '07

01 Mar '07

I have a back-sql portion of my ldap tree, I can search within the back-sql part of the tree (and within the ldbm), but searches do not cross from the ldbm tree into the back-sql part of the tree. Should I make a referal in the ldbm tree at the point the back-sql tree is mounted, or is there a better way to do this? Regarrds, Rob

5 5

cleaning up logs from bdb db and upgrading ldap
by Douglas B. Jones 12 Feb '07

12 Feb '07

I noticed the that I am getting a number of bdb logs (log.0000000000 .. 210) so far for one db. What is the proper procedure for consolidating these with openldap while keeping the server process running. We have version 2.3.27, but plan on upgrading to 2.3.33. The second question: is the best way to migrate from one ldap version to another to slapcat from the old one and the slapadd to the new one? I realize if I do this way, I would in essence have an answer for the first question, but the first one I was wondering from a live point of view. Thank you for any help, I have not had much time finding an answer in the archives o slapd.conf or slapd.bdb man pages. Thanks!

5 7

SASL GSSAPI authentication with Sun Java Directory Server 5.2P4
by Andrew Deason 12 Feb '07

12 Feb '07

I am trying to use OpenLDAP's ldapsearch to connect to a Sun DS 5.2 server using SASL/GSSAPI to authenticate. The setup works perfectly fine on Solaris clients, but not on Linux ones using OpenLDAP's ldapsearch (Debian sid on x86). Instead, it always gives the following error: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code 188) This error is coming from the DS server (right?), so I know this may not be OpenLDAP's problem. I was just wondering if anyone else had encountered this problem, or if there are any workarounds or anything, or if this is known to just not work at all. I'm using the Cyrus SASL implementation with MIT Kerberos. I tried this with ldapsearch 2.3.30 and 2.2.23. -- Andrew Deason adeason2(a)uiuc.edu

3 4

Re: map custom attribute to another non custom attribute
by matthew sporleder 10 Feb '07

10 Feb '07

On 1/19/07, P. Martinez <martinezino(a)googlemail.com> wrote: > Hello List, > > before i start, i am very new to directory > services, therefore please be patient to > me. I am with myself ;) > > I am writing an custom schema - and thought > about a way to mapping attributes. > > attributeType ( OIDXXX NAME ( 'cn' 'commonName' ) > SUP name ) > > Here we have two ways to query for entries - cn > and commonName, right. > > My question: Is is possible to construct a > schema that maps attributes to another > attribute of a different objectclass/schema. > > Why? - Lets say an application ask for > "unordinaryattributeName". Now i want to > map it to cn transparently. So i need only > to manipulate cn fields etc. > > This idea comes to me as a flash of genius. > But i hope that it is quite old and therefore > possible. > Although this might be possible, (I'm not sure how many NAME's you're allowed in a schema), openldap provides mechanisms to do this already. And you wouldn't have to hijack namespace, or get into other nasty things like that. See slapo-rwm(5) --- DESCRIPTION The rwm overlay to slapd(8) performs basic DN/data rewrite and object- Class/attributeType mapping. Its usage is mostly intended to provide virtual views of existing data either remotely, in conjunction with the proxy backend described in slapd-ldap(5), or locally, in conjunction with the relay backend described in slapd-relay(5).

2 1

Salted passwords, further clarification please
by m h 08 Feb '07

08 Feb '07

Hi all. I'm trying to write a script to change the rootpw value in slapd.conf. Before allowing the user to change the password, I'm asking that they first verify the existing password. My question has to do with the random salt. How do I verify the existing password? Going through slappasswd doesn't appear to work, since it uses a random salt each time. ie: r52 ~ # slappasswd -s foo {SSHA}OBe71ShE85Wd8PINTJzunxazszPWpon1 r52 ~ # slappasswd -s foo {SSHA}OCK0lxJa+pfFqDfE39N3EZ8529IZIMhd It doesn't appear from the man page for slappasswd that you can specify the salt. Furthermore, how does the server know what the salt is? (I read through the FAQ on the website and it says the salt is added to the password before encryption). A little confused. Anything enlightening would be wonderful! Thanks much. matt

3 4

[Fwd: Re: Bug(?) With OpenLDAP 2.3.32]
by daniel＠ncsu.edu 05 Feb '07

05 Feb '07

Dooh, sorry, this was supposed to go to the list instead of you directly. ---------------------------- Original Message ---------------------------- Subject: Re: Bug(?) With OpenLDAP 2.3.32 From: daniel(a)ncsu.edu Date: Wed, January 24, 2007 1:51 pm To: "Gavin Henry" <ghenry(a)suretecsystems.com> -------------------------------------------------------------------------- I'm not supplying the old attribute. This particular individual has a double major and hence the way we are using it, he has two ou's associated with him. Daniel > <quote who="daniel(a)ncsu.edu"> >> Hi folk! >> >> We upgraded to OpenLDAP 2.3.32 recently and I ran into something that, >> unless I have completely lost my mind, should not be occuring: >> >> /local/ldap/data # /local/ldap/bin/ldapmodify -x -h localhost -D >> "cn=ldapadmin,dc=ncsu,dc=edu" -w LDAPADMINPASSWORD >> dn: uid=STUDENTUSERNAME,ou=students,ou=people,dc=ncsu,dc=edu >> changetype: modify >> replace: ou >> ou: B A - Physics >> ou: B S - Philosophy >> - >> replace: ncsucurriculumcode >> ncsucurriculumcode: PYA >> ncsucurriculumcode: LSL >> >> modifying entry >> "uid=STUDENTUSERNAME,ou=students,ou=people,dc=ncsu,dc=edu" >> ldap_modify: Type or value exists (20) >> additional info: modify/replace: ou: value #1 already exists >> >> >> Obviously I replaced the user's username and my ldap admin password. ;D >> A replace should literally be replacing the ou and ignoring what it's >> currently set to, correct? And since those two ou's are not the same, >> it >> should be fine? What's even more bizarre is that I didn't run into this >> while populating the database in the first place. Is this, perchance, >> fixed in 2.3.33? Thanks! > > You don't supply the old attribute value, just the new one. > > man ldapmodify > >> >> Daniel >> > >

6 13

Can't add data to new ou
by gandalf istari 04 Feb '07

04 Feb '07

Hi, I'm quite new with LDAP so .... i have created a new ou with this command: slapadd -l ./new-od.ldif without any errors dn: ou=Recipients_Seny, ou=Recipients, ou=not_users, ou=users_sxo, dc=internal,dc=sodexho,dc=be ou: Recipients_Seny objectClass: top objectClass: organizationalUnit when i add data i get this error: igor:~# ldapadd -c -x -S /var/log/sync-ldap/ldapadd-userinfo.log -D "cn=admin,dc=internal,dc=sodexh o,dc=be" -w xxx -h 127.0.0.1 -P 3 -f ./sos.ldif adding new entry "CN=SOSCATALOG,OU=Recipients_Seny,OU=Recipients,OU=not_users,OU=users_sxo,DC=intern al,DC=sodexho,DC=be" ldap_add: No such object (32) matched DN: ou=Recipients,ou=not_users,ou=users_sxo,dc=internal,dc=sodexho,dc=be the ldif: dn: CN=SOSCATALOG,OU=Recipients_Seny,OU=Recipients,OU=not_users,OU=users_sxo,DC=internal,DC=sodexho,DC=be cn: SOSCATALOG displayName: SOSCATALOG mail: SOSCATALOG(a)sodexho-be.com givenName: SOSCATALOG objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person sn: SOSCATALOG what must be done to solve this? TIA

3 4

ldapsearch for digest-md5
by Radhakrishnan Balasubramanian 01 Feb '07

01 Feb '07

Hi All, I have Openldap Server -2.2.13 with Cyrus SASL configured. I am trying to do ldapsearch for digest-md5 .I am getting the following error : ldapsearch -Y digest-md5 -D "uid=pokemon,ou=People,dc=cisco,dc=com" -w pokemon123 SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): authentication failure: client response doesn't match what we generated But ldapsearch with -U option is successful. Please let me know what need to be done on my LDAP server for making ldapsearch sucessful without using -U (SASL authentication identiy) and using only -D option . Thanks, RK ____________________________________________________________________________________ Don't get soaked. Take a quick peak at the forecast with the Yahoo! Search weather shortcut. http://tools.search.yahoo.com/shortcuts/#loc_weather

4 4

2.3.33 back_meta test failure
by Andreas Hasenack 01 Feb '07

01 Feb '07

Hello, while running make test on a 2.3.33 build, I get an error in test030-relay when using the meta backend: (...) Using meta backend... Starting slapd on TCP/IP port 9011... Using ldapsearch to check that slapd is running... Using ldapadd to populate the database... Searching base="dc=example,dc=com"... Searching base="o=Example,c=US"... Search failed (255)! ./scripts/relay: line 78: kill: (31577) - Processo inexistente >>>>> ./scripts/test030-relay failed (exit 255) make: ** [bdb-yes] Erro 255 The log shows: $ tail testrun/slapd.1.log conn=3 op=1 >>> meta_search_dobind_init[0] conn=3 op=1 <<< meta_search_dobind_init[0]=1 ==> rewrite_context_apply [depth=1] string='o=Example,c=US' ==> rewrite_rule_apply rule='((.+),)?o=Example,[ ]?c=US$' string='o=Example,c=US' [1 pass(es)] ==> rewrite_context_apply [depth=1] res={0,'dc=example,dc=com'} [rw] searchBase: "o=Example,c=US" -> "dc=example,dc=com" ==> rewrite_context_apply [depth=1] string='(objectClass=*)' ==> rewrite_context_apply [depth=1] res={0,'NULL'} [rw] searchFilter: "(objectClass=*)" -> "(objectClass=*)" /home/andreas/updates-svn/openldap/BUILD/openldap-2.3.33/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.3.so.0: undefined symbol: ldap_back_proxy_authz_ctrl Anybody else with the same problem?

4 7

Notes on LDAP Performance, docs
by Howard Chu 31 Jan '07

31 Jan '07

In a recent blog entry http://www.connexitor.com/blog/pivot/entry.php?id=103 I discussed how LDAP gets misused in some applications, using sendmail as an example. Gavin Henry commented that some of that material ought to go in the FAQ-o-Matic. And I replied with the usual "the FAQ-o-Matic is open for anyone to contribute." I think we could really use someone to volunteer to be a documentation lead, because just relying on random members of the community to contribute is just too, well, random. One of the things such a doc person might do is take responsibility for merging useful mailing list posts into the FAQ-o-Matic. Another task that would be a big help would be to sift thru the current entries in the FAQ and identify articles that can move into the Admin Guide. Part of that task may include consolidating information from several FAQ items into a single coherent piece of text. If you've been looking for a way to get more involved in the OpenLDAP community, this would be a great way to start. You don't have to be a programmer, and you'll learn a lot on the way. Plus you'll get that warm fuzzy feeling from knowing you've helped to improve the OpenLDAP package for all to benefit. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2007