openldap-software January 2007

openldap-software@openldap.org

98 participants
123 discussions

openldap proxy issue
by jerrrry＠voila.fr 05 Jan '07

05 Jan '07

hi, I'am configuring slapd(8) 2.3.27 for use as a proxy to another LDAP server. the purpose is to do an ldap authentication to a ldap backend, that need that an administator account bind to do a search, with applications that can only do an anonymous bind. can openldap rewrite the anonynous connection to bind with the administrator acount instead ? I try this: I compiled with --enable-ldap --enable-rewrite. and my slapd.conf looks like this: database ldap suffix ou=personnes,o=sg uri ldap://192.16.239.210:1389 binddn cn=guards,ou=exploit,ou=personnes,o=sg bindpw secret but it does not work whereas i put binddn and binfpw. The backend ldap still receive an anonymous connection. thank you for your help Thomas

2 1

No schema in my db
by Olivier Cailloux 05 Jan '07

05 Jan '07

Hello, I'm trying to set up an LDAP server on my box (only for address book management). It seems like there is no schema (or a problem related to the schema) on my test server, and I don't know what I should do to overcome that problem. The problem (well I think this is a problem) is: Olivier:/etc/ldap# ldapsearch -b cn=schema -x # extended LDIF # # LDAPv3 # base <cn=schema> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 Here is my slapd.config file: Olivier:/etc/ldap# grep ^[^#$] slapd.conf access to dn.base="" by * read include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 timelimit 10 backend bdb database bdb suffix "o=smg" rootdn "cn=OlivierAdmin,o=smg" rootpw {SSHA}(hidden) directory "/var/lib/ldap2" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on access to * by * read by self write by anonymous read access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none And the contents: Olivier:/etc/ldap# slapcat dn: o=smg objectClass: top objectClass: organization o: smg description:: U2VydmljZSBkZXMgTWF0aMOpbWF0aXF1ZXMgZGUgbGEgR2VzdGlvbg== structuralObjectClass: organization entryUUID: 46e1f6c8-310c-102b-9771-d16a0ff3ed80 creatorsName: cn=OlivierAdmin,o=smg createTimestamp: 20070105132747Z entryCSN: 20070105132747Z#000000#00#000000 modifiersName: cn=OlivierAdmin,o=smg modifyTimestamp: 20070105132747Z More practically, my problem is that using phpldapadmin, I get a "no schema" error after logging in, and I suppose this is related to the "No such object" reply here above... Any help or pointer would be really appreciated, because I'm searching since two days! Olivier P.S. : not related, but I was wondering if it is better to create a "o=smg" organisation or "dc=smg8,dc=ulb,dc=ac,dc=be" following my dns name? Thank you.

4 3

openldap proxy issue
by jerrrry＠voila.fr 05 Jan '07

05 Jan '07

Hi, I forgot that i also tried this for slapd.conf: database ldap suffix ou=personnes,o=sg uri ldap://192.16.239.210:1389 idassert-bind bindmethod=simple binddn "cn=guards,ou=exploit,ou=personnes,o=sg" credentials=secret mode=none without more success ! Thomas > Message du 05/01/07 à 20h12 > De : "jerrrry(a)voila.fr" > A : openldap-software(a)openldap.org > Copie à : > Objet : openldap proxy issue > > > hi, > > I'am configuring slapd(8) 2.3.27 for use as a proxy to another LDAP server. > the purpose is to do an ldap authentication to a ldap backend, that need that an administator account bind to do a search, with applications that can only do an anonymous bind. > can openldap rewrite the anonynous connection to bind with the administrator acount instead ? > I try this: > I compiled with --enable-ldap --enable-rewrite. > and my slapd.conf looks like this: > database ldap > suffix ou=personnes,o=sg > uri ldap://192.16.239.210:1389 > binddn cn=guards,ou=exploit,ou=personnes,o=sg > bindpw secret > > but it does not work whereas i put binddn and binfpw. The backend ldap still receive an anonymous connection. > > thank you for your help > Thomas > >

1 0

Modifying existing schema definition without reimporting data ?
by Heinzmann, Robert 05 Jan '07

05 Jan '07

Hello, is it possible to change Schema definitions on openldap servers without recreating the backend ? Background: We have a ldap server (or multiple replicated LDAP servers) and have a certain attribute in the schema defitnion that is currently defined as "single value". It's the MAC address for clients used for X802.1 auth. The attribute is part oif the user object used for logins. Now it's possible, that users have multiple MAC addresses. We want to add multiple MAC addresses to that list, so we must chnage the attribute type from single to multiple values (sorry, I don't know the exact name of the defintion statement). Would this be possible by doing the following: stop ldap slave server change schema defintion for MAC address attribute from single to multivalue Start ldap slave again stop ldap master change schema defintion for MAC address attribute from single to multivalue Start ldap master Is changing the schema definion generally possible for changes other then singlevalue->multivalue - e.g. add another attribute or modify other things ? Looking forward to any feedback, Robert Heinzmann ------------------------------------------------------------------------ COMPUTER CONCEPT CC Computersysteme und Kommunikationstechnik GmbH Robert Heinzmann Wiener Str. 114 - 116 Email: heinzmann(a)cc-dresden.de 01219 Dresden Telefon: +49 (0)351/8 76 92-0 Telefax: +49 (0)351/8 76 92-99 Internet: http://www.cc-dresden.de ------------------------------------------------------------------------

3 2

different seperator in dnstyle authz-regex / access?
by Hans Moser 05 Jan '07

05 Jan '07

Hi! man slap.access says: It can have the forms dn[.<dnstyle>]=<dnpattern> man slapd.conf "authz-policy" says: it can take five forms: [...] dn[.<dnstyle>]:<pattern> Am I wrong, or is this by any cause different? Why ":" here and "=" there? Hans

2 2

Multiple instances of object class in a record
by Girish Pal 05 Jan '07

05 Jan '07

Hi, I want to use multiple instances of same object class in a single record. This was supported in previous version of ldap we were using but in current version 2.3.21 it seems that this is not supported. Is there any workaround for the problem dn: emp-id=918011111,oc=employee,vid=3,sid=1,dc=ssdb objectClass: employee objectClass: authorization-data objectClass: PIC objectClass: PIC We have lots of legacy data and applications which has to be ported to the newer version. -- Thanks, Girish

2 1

Problem with my ldap server and users
by poberli＠hsr.ch 04 Jan '07

04 Jan '07

Hello I've got a wierd problem with my ldap server which reoccurs every few months. In past I could fix it with completely deleting the ldap database, but somehow this doesn't satisfy me (lot of work to set it up again). I run every night a little script which deletes all users based on a list, this usually works fine. Afterwards it imports all users again with their maybe changed attributes. This looks like: ldapdelete -x -D "cn=admin,ou=admin,dc=domain,dc=ch" -w password -h localhost -c -f /opt/active-directory-to-ldap/ldap-dn-delete-list.ldif ldapadd -f /opt/active-directory-to-ldap/ldap-import.ldif -h localhost -D "cn=admin, ou=admin,dc=domain,dc=ch" -w password -a -c -x The content of the ldap-dn-delete-list.ldif file: CN=user1,DC=domain,DC=ch CN=user2,DC=domain,DC=ch CN=user3,DC=doamin,DC=ch .... The content of the ldap-import.ldif file: dn: CN=user1,DC=domain,DC=ch objectClass: ... objectClass: ... cn: user1 sn: Surname givenName: Givenname mail: user1(a)domain.ch (objectclass info removed) Now since yesterday is this producing me the following errors. While deleting: Delete Result: No such object (32) Matched DN: dc=domain,dc=ch Delete Result: No such object (32) Matched DN: dc=domain,dc=ch Delete Result: No such object (32) Matched DN: dc=domain,dc=ch Afterwards adding: adding new entry "CN=user1,DC=domain,DC=ch" ldap_add: Already exists (68) adding new entry "CN=user2,DC=domain,DC=ch" ldap_add: Already exists (68) adding new entry "CN=user3,DC=domain,DC=ch" ldap_add: Already exists (68) If I check the database in Jxplorer then I can see that it's empty besides the admin OU. I also tried ldapmodify, this produces: modifying entry "CN=user1,DC=domain,DC=ch" ldap_modify: No such object (32) matched DN: dc=domain,dc=ch ... Any ideas what this could be? This is a default debian installation which ldapd version: slapd -V @(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 08:52:42) $ @pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/ servers/slapd Thanks, Patrick

3 3

why is openldap not recognizing MD5 passwords?
by Marten Lehmann 04 Jan '07

04 Jan '07

Hello, usually it should be possible to give a password like {MD5}digest to a userPassword attribute and openldap should be using it as an MD5 password hash. Instead, it is using it as a plain password. What is going wrong there? Regards Marten

5 7

Re: no structuralObjectClass operational attribute error
by Kurt D. Zeilenga 04 Jan '07

04 Jan '07

At 12:57 PM 1/4/2007, Todd R Davis wrote: >I am setting up a new samba/openldap server. SLES 10 OS. I am trying to >populate the database and receive an error. > >using command: > >ldapadd -x -h localhost -D "cn=Manager,dc=hrhtest2,dc=org" -f test3.ldif -W > > >get error: > >adding new entry "cn=Domain Admins,ou=Groups,dc=hrhtest2,dc=org" >ldap_add: Internal (implementation specific) error (80) > additional info: no structuralObjectClass operational attribute This error is discussed in the FAQ at: http://www.openldap.org/faq/index.cgi?file=1385 Note that if you are using an older version of slapd(8), this message is indicative of the problem discussed here: http://www.openldap.org/faq/index.cgi?file=883 -- Kurt

1 0

Lock tuning
by matthew sporleder 03 Jan '07

03 Jan '07

After reading http://www.oracle.com/technology/documentation/berkeley-db/db/ref/lock/max.… I started to look at db_stat -c and noticed this: 5203 Total number of locks not immediately available due to conflicts. 15 Number of deadlocks. Now, these numbers of pretty low compared to all the other stuff with M's at the end, but the following would imply that there's plenty of capacity: 1000 Maximum number of locks possible. 1000 Maximum number of lockers possible. 1000 Maximum number of lock objects possible. 4 Number of current locks. 74 Maximum number of locks at any one time. 59 Number of current lockers. 71 Maximum number of lockers at any one time. 4 Number of current lock objects. 39 Maximum number of lock objects at any one time. Any hints as to why I would have deadlocks, or locks not available? Maybe I'm misreading what a conflict is vs just contention. Thanks, _Matt (.. if only I knew what the conflict matrix was trying to say ;)

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2007