slapd questions
by Greg Martin
Sorry - reposting with a better subject
in the current topic on syncrepl,
Gavin Henry wrote:
>
> Can you slapcat your config back out and show us everything?
>
> slapcat -n 0 > config.ldif
>
> /usr/sbin/slapd not /usr/local/libexec/slapd ?
>
>
I'm curious as to his statement above. My Slackware package installs
slapd to /usr/libexec/slapd. There is no other version. Your statement
seems to imply there could be two versions. Can you help me understand why?
And while I'm at it, can someone explain how slapd knows to act
differently when called from one link, say, slapcat, over another, say
slapdn. I've been using linux for 5-6 years and have not run across
this particular behavior. Does slapd read argv(0) and act differently
based on that?
\\Greg
15 years, 6 months
back_ldap, rwm & saslautheticated users
by Dieter Kluenter
Hello,
how can a sasl_authz created identity be rewritten, that is, so that the
generated DN matches the DN on the remote server?
The search string is
ldapsearch -Ydigest-md5 -Udieter -w secret \
-H ldap://localhost:9004 -b "dc=dkluenter,dc=de" -s sub \
$filter
My configuration:
,----[ slapd.conf for back_ldap ]
| ...
| authz-regexp uid=(.*),cn=.*,cn=auth
|     ldap:///dc=dkluenter,dc=de??sub?uid=$1
| access to * by * read
| database ldap
| suffix dc=dkluenter,dc=de
| rootdn cn=admin,dc=dkluenter,dc=de
| uri ldap://localhost:389
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=xxx
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=mailer
|     mode=self
| overlay rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
`----
The following log shows that the DN string from back_ldap
"cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de"
is not rewritten to
"cn=dieter kluenter,ou=partner,o=avci,c=de"
which would be the desired result.
,----[ slapd.log on Master ]
| slapd[4169]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "entry" requested
| slapd[4169]: => acl_mask: to all values by "cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de", (=0)
| slapd[4169]: <= check a_dn_pat: cn=$1,ou=Partner,o=avci,c=de
| slapd[4169]: <= check a_group_pat: cn=administratoren,o=avci,c=de
| slapd[4169]: => bdb_entry_get: found entry: "cn=administratoren,o=avci,c=de"
| slapd[4169]: <= check a_dn_pat: *
| slapd[4169]: <= acl_mask: [3] applying auth(=xd) (stop)
| slapd[4169]: <= acl_mask: [3] mask: auth(=xd)
| slapd[4169]: => slap_access_allowed: search access denied by auth(=xd)
`----
How can rewriting of the DN be achieved?
-Dieter
--
Dieter Klünter | Systems Consulting
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
15 years, 6 months
Error in setting the values of Custom objectClass in openldap
by Anjali Arora
Hi,
I am facing a problem setting values for custom objectclass attributes.
My *custom schema* is like this:
attributetype ( 1.3.6.1.4.1.6863.2.3.107 NAME ( 'filename' )
DESC 'RFC2256: logical filename'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.6863.2.3.108 NAME 'filesize'
DESC 'RFC2256: size of the file'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.6863.2.3.109 NAME 'parentid'
DESC 'index of the parent entry'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.6863.2.3.110 NAME 'filemode'
DESC 'RFC2256: file permission'
SUP filename )
attributetype ( 1.3.6.1.4.1.6863.2.3.111 NAME ( 'protocoltype' )
DESC 'RFC2256: transfer protocol type'
SUP filename )
objectclass(1.3.6.1.4.1.6863.2.4.57 Name 'gfsnamespace'
DESC 'RFC2256 : GFS Tree Hierarchy'
SUP top AUXILIARY
MUST parentid
MAY ( filetype $ filemode $ filename $ parentid $ protocoltype $
filesize ) )
and the *ldap.ldif* file is:
dn: cn=Cur Ander,ou=SoftwareDeveloper,dc=example,dc=com
cn: Cur Ander
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: CAnder@isp.com
givenname: Cur
sn: Ander
ou: MemberGroupA
street: 17 Cherry St.
objectClass: gfsnamespace
parentid: 1002
filename: abc.txt
When I add this entry through the command line interface like this:
ldapadd -D "cn=Manager,dc=example,dc=com" -w secret -f ldap.ldif
When I add the entry without setting my objectclass (gfsnamespace)
attribute values, it is added successfully without an error, but when I
try to add the entry with my objectclass attributes set, it gives this
error:
adding new entry "cn=Cur Ander,ou=SoftwareDeveloper,dc=example,dc=com"
ldapadd: Invalid syntax (21)
additional info: objectClass: value #4 invalid per syntax
Please give me a solution as soon as possible...
And I want to know: if I want my object class to be the base of the hierarchy,
how do I do that? Or do I have to follow some predefined hierarchy? If so,
please tell me the predefined hierarchy of objectclasses in OpenLDAP.
Thanks and Regards,
Anjali
15 years, 6 months
can't delete ppolicy overlay from cn=config
by Scott Classen
hello,
this is my ldif file:
dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
changetype: delete
command to remove entry:
%ldapmodify -x -D "uid=ldapadmin,ou=peps,dc=example,dc=com" -W -f ppolicy-del.ldif
deleting entry "olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config"
ldap_delete: Server is unwilling to perform (53)
I'm performing this operation as rootdn; why can I not delete the entry?
15 years, 6 months
Enabling TLS problem on openldap2-2.3.39
by Keagle, Chuck
I'm configuring slapd to use TLS. First I just want to make it work,
then I'll go into requiring encryption.
The system is SLES 9.3
The openldap2 is 2.3.39
Other certificates are in /etc/ssl/certs as specified by default in
slapd.conf for openldap2 2.3.39.
The database is currently empty, just getting started.
Generated a self-signed x509 certificate
cd /etc/openldap
openssl genrsa 1024 >server.key
chmod 0440 server.key
chown root:ldap server.key
openssl req -new -key server.key -x509 -days 100 -out server.crt
Entered all the important stuff
chmod 0444 server.crt
Checked certificate and it looked acceptable
openssl x509 -text -in server.crt
Changed following lines in slapd.conf:
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
Added following line to /etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/server.crt
A command not using encryption works fine:
ldapsearch -x -H ldap://example.com -b "" -s base 'objectclass=*' '+' '*'
A command using encryption fails:
ldapsearch -x -Z -H ldap://example.com -b "" -s base 'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_result: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Here are the ldap log entries when loglevel is set to -1:
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
Nov 16 16:53:47 testsvr slapd[19533]:
Nov 16 16:53:47 testsvr slapd[19533]: >>> slap_listener(ldap:///)
Nov 16 16:53:47 testsvr slapd[19533]: daemon: listen=8, new connection on 14
Nov 16 16:53:47 testsvr slapd[19533]: daemon: added 14r (active) listener=(nil)
Nov 16 16:53:47 testsvr slapd[19533]: conn=4 fd=14 ACCEPT from IP=1.1.1.1:3535 (IP=0.0.0.0:389)
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
Nov 16 16:53:47 testsvr slapd[19533]: 14r
Nov 16 16:53:47 testsvr slapd[19533]:
Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14
Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14)
Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got connid=4
Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): checking for input on id=4
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: do_extended
Nov 16 16:53:47 testsvr slapd[19533]: do_extended: oid=1.3.6.1.4.1.1466.20037
Nov 16 16:53:47 testsvr slapd[19533]: conn=4 op=0 STARTTLS
Nov 16 16:53:47 testsvr slapd[19533]: send_ldap_extended: err=0 oid= len=0
Nov 16 16:53:47 testsvr slapd[19533]: send_ldap_response: msgid=1 tag=120 err=0
Nov 16 16:53:47 testsvr slapd[19533]: conn=4 op=0 RESULT oid= err=0 text=
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
Nov 16 16:53:47 testsvr slapd[19533]: 14r
Nov 16 16:53:47 testsvr slapd[19533]:
Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14
Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14)
Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got connid=4
Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): checking for input on id=4
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
Nov 16 16:53:47 testsvr slapd[19533]: 14r
Nov 16 16:53:47 testsvr slapd[19533]:
Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14
Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14)
Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got connid=4
Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): checking for input on id=4
Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): TLS accept failure error=-1 id=4, closing
Nov 16 16:53:47 testsvr slapd[19533]: connection_closing: readying conn=4 sd=14 for close
Nov 16 16:53:47 testsvr slapd[19533]: connection_close: conn=4 sd=-1
Nov 16 16:53:47 testsvr slapd[19533]: daemon: removing 14
Nov 16 16:53:47 testsvr slapd[19533]: conn=4 fd=14 closed (TLS negotiation failure)
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor
Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
Nov 16 16:53:47 testsvr slapd[19533]:
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero
It looks like TLS started OK, then there was a negotiation failure with
slapd.
I figure I just missed something simple here, but have spent quite a bit
of time not getting it figured out.
Any insights?
Thank you.
----
Not all who wander are lost.
| ---- ___o | chuck.keagle(a)boeing.com
Chuck Keagle | ------- \ <, | Work: (425) 865-1488
Enterprise Servers: HPC | ----- ( )/ ( ) | Cell: (425) 417-3434
15 years, 6 months
Re: syncrepl LDIF kickstart file
by Gavin Henry
Greg Martin wrote:
>
>
> Gavin Henry wrote:
>>>
>>>
>>
>> Can you slapcat your config back out and show us everything?
>>
>> slapcat -n 0 > config.ldif
>>
>> /usr/sbin/slapd not /usr/local/libexec/slapd ?
>>
>>
>
> Gavin, this is slightly off-topic. I'm curious as to your statement above.
> My Slackware package installs slapd to /usr/libexec/slapd. There is no
> other version. Your statement seems to imply there could be two
> versions. Can you help me understand why?
Default configure; make depend; make and make install installs slapd into
/usr/local/libexec
Distros put the binaries where they see fit.
>
> And while I'm at it, can someone explain how slapd knows to act
> differently when called from one link, say, slapcat, over another, say
> slapdn. I've been using linux for 5-6 years and have not run across
> this particular behavior. Does slapd read argv(0) and act differently
> based on that?
>
symlinks
Test:
[ghenry@suretec ~]$ cat test.pl
#!/usr/bin/perl
use strict;
use warnings;
print $0, "\n";
[ghenry@suretec ~]$ ./test.pl
./test.pl
[ghenry@suretec ~]$ ln -s test.pl slapcat
[ghenry@suretec ~]$ ./slapcat
./slapcat
[ghenry@suretec ~]$ ls -l /usr/local/sbin/slapcat
lrwxrwxrwx 1 root root 16 2007-10-31 19:47 /usr/local/sbin/slapcat -> ../libexec/slapd
15 years, 6 months
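To make the "symlinks" answer to Greg's argv(0) question concrete, here is an added C illustration (not slapd's own source) of a single binary choosing its personality from the basename of the name it was invoked under; the tool names are the ones from the thread, the mode strings are made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of argv[0] dispatch, not slapd's own code: one binary
 * reached through symlinks (slapcat -> ../libexec/slapd) picks its mode from
 * the name it was invoked under. Tool names follow the thread. */
enum tool { TOOL_SLAPD, TOOL_SLAPADD, TOOL_SLAPCAT, TOOL_SLAPDN, TOOL_UNKNOWN };

static const struct { const char *name; enum tool id; } tools[] = {
    { "slapd",   TOOL_SLAPD   },
    { "slapadd", TOOL_SLAPADD },
    { "slapcat", TOOL_SLAPCAT },
    { "slapdn",  TOOL_SLAPDN  },
};

/* Basename of argv[0]: "/usr/local/sbin/slapcat" and "./slapcat" -> "slapcat". */
static const char *progname(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Look the invocation name up in the table. Resolving the symlink instead
 * (e.g. readlink /proc/self/exe) would give .../libexec/slapd for every
 * tool, which is why the unresolved argv[0] is what carries the choice. */
enum tool tool_for_name(const char *argv0)
{
    const char *name = progname(argv0);
    size_t i;
    for (i = 0; i < sizeof tools / sizeof tools[0]; i++)
        if (strcmp(name, tools[i].name) == 0)
            return tools[i].id;
    return TOOL_UNKNOWN;
}

int main(int argc, char **argv)
{
    /* argv[0] is whatever the caller passed to exec(): it selects a mode but
     * says nothing about who is calling, so the tool modes still depend on
     * file permissions on the database and config for any protection. */
    (void)argc;
    switch (tool_for_name(argv[0])) {
    case TOOL_SLAPD:   puts("server mode");  break;
    case TOOL_SLAPADD: puts("slapadd mode"); break;
    case TOOL_SLAPCAT: puts("slapcat mode"); break;
    case TOOL_SLAPDN:  puts("slapdn mode");  break;
    default:           printf("unknown tool name: %s\n", progname(argv[0]));
    }
    return 0;
}
```

Build it, symlink the binary as slapcat and run both names to see the two branches; the Perl $0 test above shows the same thing one layer up.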
Re: syncrepl LDIF kickstart file
by Scott Classen
> Scott Classen wrote:
> > Hello openldap community,
> >
> > I have openldap 2.4.6 running on 2 machines.
> >
> > one master server with a BDB database acting as the syncrepl provider (the
> > syncrepl overlay has been added to the database configuration directive).
> >
> > I now have set up a second machine also running openldap 2.4.6 and I've been
> > playing around with it trying to get it to act as a syncrepl consumer.
> >
> > I remember reading somewhere in the openldap documentation that it should be
> > fairly straightforward with a simple 10-12 line LDIF file to get the syncrepl
> > consumer synched up with the provider.
> >
> > Can someone please post an example of such a simple kickstart file?
> > Thanks,
>
> Sounds vaguely like you want this
> (from http://www.openldap.org/pub/hyc/LDAPcon2007s.pdf page 20)
>
> ###
> dn: cn=config
> objectclass: olcglobal
> cn: config
>
> dn: olcdatabase={0}config,cn=config
> objectclass: olcdatabaseconfig
> olcdatabase: {0}config
> olcsyncrepl: rid=001 provider=$URI binddn="cn=config"
> bindmethod=simple credentials=$CONFIGPW searchbase="cn=config"
> type=refreshOnly interval=00:00:00:10
> ###
>
> Slapadding this will fully initialize a new server if you point it at an
> existing provider, but of course you need to have the syncprov overlay
> configured on the config database of the provider.
>
> See test049 in the test suite for a more detailed example.
>
Yes, that is what I am interested in.
I added the syncprov overlay to the cn=config directive on the PROVIDER as such:
cn=config
olcDatabase={0}config
olcOverlay={0}syncprov
Now on a brand new CONSUMER machine I created the following LDIF file (sync-seed.ldif):
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=ldapadmin,cn=config
olcRootPW: {SSHA}mysoopersecretpasswd
olcsyncrepl: rid=001 provider=ldap://my.provider.machine binddn="cn=ldapadmin,cn=config" bindmethod=simple
 credentials=secret searchbase="cn=config" type=refreshOnly
 interval=00:00:00:10
I then put the file in my openldap dir and cd there:
cd /usr/local/etc/openldap
mkdir slapd.d
slapadd -b "cn=config" -F slapd.d -l sync-seed.ldif
all is OK
I then start slapd:
/usr/sbin/slapd -d 256
...
slapd starting
syncrepl_message_to_entry: rid=001 mods check (olcDbConfig: value #6 provided more than once)
do_syncrepl: rid=001 quitting
Hmmm, what have I done wrong?
Thanks,
Scott
15 years, 6 months
pcache configuration
by Nathan Morrow
I have spent some good time playing with ldap queries and think I have a
good grasp on it.
The application is simple. I am querying a Microsoft server for email
address info. Simple.
I have set up slapd to act as a proxy, and I can perform my lookups with no
problem, but when I try to turn on pcache options, slapd gives no
configuration errors and exits on startup.
Since it should pull all database info, do I need an initial database?
Where can I generate more errors on the abnormal exit?
Running on Fedora. The basics of my config that are working are:
database ldap
suffix "dc=office,dc=spotswood,dc=org"
rootdn "dc=office,dc=spotswood,dc=org"
rootpw maildata
uri "ldap://192.168.0.2:389/"
# overlay pcache
# proxyCache bdb 100000 1 1000 100
# cachesize 20
# proxyAttrset 0 mail postaladdress telephonenumber
# proxyTemplate (sn=) 0 3600
# proxyTemplate (&(sn=)(givenName=)) 0 3600
# proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
Again, the above works, but when I uncomment the cache stuff, slapd doesn't
give errors but doesn't keep running either.
Everything I read on the net references an old document about the concept,
but nothing about actual configuration that works with the current release.
Anyone accomplish this? Looking for any help before having to get in source
code.
Nathan
15 years, 6 months