November 2007 - openldap-software

by Greg Martin

Sorry - reporting with a better subject in the current topic on syncrepl, Gavin Henry wrote: > > Can you slapcat your config back out and show us everything? > > slapdcat -n 0 > config.ldif > > /usr/sbin/slapd not /usr/local/libexec/slapd ? > > I'm curious as to his statement above. My Slackware package installs slapd to /usr/libexec/slapd. There is no other version. Your statement seems to imply there could be two versions. Can you help me understand why? And while I'm at it, can someone explain how slapd knows to act differently when called from one link, say, slapcat, over another, say slapdn. I've been using linux for 5-6 years and have not run across this particular behavior. Does slapd read argv(0) and act differently based on that? \\Greg

15 years, 6 months

2
1
0 / 0

back_ldap, rwm & saslautheticated users

by Dieter Kluenter

Hello, how can a sasl_authz created identity be rewritten, that is, that die generated DN matches the DN on the remote server. The search string is ldapsearch -Ydigest-md5 -Udieter -w secret \ -H ldap://localhost:9004 -b "dc=dkluenter,dc=de" -s sub \ $filter My configuration: ,----[ slapd.conf for back_ldap ] | ... | authz-regexp uid=(.*),cn=.*,cn=auth | ldap:///dc=dkluenter,dc=de??sub?uid=$1 | access to * by * read | database ldap | suffix dc=dkluenter,dc=de | rootdn cn=admin,dc=dkluenter,dc=de | uri ldap://localhost:389 | acl-bind | bindmethod=sasl | saslmech=digest-md5 | authcId=admanager | credentials=xxx | idassert-bind | bindmethod=sasl | saslmech=digest-md5 | authcId=admanager | credentials=mailer | mode=self | overlay rwm | rwm-rewriteEngine on | rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de" `---- The following log shows that the DN string from back_ldap "cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de" is not rewritten to "cn=dieter kluenter,ou=partner,o=avci,c=de" which would be the desired result. ,----[ slapd.log on Master ] | slapd[4169]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "entry" requested | slapd[4169]: => acl_mask: to all values by "cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de", (=0) | slapd[4169]: <= check a_dn_pat: cn=$1,ou=Partner,o=avci,c=de | slapd[4169]: <= check a_group_pat: cn=administratoren,o=avci,c=de | slapd[4169]: => bdb_entry_get: found entry: "cn=administratoren,o=avci,c=de" | slapd[4169]: <= check a_dn_pat: * | slapd[4169]: <= acl_mask: [3] applying auth(=xd) (stop) | slapd[4169]: <= acl_mask: [3] mask: auth(=xd) | slapd[4169]: => slap_access_allowed: search access denied by auth(=xd) `---- How can rewriting of the DN be achieved. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

15 years, 6 months

2
1
0 / 0

SyncRepl cookie length?

by Erik van Oosten

Hi, I need to store syncrepl cookies in a database. What is the maximum length for a cookie that is issued by open ldap? Regards, Erik. -- Erik van Oosten http://2008.rubyenrails.nl/ http://www.day-to-day-stuff.blogspot.com/

15 years, 6 months

2
2
0 / 0

Error in setting the values of Custom objectClass in openldap

by Anjali Arora

Hi, I am facing problem in setting values for custom objectclass attributes: my *custom schema* is like this : attributetype ( 1.3.6.1.4.1.6863.2.3.107 NAME ( 'filename' ) DESC 'RFC2256: logical filename' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) attributetype ( 1.3.6.1.4.1.6863.2.3.108 NAME 'filesize' DESC 'RFC2256: size of the file' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) attributetype ( 1.3.6.1.4.1.6863.2.3.109 NAME 'parentid' DESC 'index of the parent entry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) attributetype ( 1.3.6.1.4.1.6863.2.3.110 NAME 'filemode' DESC 'RFC2256: file permission' SUP filename ) attributetype ( 1.3.6.1.4.1.6863.2.3.111 NAME ( 'protocoltype' ) DESC 'RFC2256: transfer protocol type' SUP filename ) objectclass(1.3.6.1.4.1.6863.2.4.57 Name 'gfsnamespace' DESC 'RFC2256 : GFS Tree Hierarchy' SUP top AUXILIARY MUST parentid MAY ( filetype $ filemode $ filename $ parentid $ protocoltype $ filesize ) ) and *ldap.ldif* file is : dn: cn=Cur Ander,ou=SoftwareDeveloper,dc=example,dc=com cn: Cur Ander objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson mail: CAnder(a)isp.com givenname: Cur sn: Ander ou: MemberGroupA street: 17 Cherry St. objectClass: gfsnamespace parentid: 1002 filename: abc.txt when i am adding this entry through command line interface like : ldapadd -D "cn=Manager,dc=example,dc=com" -w secret -f ldap.ldif When i am adding entry without setting my objectclass(gfsnamespace) attribute values it will be added sucessfully without an error but when i am trying to add entry with setting my objectclass attributes it will give this error : adding new entry "cn=Cur Ander,ou=SoftwareDeveloper,dc=example,dc=com" ldapadd: Invalid syntax (21) additional info: objectClass: value #4 invalid per syntax Please give me solution as soon as possible... And i want to know if i want my object class as the base of the hierarchy then how to do that or i have to follow some predefined hierarchy if it is so then tell me predefined hierarchy of objectclasses in openLDAP. Thanks and Regards, Anjali

15 years, 6 months

2
2
0 / 0

can't delete ppolicy overlay from cn=config

by Scott Classen

hello, this is my ldif file: dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config changetype: delete command to remove entry: %ldapmodify -x -D "uid=ldapadmin,ou=peps,dc=example,dc=com" -W -f ppolicy-del.ldif deleting entry "olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config" ldap_delete: Server is unwilling to perform (53) I'm performing this operation as rootdn why can I not delete the entry?

15 years, 6 months

4
4
0 / 0

Enabling TLS problem on openldap2-2.3.39

by Keagle, Chuck

I'm configuring slapd to use TLS. First I just want to make it work, then I'll go into requiring encryption. The system is SLES 9.3 The openldap2 is 2.3.39 Other certifictes are in /etc/ssl/certs as specified by default in slapd.conf for openldap2 2.3.39. The database is currently empty, just getting started. Generated a self-signed x509 certificate cd /etc/openldap openssl genrsa 1024 >server.key chmod 0440 server.key chown root:ldap server.key openssl req -new -key server.key -x509 -days 100 -out server.crt Entered all the important stuff chmod 0444 server.crt Checked certificate and it looked acceptable openssl x509 -text -in server.crt Changed following lines in slapd.conf: TLSCertificateFile /etc/openldap/server.crt TLSCertificateKeyFile /etc/openldap/server.key Added following line to /etc/openldap/ldap.conf TLS_CACERT /etc/openldap/server.crt A command not using encryption works fine: ldapsearch -x -H ldap://example.com -b "" -s base 'objectclass=*' '+' '*' A command using encryption fails: ldapsearch -x -Z -H ldap://example.com -b "" -s base 'objectclass=*' '+' '*' ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ldap_result: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Here are the ldap log entries when loglevel is set to -1: Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on: Nov 16 16:53:47 testsvr slapd[19533]: Nov 16 16:53:47 testsvr slapd[19533]: >>> slap_listener(ldap:///) Nov 16 16:53:47 testsvr slapd[19533]: daemon: listen=8, new connection on 14 Nov 16 16:53:47 testsvr slapd[19533]: daemon: added 14r (active) listener=(nil) Nov 16 16:53:47 testsvr slapd[19533]: conn=4 fd=14 ACCEPT from IP=1.1.1.1:3535 (IP=0.0.0.0:389) Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on: Nov 16 16:53:47 testsvr slapd[19533]: 14r Nov 16 16:53:47 testsvr slapd[19533]: Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14 Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14) Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got connid=4 Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): checking for input on id=4 Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: do_extended Nov 16 16:53:47 testsvr slapd[19533]: do_extended: oid=1.3.6.1.4.1.1466.20037 Nov 16 16:53:47 testsvr slapd[19533]: conn=4 op=0 STARTTLS Nov 16 16:53:47 testsvr slapd[19533]: send_ldap_extended: err=0 oid= len=0 Nov 16 16:53:47 testsvr slapd[19533]: send_ldap_response: msgid=1 tag=120 err=0 Nov 16 16:53:47 testsvr slapd[19533]: conn=4 op=0 RESULT oid= err=0 text= Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on: Nov 16 16:53:47 testsvr slapd[19533]: 14r Nov 16 16:53:47 testsvr slapd[19533]: Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14 Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14) Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got connid=4 Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): checking for input on id=4 Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on: Nov 16 16:53:47 testsvr slapd[19533]: 14r Nov 16 16:53:47 testsvr slapd[19533]: Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14 Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14) Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got connid=4 Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): checking for input on id=4 Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): TLS accept failure error=-1 id=4, closing Nov 16 16:53:47 testsvr slapd[19533]: connection_closing: readying conn=4 sd=14 for close Nov 16 16:53:47 testsvr slapd[19533]: connection_close: conn=4 sd=-1 Nov 16 16:53:47 testsvr slapd[19533]: daemon: removing 14 Nov 16 16:53:47 testsvr slapd[19533]: conn=4 fd=14 closed (TLS negotiation failure) Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1 descriptor Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on: Nov 16 16:53:47 testsvr slapd[19533]: Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8 active_threads=0 tvp=zero It looks like TLS started OK, then there was a negotiation failure with slapd. I figure I just missed something simple here, but have spent quite a bit of time not getting it figured out. Any insights? Thank you. ---- Not all who wander are lost. | ---- ___o | chuck.keagle(a)boeing.com Chuck Keagle | ------- \ <, | Work: (425) 865-1488 Enterprise Servers: HPC | ----- ( )/ ( ) | Cell: (425) 417-3434

15 years, 6 months

9
15
0 / 0

Re: syncrepl LDIF kickstart file

by Gavin Henry

<quote who="Greg Martin"> > > > Gavin Henry wrote: >>> >>> >> >> Can you slapcat your config back out and show us everything? >> >> slapdcat -n 0 > config.ldif >> >> /usr/sbin/slapd not /usr/local/libexec/slapd ? >> >> > > Gavin, this is slightly of-topic. I'm curious as to your statement above. > my Slackware package installs slapd to /usr/libexec/slapd. There is no > other version. Your statement seems to imply there could be two > versions. Can you help me understand why? Default configure; make depend; make and make install installs slapd into /usr/local/libexec Distros put the binaries where they see fit. > > And while I'm at it, can someone explain how slapd knows to act > differently when called from one link, say, slapcat, over another, say > slapdn. I've been using linux for 5-6 years and have not run across > this particular behavior. Does slapd read argv(0) and act differently > based on that? > symlinks Test: [ghenry@suretec ~]$ cat test.pl #!/usr/bin/perl use strict; use warnings; print $0, "\n"; [ghenry@suretec ~]$ ./test.pl ./test.pl [ghenry@suretec ~]$ ln -s test.pl slapcat [ghenry@suretec ~]$ ./slapcat ./slapcat [ghenry@suretec ~]$ ls -l /usr/local/sbin/slapcat lrwxrwxrwx 1 root root 16 2007-10-31 19:47 /usr/local/sbin/slapcat -> ../libexec/slapd

15 years, 6 months

1
0
0 / 0

Re: syncrepl LDIF kickstart file

by Scott Classen

> Scott Classen wrote: > > Hello openldap community, > > > > I have openldap 2.4.6 running on 2 machines. > > > > one master server with a BDB database acting as the syncrepl > provider (the > syncrep[l overlay has been added to the database configuration > directive).> > > I now have set up a second machine also running openldap 2.4.6 > and I've > > been > playing around with it trying to get it to act as a syncrepl consumer. > > > > I remember reading somewhere in the openldap documentation that > it should > > be > fairly straight forward with a simple 10-12 line LDIF file to get > the synrepl > consumer synched up with the provider. > > > > Can someone please post an example of such a simple kickstart file? > > Thanks ^6, > > Sounds vaguely like you want this > (from <A HREF="http://www.openldap.org/pub/hyc/LDAPcon2007s.pdf" target="l">http://www.openldap.org/pub/hyc/LDAPcon2007s.pdf</A> page 20) > > ### > dn: cn=config > objectclass: olcglobal > cn: config > > dn: olcdatabase={0}config,cn=config > objectclass: olcdatabaseconfig > olcdatabase: {0}config > olcsyncrepl: rid=001 provider=$URI binddn="cn=config" > bindmethod=simple   credentials=$CONFIGPW searchbase="cn=config" > type=refreshOnly   interval=00:00:00:10 > ### > > Slapadding this will fully initialize a new server if you point it > at an > existing provider, but of course you need to have the syncprov > overlay > configured on the config database of the provider. > > See test049 in the test suite for a more detailed example. > Yes, that is what I am interested in. I added the syncprov overlay to the cn=config directive on the PROVIDER as such: cn=config olcDatabase={0}config olcOverlay={0}syncprov Now on a brand new CONSUMER machine I created the following LDIF file (sync-seed.ldif): dn: cn=config objectClass: olcGlobal cn: config dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=ldapadmin,cn=config olcRootPW: {SSHA}mysoopersecretpasswd olcsyncrepl: rid=001 provider=ldap://my.provider.machine binddn="cn=ldapadmin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshOnly interval=00:00:00:10 I then put the file in my openldap dir and cd there: cd /usr/local/etc/openldap mkdir slapd.d slapadd -b "cn=config" -F slapd.d -l sync-seed.ldif all is OK I then start slapd: /usr/sbin/slapd -d 256 ... slapd starting syncrepl_message_to_entry: rid=001 mods check (olcDbConfig: value #6 provided more than once) do_syncrepl: rid=001 quitting Hmmm what have I done wrong? Thanks, Scott

15 years, 6 months

2
2
0 / 0

How can I stop ldapsearch -x?

by Amir Saad

I've setup Kerberos & OpenLDAP on my Debian 4 network successfully. ldapsearch -Y GSSAPI is working perfectly. How can I stop ldapsearch -x? I wanna disable it and allow only GSSAPI, is this possible? how? Thank you Amir _________________________________________________________________ Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy! http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.as...

15 years, 6 months

2
1
0 / 0

pcache configuration

by Nathan Morrow

I have spent some good time playing with ldap queries and think I have a good grasp on it. The application is simple. I am querying a Microsoft server for email address info. Simple. I have setup slapd to act as a proxy. And I can perform my lookups with no problem, but when I try to turn on pcache options. Slapd gives no configuration errors and exits on startup. Since it should pull all database info, do I need an initial database? Where can I generate more errors on the abnormal exit? Running on fedora, The basics of my config that are working are: database ldap suffix "dc=office,dc=spotswood,dc=org" rootdn "dc=office,dc=spotswood,dc=org" rootpw maildata uri "ldap://192.168.0.2:389/" # overlay pcache # proxyCache bdb 100000 1 1000 100 # cachesize 20 # proxyAttrset 0 mail postaladdress telephonenumber # proxyTemplate (sn=) 0 3600 # proxyTemplate (&(sn=)(givenName=)) 0 3600 # proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600 directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub Again, the above works, But when I uncomment the cache stuff. Slapd doesn't give errors but doesn't keep running either. Everything I read on the net references an old document about the concept, but nothing about actual configuration that works with the current release. Anyone accomplish this? Looking for any help before having to get in source code. Nathan

15 years, 6 months

7
11
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software November 2007