syncrepl LDIF kickstart file
by Scott Classen
Hello openldap community,
I have openldap 2.4.6 running on 2 machines.
One master server with a BDB database acting as the syncrepl provider (the syncrepl overlay has been added to the database configuration directive).
I have now set up a second machine, also running openldap 2.4.6, and I've been playing around with it trying to get it to act as a syncrepl consumer.
I remember reading somewhere in the openldap documentation that it should be fairly straightforward, with a simple 10-12 line LDIF file, to get the syncrepl consumer synched up with the provider.
Can someone please post an example of such a simple kickstart file?
Thanks,
Scott
14 years, 8 months
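A consumer configuration of about the size the post remembers, in cn=config LDIF form, added here as an example; it is not from the original post or from the OpenLDAP documentation. The provider host, suffix, replicator DN, credential and the database index ({1}bdb) are assumed placeholders.

```ldif
# Added example (not from the post): make the second 2.4.6 server a
# syncrepl consumer of the existing BDB provider, applied with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer.ldif
# Assumed values: provider host, suffix, replicator DN/password, {1}bdb.
# Continuation lines start with one fold space plus one real space, so the
# value is joined back into a single space-separated olcSyncrepl string.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.example.com:389
  type=refreshAndPersist
  retry="60 10 300 +"
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGE_ME
  starttls=critical
-
add: olcUpdateRef
olcUpdateRef: ldap://provider.example.com:389
```

The consumer database keeps its own olcSuffix and olcRootDN, and searchbase must lie within that suffix. On the provider side the replicator identity needs read access to the whole replicated subtree including the operational attributes entryCSN and entryUUID, otherwise the consumer stays empty without any error on its side; starttls=critical keeps the simple-bind credential off the wire in clear.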
Unexpected Attribute Behavior
by Kevin Burnett
I am implementing an OpenLDAP installation that utilizes inetOrgPerson
as the main user structure with roughly forty attributes that may be
used with each user. Of the forty attributes, I have added a custom
schema which includes 15 custom attributes. I am using MySQL 5 as the
backend via backsql.
The problem I am seeing is that for a given user, if I write values to
all 40 attributes and then read them back using an LDAP browser, three
of the attributes do not return their values. The three attributes
are: cn, userPassword, and employeeType.
I have run slapd with the debug level of -1 (all) to capture a trace
of what happens when I read an attribute that correctly returns its
value and also a trace of reading an attribute that does not return
its value (cn, userPassword, or employeeType). Comparing the two
traces, the only appreciable difference between the two is as follows,
which is in the failing trace:
==>backsql_id2entry()
backsql_id2entry(): custom attribute list
==>backsql_get_attr_vals(): oc="inetOrgPerson" attr="employeeType" keyval=8
backsql_get_attr_vals(): error executing attribute count query 'SELECT
COUNT(*) FROM users WHERE users.id=? AND '
Return code: -1
nativeErrCode=1064 SQLengineState=37000 msg="[MySQL][ODBC 3.51
Driver][mysqld-5.0.45-community-log]You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '' at line 1"
==>backsql_get_attr_vals(): oc="inetOrgPerson" attr="objectClass" keyval=8
I also set up a MySQL error trace and ran the two attribute reads and
came up with the only appreciable difference being the SQL statement,
as above:
43 Query SELECT COUNT(*) FROM users WHERE users.id=8 AND
It appears to me that the SQL statement is not being completed for
some reason, since in the slapd trace where the attribute read is
successful, backsql_get_attr_vals() just prints out "number of
values in query: 1", followed by "number of values in query: 0",
followed by the actual data packets containing the value of the
attribute.
I can provide additional information if needed. I was unable to find
information about this problem on the OpenLDAP site.
Kevin Burnett
14 years, 8 months
[Unofficial] OpenLDAP Weekly News Issue 4
by Gavin Henry
Dear All,
The fourth issue is out:
http://blog.suretecsystems.com
Summary:
- More uptake on OpenLDAP 2.4
- Is OpenLDAP really that compliant?
- Update on Build Farm progress
- OpenLDAP Documentation updates
- How fast can it go!
- OpenLDAP Development
- Selected user issues and solutions discussed
Thanks,
Gavin.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
14 years, 8 months
can't get ppolicy to work
by wahdi
Hi all,
I have a problem getting ppolicy working.
I use version 2.3.38 (bichan rpms), and this is a part of my slapd.conf:
----------------------------------------------------------
...
include /usr/share/openldap2.3/schema/ppolicy.schema
moduleload ppolicy.la
moduleload syncprov.la
moduleload unique.la
moduleload accesslog.la
moduleload auditlog.la
#
security ssf=1 update_ssf=112 simple_bind=64
#
database bdb
suffix "dc=exemple,dc=com"
rootdn "cn=admin,ou=system,dc=exemple,dc=com"
rootpw {SSHA}hashedpassword
directory /usr/local/ldap
mode 0600
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
##ppolicy
ppolicy_default "cn=default,ou=policies,ou=system,dc=exemple,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
--------------------------------------------------------------------------------------
This is the LDIF file that I used to add the default policy:
dn: cn=default,ou=policies,ou=system,dc=exemple,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: 2.5.4.35
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinage: 60
pwdMaxAge: 0
pwdMinLength: 6
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 60
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdMustChange: TRUE
###
I didn't see any errors in the slapd log file, nor when I added this entry!
But when I change new users' passwords (after ppolicy installation, and as
users, not rootdn), there is no password policy applied.
I changed pwdCheckQuality from 1 to 2, but the result is the same!!
Any help will be appreciated.
Wadi..
14 years, 8 months
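The slapd.conf snippet above shows the ppolicy_* directives but no `overlay ppolicy` line; in slapd.conf that line has to come before ppolicy_default, and if it is really absent from the file that is the first thing to check. The same stanza in cn=config LDIF form, added here as an example (not from the post): the module entry name cn=module{0} and the database index {1}bdb are assumptions, and the ppolicy schema must already be loaded, as the include line in the post does.

```ldif
# Added example (not from the post): attach the ppolicy overlay to the
# database so that the ppolicy_* settings take effect.
# Assumed: module entry cn=module{0},cn=config and database {1}bdb.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,ou=system,dc=exemple,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
```

Two checks that show whether the overlay is actually engaged once it is loaded: a user entry whose password was changed through the overlay carries the operational attribute pwdChangedTime (visible with `ldapsearch ... '+'`), and with pwdMinAge 60 a second change within a minute is refused. Two caveats worth knowing when testing: the rootdn bypasses the policy entirely, and pwdCheckQuality 2 can only be enforced when the client sends the new password in cleartext (over TLS, which the security directive already requires); a client that pre-hashes the password, e.g. sending {SSHA}..., gets the change rejected instead of checked.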
openldap 2.4.6 and GSSAPI/kerberos
by David E. Cross
Ok... after a bit of a struggle, I have gotten OpenLDAP 2.4.6 going with
MIT kerberos 1.6.3 with some small caveats...
1: (and you know this already), the documentation for the slapd.d
format is.. uhm.. bad. For example the "slapd.ldif" in the source isn't
even valid, the "module" section (commented out, but there) is missing the
"cn:" specifier.
2: The documentation throughout for specifying entries like the RootDN
tells you (via example) to double quote it.. this generates errors.
3: There is something awry with the kerberos 5/gssapi setup for using a
krb5 credential as a RootDN; according to your documentation it should be
of the form:
uid=user/instance,cn=realm.com,cn=gssapi,cn=auth
This isn't working for me. After enabling Auth logging I found that it
authenticated me as:
uid=user/instance,cn=gssapi,cn=auth
(note the lack of realm...) Why? Have I botched something (which I may
have), or is there an error in the documentation?
--
David E. Cross
14 years, 9 months
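The authorization DN slapd builds for a SASL bind only carries the cn=<realm> component when the SASL layer reports a realm, and with GSSAPI it often does not, which is why the logged DN has none. The safest rule is the one that matches the DN slapd actually logs; the following cn=config LDIF, added here as an example and not from the post or the OpenLDAP documentation, accepts both the documented and the observed form. The suffix dc=example,dc=com, the realm EXAMPLE.COM, the krbPrincipalName attribute on user entries and the {1}bdb database index are assumptions.

```ldif
# Added example (not from the post): map a GSSAPI identity to a directory
# entry whether or not slapd inserts a cn=<realm> component. The group
# (,cn=[^,]+)? makes that component optional; $1 is the principal name.
# Assumed: suffix, realm and krbPrincipalName attribute as stated above.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]+)(,cn=[^,]+)?,cn=gssapi,cn=auth
  ldap:///dc=example,dc=com??sub?(krbPrincipalName=$1@EXAMPLE.COM)

# Alternatively, to use the kerberos credential directly as rootdn, set the
# DN exactly as it appeared in the auth log (observed form, no realm, and
# no double quotes around the value in LDIF):
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: uid=user/instance,cn=gssapi,cn=auth
```

Before committing either rule, run `ldapwhoami -Y GSSAPI` against the server and copy the DN it returns; the regexp is compiled case-insensitively by slapd, so cn=gssapi matches cn=GSSAPI. A rootdn expressed as a SASL DN does not need a corresponding entry in the directory, so the second form works without any authz-regexp, but it also bypasses all ACLs and overlays such as ppolicy, so keep its use to administration.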
back-sql ldap_attr_mappings param_order column
by Kevin Burnett
Hello,
I am using:
OpenLDAP 2.3.38
on RHEL 4
Back-sql
with MySQL
Quick question. In the ldap_attr_mappings table there is a column
called param_order. I have discovered that if I set it to the default
of 3, that the information is passed to my stored procedures as
attribute value, keyval (id). What are the other possible settings for
this column, and which setting will give me keyvalue (id), attribute
value?
Thanks for creating a great product!
Kevin Burnett
14 years, 9 months
Openldap 2.4.6 with slapd.conf
by Patai Sangbutsarakum
Dear lister,
I just upgraded to 2.4.6 and also Berkeley DB 4.6.
I'm using the same slapd.conf that was used with 2.3.38.
I have a problem with the sql backend.
Slapd cannot start if slapd.conf has more than 1 sql backend at the same time.
If I have 2 sql backends, -d -1 complains about the 2nd backend,
as I snipped:
>Return code: -2
>backsql_db_open(): schema mapping failed, exiting
>backend_startup_one: bi_db_open failed! (1)
At first I thought it was about my mappings, but
if I comment the first sql backend out,
with the same second database that slapd used to complain about,
slapd can start and run fine (so the mappings are correct).
It seems like 2 sql backends cannot stay in one slapd.conf.
Anyway, bdb databases can still have 2 or more at the same time;
slapd can start.
---------------- slapd.conf --------------------
database sql
## This following is for the sample database
suffix "dc=example,dc=com"
dbname bsql
dbuser manager
dbpasswd secret
subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
has_ldapinfo_dn_ru no
#
#
# SQL database definitions
##########################################
#database sql
## This following is for the sample database
#suffix "dc=clone,dc=com"
#dbname setup1
#dbuser richard
#dbpasswd sinn
#subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
#insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
#has_ldapinfo_dn_ru no
------------------------ END slapd.conf -------------------------------
please suggest
Patrick
14 years, 9 months
Re: OpenLDAP at Systems Munich
by Gavin Henry
<quote who="Gavin Henry">
> Dieter Kluenter wrote:
>> Hi,
>> as in the past few years OpenLDAP will be present at the Systems,
>> Munich, http://www.systems-world.de/
>> as part of Open Source Community booth. We (Peter Gietz and me) are in
>> need of *volunteers* to man the booth. Whoever is willing to join the
>> team may contact either Peter Gietz or me asap.
>>
>> -Dieter
>>
>
> Is this you Dieter?
>
> http://video.google.com/videoplay?docid=-501629654941144701
It's dated Jun 3rd. What event was this? What are their names? ;-)
Gavin.
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>
14 years, 9 months
OpenLDAP at Systems Munich
by Dieter Kluenter
Hi,
as in the past few years OpenLDAP will be present at the Systems,
Munich, http://www.systems-world.de/
as part of Open Source Community booth. We (Peter Gietz and me) are in
need of *volunteers* to man the booth. Whoever is willing to join the
team may contact either Peter Gietz or me asap.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
14 years, 9 months
Re: [back-sql] possible?
by Gavin Henry
<quote who="Patai Sangbutsarakum">
<snip>
> Hope this make sense
> Please Please suggest
>
I suggest you try to explain the problem you are trying to solve here. Why
do you need the sql backend to start with? It's usually the very last
option to choose, where you are forced due to legacy applications and many
other reasons.
Gavin.
14 years, 9 months