openldap delete attributetypes
by fabrizio francavilla
Hi guys,
I have a problem.
I have to delete an attribute and add another attribute on my OpenLDAP server
schema.
I have to delete this entry
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
SYNTAX 1.3.6.1.1.1.0.0 )
and replace it with this one
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
I'm trying some ldapmodify commands, but every time I receive a syntax error..
cat delete.ldif
dn:cn=schema
changetype:modify
delete:attributeTypes
attributetypes ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup
triple' SYNTAX 1.3.6.1.1.1.0.0 )
ldapmodify -x -H ldaps://slave-sv.sv.poste.it:636 -D
"cn=admin,dc=slapd,dc=cs,dc=poste,dc=it" -w ****** -f delete.ldif
ldapmodify: invalid format (line 4) entry: "cn=schema"
Thanks in advance!!
--
-----------------------------------
Fabrizio Francavilla
Service Centers Unit - Servizi Sistemistici
Postecom S.p.A----
-----------------------------------
15 years, 11 months
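An added example, not code from the post: an LDIF modify record for swapping one attributeTypes value for another has to spell every value line as `attributeTypes: <value>`, separate the delete and add modifications with a line holding a single `-`, and fold long lines by continuing them with a leading space (RFC 2849). The block below builds such a record, folds it, and includes a small format check that reports the first line lacking the `name:` form; run against the record as posted, that check stops at the same line 4 that ldapmodify complained about. The target DN `cn=schema` is just the one the post used; on a server configured through cn=config the schema entries live under `cn=schema,cn=config`, so substitute the DN of the schema entry that actually holds the definition.

```python
import re

# RFC 2849: a logical line longer than the fold width is continued on the next
# physical line, which starts with exactly one space.
FOLD_WIDTH = 76


def fold(line, width=FOLD_WIDTH):
    """Fold one logical LDIF line into RFC 2849 physical lines."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold(text):
    """Join continuation lines back onto their logical line."""
    return text.replace("\n ", "")


def replace_attribute_type(schema_dn, old_def, new_def):
    """LDIF modify record that deletes one attributeTypes value and adds another.

    Every value line carries the 'attributeTypes:' prefix and the two
    modifications are separated by a line holding a single '-'.
    """
    logical = [
        f"dn: {schema_dn}",
        "changetype: modify",
        "delete: attributeTypes",
        f"attributeTypes: {old_def}",
        "-",
        "add: attributeTypes",
        f"attributeTypes: {new_def}",
        "-",
    ]
    physical = []
    for entry in logical:
        physical.extend(fold(entry))
    return "\n".join(physical) + "\n"


# An attribute description followed by ':' (base64 '::' and URL ':<' forms
# also begin with a ':', so they pass this check too).
ATTRVAL = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")


def first_bad_line(text):
    """Return (number, line) of the first line that is not 'attr: value',
    a continuation, a '-' separator or blank; None if the record is well formed."""
    for number, line in enumerate(text.splitlines(), 1):
        if line in ("", "-") or line.startswith(" "):
            continue
        if not ATTRVAL.match(line):
            return number, line
    return None


# The two definitions from the post, collapsed onto one logical line each.
OLD_DEF = ("( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' "
           "SYNTAX 1.3.6.1.1.1.0.0 )")
NEW_DEF = ("( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' "
           "EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch "
           "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )")

# The record as posted: line 4 has no ':' after the attribute name.
POSTED = ("dn:cn=schema\nchangetype:modify\ndelete:attributeTypes\n"
          "attributetypes ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup"
          "\n triple' SYNTAX 1.3.6.1.1.1.0.0 )\n")

if __name__ == "__main__":
    print(first_bad_line(POSTED))
    print(replace_attribute_type("cn=schema", OLD_DEF, NEW_DEF))
```

The folding keeps every physical line within 76 characters, and `unfold` reverses it, which is the easiest way to eyeball that a value the server rejects is byte-for-byte the one you meant to send.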
syncrepl_message_to_op
by Digant C Kasundra
I noticed this in my logs when replication failed. Besides increasing the
number of locks, is there something larger that is going on that might be
causing a problem?
Dec 12 15:06:01 ldap4 slapd[14212]: bdb(dc=stanford,dc=edu): Lock table is
out of available locks
Dec 12 15:06:01 ldap4 slapd[14212]: => bdb_idl_delete_key: c_get id failed:
Cannot allocate memory (12)
Dec 12 15:06:01 ldap4 slapd[14212]: Attribute index delete failure
Dec 12 15:06:01 ldap4 slapd[14212]: null_callback: error code 0x50
Dec 12 15:06:01 ldap4 slapd[14212]: syncrepl_message_to_op: rid 000
be_modify suRegID=xxxx,cn=People,dc=Stanford,dc=edu (80)
15 years, 11 months
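As an added example (not from the post), the detection logic below correlates the lines above: the `Lock table is out of available locks` message from the BDB backend is the cause, the index delete failure and `null_callback: error code 0x50` (LDAP resultCode 80, `other`) are its consequences, and the `syncrepl_message_to_op ... (80)` line is the replication write that was rejected as a result. The sample lines are the post's, re-joined onto one syslog line each because the mail client wrapped them; the verdict names the Berkeley DB `DB_CONFIG` lock limits (`set_lk_max_locks`, `set_lk_max_objects`) as the knob to raise.

```python
import re

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Symptoms, in the order slapd emits them when the BDB lock table runs dry.
LOCK_TABLE = re.compile(r"^bdb\((?P<suffix>[^)]*)\): Lock table is out of available locks")
CALLBACK = re.compile(r"^null_callback: error code 0x(?P<code>[0-9a-fA-F]+)")
SYNCREPL = re.compile(
    r"^syncrepl_message_to_op: rid (?P<rid>\d+) be_(?P<op>\w+) (?P<dn>.*) \((?P<rc>\d+)\)$")

# LDAP resultCode names for the codes that occur in this scenario.
RESULT_NAMES = {0: "success", 50: "insufficientAccessRights", 80: "other"}


def parse(line):
    m = SYSLOG.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Correlate the lock-table message with the replication failure it caused.

    Returns the affected suffix, the LDAP result codes seen, and the syncrepl
    operations that failed while the lock table was exhausted.
    """
    report = {"lock_exhausted": None, "result_codes": [], "syncrepl_failures": []}
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := LOCK_TABLE.match(msg):
            report["lock_exhausted"] = {"suffix": m["suffix"], "ts": rec["ts"]}
        elif m := CALLBACK.match(msg):
            code = int(m["code"], 16)
            report["result_codes"].append((code, RESULT_NAMES.get(code, "unknown")))
        elif m := SYNCREPL.match(msg):
            report["syncrepl_failures"].append(
                {"rid": m["rid"], "op": m["op"], "dn": m["dn"], "rc": int(m["rc"])})
    return report


def verdict(report):
    """Root cause in one line: the replication error is the symptom, the lock table the cause."""
    if report["lock_exhausted"] and report["syncrepl_failures"]:
        return ("replication failed because the BDB lock table for %s was exhausted; "
                "raise set_lk_max_locks / set_lk_max_objects in DB_CONFIG and re-check"
                % report["lock_exhausted"]["suffix"])
    if report["syncrepl_failures"]:
        return "syncrepl failures without a lock-table message: look elsewhere"
    return "no replication failure found"


# The lines from the post, re-joined onto one line each.
SAMPLE = [
    "Dec 12 15:06:01 ldap4 slapd[14212]: bdb(dc=stanford,dc=edu): Lock table is out of available locks",
    "Dec 12 15:06:01 ldap4 slapd[14212]: => bdb_idl_delete_key: c_get id failed: Cannot allocate memory (12)",
    "Dec 12 15:06:01 ldap4 slapd[14212]: Attribute index delete failure",
    "Dec 12 15:06:01 ldap4 slapd[14212]: null_callback: error code 0x50",
    "Dec 12 15:06:01 ldap4 slapd[14212]: syncrepl_message_to_op: rid 000 be_modify suRegID=xxxx,cn=People,dc=Stanford,dc=edu (80)",
]

if __name__ == "__main__":
    print(verdict(analyze(SAMPLE)))
```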
Regarding distributed directory services : ldap_add_s: Insufficient access (50)
by Rakesh Yadav
Hi,
my slapd.conf file on the parent server is like this:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/new_core.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Directives needed to implement policy:
#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
olcAccess: to * by * write
access to *
by * write
by anonymous auth
by * read
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
-----------------------------------------------------------------------------------------------------------------------------------------
and the slapd.conf on the child server is like this:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/new_core.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
allow update_anon
#allow bind_anon_dn
#allow bind_anon_cred
#olcAccess: to dn.children="FileName=Development,dc=cdac,dc=in" by * write
#bydn.subtree="FileName=Development,dc=cdac,dc=in" write
olcAccess: to * by * write
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "FileName=Development,dc=cdac,dc=in"
rootdn "cn=Manager,FileName=Development,dc=cdac,dc=in"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
-----------------------------------------------------------------------------------------
When I try to add an entry under the child server through the parent server, I get this error:
bdb_dn2entry("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
=> bdb_dn2id("FileName=rkyadav,FileName=development,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_referrals: op=104 target="FileName=Imp_doc,FileName=rkyadav,FileName=Development,dc=cdac,dc=in" matched="FileName=Development,dc=cdac,dc=in"
ldap_url_parse_ext(ldap://192.168.4.147/FileName=Development,dc=cdac,dc=in)
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=105 err=10
ber_flush: 143 bytes to sd 11
ldap_add_s: Insufficient access (50)
additional info: no write access to parent
connection_get(11): got connid=1
connection_read(11): checking for input on id=1
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=1 sd=11 for close
connection_close: conn=1 sd=11
Actually ldap_search is successfully done and we are able to get entries of child server from parent server. So, there is no connectivity error.
Please reply to me as soon as possible.
Thanks and Regards,
Rakesh Yadav
15 years, 11 months
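An added example, not code from the post: a small simulator of how slapd evaluates `access to <what> by <who> <access>` directives (first `to` clause matching the target wins, then the first matching `by` clause decides, with an implicit `by * none` at the end of every directive and privilege levels ordered as in slapd.access(5): none < disclose < auth < compare < search < read < write < manage). Two points are worth seeing in code: an `olcAccess:` line is the cn=config form and is not a slapd.conf directive at all, and an `access to * by * write` clause placed first grants write to every requester, anonymous included, so the `by anonymous auth` and `by * read` lines after it are never reached. The hardened policy beside it is a common pattern (passwords writable by self, usable for binding by anyone, hidden otherwise; everything else read-only); the rootdn bypasses ACLs in either case, as the config comments note. The simulator supports only the selectors it needs and denies when no directive matches, which is a simplification of the real server's defaults.

```python
# slapd.access(5) privilege levels, weakest to strongest; a clause granting
# level L satisfies any request for a level <= L.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level(name):
    return LEVELS.index(name)


def what_matches(what, target_dn, attr):
    """<what> selectors supported here: '*', dn.subtree=, attrs= (a subset of the real ones)."""
    if what == "*":
        return True
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].strip('"').lower()
        dn = target_dn.lower()
        return dn == base or dn.endswith("," + base)
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn):
    """<who> selectors supported here: '*', anonymous, users, self, dn.exact=."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        wanted = who[len("dn.exact="):].strip('"').lower()
        return bind_dn is not None and bind_dn.lower() == wanted
    raise ValueError("unsupported <who>: " + who)


def parse_acl(text):
    """Parse 'access to <what>' directives and their 'by <who> <access>' clauses, in file order."""
    acl = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:2] == ["access", "to"]:
            acl.append((tok[2], []))
            tok = tok[3:]
        while tok:
            if tok[0] != "by" or len(tok) < 3:
                raise ValueError("cannot parse: " + line)
            acl[-1][1].append((tok[1], tok[2]))
            tok = tok[3:]
    return acl


def granted(acl, bind_dn, target_dn, attr, requested):
    """First 'to' clause matching the target decides; within it, the first
    matching 'by' clause decides (slapd's default 'stop' control). Everything
    else is denied: slapd appends an implicit 'by * none' to every directive,
    and this simulator also denies when no directive matches at all."""
    for what, by_clauses in acl:
        if not what_matches(what, target_dn, attr):
            continue
        for who, access in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level(access) >= level(requested)
        return False
    return False


# The policy as posted: 'by * write' comes first, so it matches every requester,
# anonymous included, and the later clauses are never consulted.
POSTED = """
access to *
    by * write
    by anonymous auth
    by * read
"""

# Ordered from most specific to least: passwords writable only by the entry
# itself, usable for binding by anyone, hidden otherwise; the rest read-only.
HARDENED = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""

if __name__ == "__main__":
    print("anonymous write, posted  :", granted(parse_acl(POSTED), None, "uid=x,dc=cdac,dc=in", None, "write"))
    print("anonymous write, hardened:", granted(parse_acl(HARDENED), None, "uid=x,dc=cdac,dc=in", None, "write"))
```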
rwm-overlay and ldap-backend do suit me ?
by Frava
Hi all,
I'm trying to set up an LDAP server with OpenLDAP 2.3 and I need some light
on how to do it.
I explain:
My company already has a central LDAP server (OpenLDAP 2.2) on which I can
find all users and authenticate them, but the corresponding attributes
(homedir, shell, gidnumber) aren't relevant for my department. My problem is
that I want to use the central LDAP server for authentication purposes and
store the other data locally.
Yeah, it seems easy to solve using the rwm overlay and an ldap backend, but
it isn't, because the users are located in different OUs on the remote LDAP
server.
So here is the relevant part of my slapd.conf, which works great for the
first user unit:
####################################
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext bindDN
# path to the remote users : ou="unit_number",ou=people,dc=example,dc=com
# path to the local users : cn=users,dc=local,dc=example,dc=com
rwm-rewriteRule "^uid=([^,]+),cn=users,dc=local,dc=example,dc=com$"
"uid=$1,ou=unit_1,ou=people,dc=example,dc=com" ":@"
# Database for remote authentication
database ldap
suffix "ou=people,dc=example,dc=com"
uri "ldap://remote-ldap.example.com:389/"
restrict read write extended
# Local Database
database bdb
suffix "dc=local,dc=example,dc=com"
####################################
I tried to complete my setup by adding a line like:
uri "ldap://remote-
ldap.example.com:389/ou=people,dc=example,dc=com??sub?(&(objectClass=posixAccount)(uid=$1))
"
but the ldap backend isn't designed to do that ^^
So, is there a way to work around it?
Thanks for your help,
Frava.
15 years, 11 months
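An added example, not from the post, showing what an rwm-rewriteRule actually does: a regular-expression match on the incoming DN and a textual substitution in which `$1`, `$2`, ... are the captured groups, with the first matching rule returning its result (the `@` action flag the post uses). Because it is pure text substitution, the rule can only place a user in a unit whose name is already somewhere in the input DN; the first rule set is the post's own and maps everyone onto `ou=unit_1`, the second is a hypothetical local naming with the unit as an extra RDN, included to show how a second capture group would carry it across.

```python
import re


def to_python(subst):
    """Turn an rwm substitution with $1..$9 back-references into a Python one."""
    return re.sub(r"\$(\d)", r"\\\1", subst)


def rewrite(dn, rules):
    """Apply rwm-style (pattern, substitution) rules in order and return the
    result of the first matching rule, like the '@' (last) action flag; a DN
    no rule matches is passed through unchanged."""
    for pattern, subst in rules:
        rx = re.compile(pattern)
        if rx.search(dn):
            return rx.sub(to_python(subst), dn)
    return dn


# The posted rule: every local user lands in ou=unit_1 because the local DN
# carries no information about which unit the user belongs to.
FLAT_RULES = [
    (r"^uid=([^,]+),cn=users,dc=local,dc=example,dc=com$",
     r"uid=$1,ou=unit_1,ou=people,dc=example,dc=com"),
]

# Hypothetical variant: if the local tree encoded the unit as an extra RDN
# (uid=...,ou=unit_N,cn=users,...), a second capture group could carry it
# across, because the rewrite is a pure text substitution.
UNIT_RULES = [
    (r"^uid=([^,]+),ou=([^,]+),cn=users,dc=local,dc=example,dc=com$",
     r"uid=$1,ou=$2,ou=people,dc=example,dc=com"),
]

if __name__ == "__main__":
    print(rewrite("uid=alice,cn=users,dc=local,dc=example,dc=com", FLAT_RULES))
    print(rewrite("uid=bob,ou=unit_2,cn=users,dc=local,dc=example,dc=com", UNIT_RULES))
```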
Regarding distributed directory services
by Anjali Arora
Hi,
my slapd.conf file is like this:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/new_core.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
dn: FileName=home,dc=cdac,dc=in
FileName: home
ref: ldap://neo00/FileName=home,dc=cdac,dc=in
objectClass: referral
objectClass: extensibleObject
and I have added these additional members to the default core.schema:
objectclass ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
DESC 'RFC2252: extensible object'
SUP top AUXILIARY )
attributetype ( 2.16.840.1.113730.3.1.34
NAME 'ref'
DESC 'named reference - a labeledURI'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE distributedOperation )
objectclass ( 2.16.840.1.113730.3.2.6
NAME 'referral'
DESC 'named subordinate reference object'
STRUCTURAL
MUST ref )
and when I start slapd it gives me this error:
root@neo05:/root/anjali/openldap/openldap-2.3.38/servers/slapd
@(#) $OpenLDAP: slapd 2.3.38 (Dec 10 2007 16:07:48) $
root@neo05:/root/anjali/openldap/openldap-2.3.38/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 1 listeners opened
neo05 init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (September 21, 2004)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (September 21, 2004)
/usr/local/etc/openldap/schema/core.schema: line 597: attribute type "2.16.840.1.113730.3.1.34" is operational
neo05 destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
[1]+ Exit 1 /usr/local/libexec/slapd -V -n neo05 -4 -d 1
Please give me a solution for this problem as soon as possible.
Actually I want to do the communication between two LDAP servers in chaining
fashion.
Thanks and Regards,
Anjali
15 years, 11 months
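An added pre-flight check, not code from the post: slapd rejects an `attributetype` in a schema file whose `USAGE` is anything other than `userApplications`, which is exactly what the `is operational` error above says about the `ref` definition (`USAGE distributedOperation`). `ref`, `referral` and `extensibleObject` are part of slapd's built-in system schema and do not need to be added to core.schema. The parser below walks a schema file, finds each `attributetype ( ... )` block with proper handling of nested parentheses and quoted strings, and reports the operational ones with their line number before the server has to refuse them. The sample input is a constructed excerpt: one ordinary attribute type for contrast, followed by the three definitions the post added.

```python
import re


def definitions(text, keyword="attributetype"):
    """Yield (line, body) for each '<keyword> ( ... )' block, tracking
    parenthesis nesting and ignoring parentheses inside single-quoted strings."""
    for kw in re.finditer(r"^[ \t]*" + keyword + r"\b", text, re.I | re.M):
        start = text.index("(", kw.end())
        depth, in_quote, i = 0, False, start
        while i < len(text):
            ch = text[i]
            if ch == "'":
                in_quote = not in_quote
            elif not in_quote:
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        break
            i += 1
        yield text.count("\n", 0, kw.start()) + 1, text[start + 1:i].strip()


# NAME 'single' or NAME ( 'first' 'alias' ... ); USAGE <keyword>
NAME = re.compile(r"\bNAME\s+(?:'(?P<single>[^']*)'|\(\s*'(?P<first>[^']*)')")
USAGE = re.compile(r"\bUSAGE\s+(?P<usage>\w+)")


def attribute_types(schema_text):
    """(line, oid, name, usage) for every attributetype; USAGE defaults to
    userApplications as the LDAP schema syntax (RFC 4512) specifies."""
    result = []
    for line, body in definitions(schema_text):
        oid = body.split()[0]
        n = NAME.search(body)
        name = (n["single"] or n["first"]) if n else None
        u = USAGE.search(body)
        result.append((line, oid, name, u["usage"] if u else "userApplications"))
    return result


def operational_types(schema_text):
    """Definitions slapd will refuse from a schema file: USAGE other than userApplications."""
    return [t for t in attribute_types(schema_text) if t[3] != "userApplications"]


SAMPLE = """\
# constructed excerpt: one ordinary attribute type for contrast, then the
# three definitions the post added to core.schema
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
    DESC 'RFC2256: common name(s) for which the entity is known by'
    SUP name )

objectclass ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
    DESC 'RFC2252: extensible object'
    SUP top AUXILIARY )

attributetype ( 2.16.840.1.113730.3.1.34
    NAME 'ref'
    DESC 'named reference - a labeledURI'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    USAGE distributedOperation )

objectclass ( 2.16.840.1.113730.3.2.6
    NAME 'referral'
    DESC 'named subordinate reference object'
    STRUCTURAL
    MUST ref )
"""

if __name__ == "__main__":
    for line, oid, name, usage in operational_types(SAMPLE):
        print(f"line {line}: attribute type {oid} ({name}) is operational: USAGE {usage}")
```

The quote tracking matters: the real core.schema `cn` description contains `name(s)`, and a naive scan that stops at the first `)` would cut that definition short.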
slapd seg faults when 'ppolicy_default' is enabled
by R.B.
Hi;
I'm in the process of configuring ppolicy for OpenLDAP using Buchan's
RPMs and it seems that after adding my policy and enabling it in my
slapd.conf file, slapd seg faults (see output below). If I uncomment
the 'ppolicy_default' line, the server starts fine and continues to
serve.
Help?
Thank you!
Rafael
OS: RHEL4
OpenLDAP: 2.3.38 - buchan's RPMs for RHEL4
Output:
########
-bash-3.00# slapd2.3 -u ldap -g ldap -l LOCAL0 -s 0 -f etc/slapd.conf
-h ldap:/// -d 1
@(#) $OpenLDAP: slapd 2.3.38 (Aug 23 2007 12:54:24) $
bgmilne@build.telkomsa.net:/home/bgmilne/rpm/BUILD/openldap-2.3.38/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
slapd2.3 init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=swa,dc=com>
<<< dnPrettyNormal: <dc=swa,dc=com>, <dc=swa,dc=com>
>>> dnPrettyNormal: <cn=Manager,dc=swa,dc=com>
<<< dnPrettyNormal: <cn=Manager,dc=swa,dc=com>, <cn=manager,dc=swa,dc=com>
>>> dnPrettyNormal: <cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com>
<<< dnPrettyNormal: <cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com>,
<cn=swapasswordpolicy,ou=policies,dc=swa,dc=com>
==> ppolicy_cf_default
==> ppolicy_cf_default add
>>> dnNormalize: <cn=Subschema>
Segmentation fault
########
slapd.conf:
########
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
access to attrs=shadowLastChange,userPassword
by self write
by anonymous auth
by * none
access to *
by * read
pidfile /cluster/agis-ldap/ldap-master/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-master/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
loglevel 1
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}xxxxx
directory /cluster/agis-ldap/ldap-master/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
########
15 years, 11 months
logging
by Craig
Hi, I was recently looking at our logs and trying to figure out what an
appropriate logging level is for a stable, production system.
What I would really like is a log (or logs) that contain:
- the request made
- the client (IP) that made the request
- how much time it took to answer the request
- any errors, with LDAP error codes
including errors with configs
- syncrepl info, e.g.:
"sync completed added 2 entries, changed 4"
The current log level scheme doesn't seem to support that. (Please
correct me if I'm wrong.) I guess I am looking for something more like
Apache's logging (access/request log and an error log).
While openldap uses syslog, there is no mention of it supporting
"debug/info/error/warn" type of log differentiation.
Is it possible to do all of the above "today"? If not, is it "on the plan"?
Is there any plan to move away from using syslog? Or at least, make it
configurable which syslog facility to use? (Not having "local4" hardcoded.)
Any comments would be appreciated.
TIA!
Craig
15 years, 11 months
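An added example, not the author's code, of how far the existing `loglevel stats` (256) output gets toward the access log asked for above: at that level slapd logs one `ACCEPT from IP=...` line per connection, one line per request (`BIND`, `SRCH`, `ADD`, `MOD`, ...) and one `RESULT tag=... err=...` line per completed operation, all keyed by `conn=N op=M`. Joining them yields the client IP, the request, the LDAP result code with its diagnostic text, and the elapsed time between request and result, which is roughly the Apache-style access/error split. The sample lines are constructed in that format (not taken from the post); the year for the syslog timestamps is an assumption, since syslog omits it. On the syslog facility question, the `-l LOCAL0` flag in R.B.'s slapd invocation elsewhere on this page is the documented way to select it.

```python
import re
from datetime import datetime

# Syslog envelope and the 'conn=N ...' lines slapd writes at loglevel stats (256).
ENVELOPE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<body>.*)$")
ACCEPT = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<ip>[^:\s]+):\d+")
REQUEST = re.compile(
    r"^op=(?P<op>\d+) (?P<kind>BIND|SRCH|CMP|ADD|MOD|MODRDN|DEL|EXT|ABANDON)(?P<args>.*)$")
RESULT = re.compile(
    r"^op=(?P<op>\d+) (?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)(?: nentries=(?P<n>\d+))? text=(?P<text>.*)$")


def parse_ts(text, year=2007):
    # syslog timestamps carry no year; the caller supplies it (assumed here).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def access_log(lines):
    """Join each request line with its RESULT line and the connection's ACCEPT line.

    One record per completed operation: client IP, request, LDAP result code,
    diagnostic text and elapsed seconds, much like an HTTP access log.
    """
    clients, pending, records = {}, {}, []
    for raw in lines:
        m = ENVELOPE.match(raw)
        if not m:
            continue
        conn, body, ts = m["conn"], m["body"], parse_ts(m["ts"])
        if a := ACCEPT.match(body):
            clients[conn] = a["ip"]
        elif r := RESULT.match(body):
            started = pending.pop((conn, r["op"]), None)
            if started:
                records.append({
                    "client": clients.get(conn, "?"),
                    "request": started[1],
                    "err": int(r["err"]),
                    "text": r["text"],
                    "seconds": (ts - started[0]).total_seconds(),
                })
        elif q := REQUEST.match(body):
            # BIND and MOD log several lines for one op; keep the first as the request.
            pending.setdefault((conn, q["op"]), (ts, (q["kind"] + q["args"]).strip()))
    return records


def errors(records):
    """Only the failed operations, for an error log."""
    return [r for r in records if r["err"] != 0]


# Constructed sample in the stats-level format (not taken from the post).
SAMPLE = """\
Dec 12 15:06:01 ldap4 slapd[14212]: conn=1001 fd=12 ACCEPT from IP=10.1.2.3:51234 (IP=0.0.0.0:389)
Dec 12 15:06:01 ldap4 slapd[14212]: conn=1001 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128
Dec 12 15:06:01 ldap4 slapd[14212]: conn=1001 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Dec 12 15:06:01 ldap4 slapd[14212]: conn=1001 op=0 RESULT tag=97 err=0 text=
Dec 12 15:06:01 ldap4 slapd[14212]: conn=1001 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
Dec 12 15:06:03 ldap4 slapd[14212]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 12 15:06:03 ldap4 slapd[14212]: conn=1001 op=2 ADD dn="cn=new,ou=People,dc=example,dc=com"
Dec 12 15:06:03 ldap4 slapd[14212]: conn=1001 op=2 RESULT tag=105 err=50 text=no write access to parent
Dec 12 15:06:03 ldap4 slapd[14212]: conn=1001 fd=12 closed
""".splitlines()

if __name__ == "__main__":
    for rec in access_log(SAMPLE):
        print(f'{rec["client"]} {rec["seconds"]:.0f}s err={rec["err"]} {rec["request"]} {rec["text"]}')
```

What this cannot give is the syncrepl summary or config errors, which come from other loglevel bits; the point is that the request/response correlation Craig wants is already encoded in `conn=`/`op=` and only needs joining.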
Re: documentation [was Re: logging]
by Gavin Henry
<quote who="Craig">
> Howard Chu wrote:
>> When you're looking for a software feature, the manpages and Admin Guide
>> should be your first resort. Pretty much every feature is documented.
>
> This morning there were some posts about "rewriting overlays". So, I
> wanted to learn more about what they could do. I resisted the urge to
> use Google and went directly to the OpenLDAP Admin doc:
>
> http://www.openldap.org/doc/admin24/
Excellent.
>
> First, let me say that the docs do look really complete. But, this is
> good and bad. The bad part is that it is a little overwhelming. Can a
> search be added to the admin docs? I wanted to know more about a
> specific overlay and didn't see it in the table of contents.
Hmmm, which one? Every overlay is in the TOC.
> So, I
> didn't know where to start... Google is the next viable option, IMO.
>
> The FAQ-o-matic is very nice, but I think an updated interface would
> help a great deal. (Not sure if the "faq-o-matic" package allows for
> easy changes to the interface. And I am NOT suggesting removing a
> perfectly good piece of software for something that looks nicer, but is
> less functional.)
The search works very well, I've never understood why it seems to be a
problem?
>
> Lastly, the man pages... Again, the size is a bit daunting. There are 78
> man pages with 2.3.35. (With an additional 121 symlinked files.) That's
> quite a bit when you're looking for one specific thing and don't really
> know where to start.
There are unix tools for this; apropos:
[ghenry@suretec]$ apropos rewrite
CREATE RULE [create_rule] (7) - define a new rewrite rule
DROP RULE [drop_rule] (7) - remove a rewrite rule
TIFFRewriteDirectory [TIFFWriteDirectory] (3tiff) - write the current
directory in an open TIFF file
creat (3p) - create a new file or rewrite an existing one
git-filter-branch (1) - Rewrite branches
sepol_genbools (3) - Rewrite a binary policy with different boolean
settings
slapo-rwm (5) - rewrite/remap overlay to slapd
See the last one above.
> I want to be very clear; I am NOT knocking the docs
> at all. As I started looking around more, it is a lot more clear how
> things are laid out. But, when LDAP is just a tool and not a core part
> of my job, it is difficult to spend 2 hours reading docs for a feature
> we may not even need. I was just looking for a quick description. My
> hope is that my experience gives you more insight to what, at least, one
> sysadmin finds difficult. (If I am the minority, then prioritize my
> thoughts appropriately.)
2 hrs?
>> When a feature in the documentation isn't clear enough to you, it's fine
>> to ask on the mailing list, but even better is to submit an ITS pointing
>> out exactly what isn't clear. Sometimes we see problems on the list that
>
> So (just to be clear), you'd want me to file a bug for adding a search
> box to the admin docs? I looked at the bug pages and didn't see anything
> about searching the docs:
>
> http://www.openldap.org/its/index.cgi/Documentation
Yes please. File it anywhere, we'll assign it.
>
> On a side note, I noticed that jitterbug is no longer being maintained.
> Have you considered migrating to, say, Bugzilla? (I do realize how big
> of an undertaking that is, I am *just asking*. :> )
It works fine for the OpenLDAP project. There are plans, just not very
high priority ;-)
15 years, 11 months
Re: Help Needed with mirrormode configuration in 2.4.6
by Gavin Henry
<quote who="Savithri">
> Hi,
> I'm using OpenLDAP 2.4.6 and trying to use the mirrormode and syncrepl.
> My setup has 2 LDAP nodes, one as master and other as slave through a
> VIP.
> When the master goes down, the slave will become master and vice-versa.
> At any point to keep both the LDAP in sync I want to use mirror mode and
> syncrepl and I'm using the following conf file.
>
> database bdb
> directory $MMAIL_VAR_DIR/ldap/ipu-mail-ldap
> suffix "o=mereonmail"
> rootdn "cn=admin,o=mereonmail"
> rootpw secret
> index objectClass,entryCSN,entryUUID pres,eq
> index mail,cn eq,sub
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> syncrepl rid=1
> provider=ldap://${MMAIL_LDAP_PEER_HOSTNAME}:$MMAIL_LDAP_PORT
> bindmethod=simple
> binddn="cn=admin,o=mereonmail"
> credentials=ipunity
> filter="(objectClass=*)"
> searchbase="o=mereonmail"
> schemachecking=on
> type=refreshAndPersist
> interval=00:00:00:01
> retry="60 +"
>
> mirrormode on
>
> But with the above conf file an the both the nodes ( rid = 2 on the other
The docs on the main site are out of date, I did them wrong the first
time. The latest version isn't up yet for MirrorMode, but will be when
2.4.7 is out this week.
Each config has to be the same, including rid, except you now need:
serverID: 1
on one node and:
serverID: 2
on the other. Apart from that, both configs are the same (obviously
changing where they point to ;-) ).
Search "man slapd.conf" for serverID
Gavin.
15 years, 11 months
Help Needed with mirrormode configuration in 2.4.6
by Savithri
Hi,
I'm using OpenLDAP 2.4.6 and trying to use the mirrormode and syncrepl.
My setup has 2 LDAP nodes, one as master and other as slave through a VIP.
When the master goes down, the slave will become master and vice-versa.
At any point to keep both the LDAP in sync I want to use mirror mode and syncrepl and I'm using the following conf file.
database bdb
directory $MMAIL_VAR_DIR/ldap/ipu-mail-ldap
suffix "o=mereonmail"
rootdn "cn=admin,o=mereonmail"
rootpw secret
index objectClass,entryCSN,entryUUID pres,eq
index mail,cn eq,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=1
provider=ldap://${MMAIL_LDAP_PEER_HOSTNAME}:$MMAIL_LDAP_PORT
bindmethod=simple
binddn="cn=admin,o=mereonmail"
credentials=ipunity
filter="(objectClass=*)"
searchbase="o=mereonmail"
schemachecking=on
type=refreshAndPersist
interval=00:00:00:01
retry="60 +"
mirrormode on
But with the above conf file on both nodes (rid=2 on the other node, node2), the replication does not seem to work.
Suppose node1 (master) has 2 added entries; these entries do not come to the slave. Also, when I restart the slave, the entries in the master LDAP are deleted.
Please let me know the correct conf for Mirrormode and syncrepl. Also, I would like to know if OpenLDAP 2.4.6 supports mirrormode?
Thanks in advance for your help.
Savithri
15 years, 11 months
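An added example that serves both Savithri's question and Gavin's reply, not code from either post or from the OpenLDAP project: it renders a slapd.conf for each of two mirror-mode nodes from one template, so that the two files are identical except for `serverID` and the peer in the syncrepl `provider=` URL (the same `rid` on both, as the reply states), and it includes a check that flags the mistakes that make such a pair fail: duplicate serverIDs, differing rids, a node replicating from itself, or any other drift between the two files. In slapd.conf the directive is written `serverID 1`; the `serverID: 1` spelling in the reply is the attribute form used under cn=config. The hostnames, the `directory` path and the `{SSHA}` password placeholder are assumptions; the posted config keeps `rootpw` and `credentials` in cleartext, which the stock config comments on this page advise against.

```python
# Per-node template for two mirror-mode providers; everything except serverID
# and the peer URL is identical on both nodes. Braced values are filled in below.
TEMPLATE = """\
serverID {server_id}
database bdb
suffix "o=mereonmail"
rootdn "cn=admin,o=mereonmail"
rootpw {rootpw}
directory /var/lib/ldap/mereonmail
index objectClass,entryCSN,entryUUID pres,eq
index mail,cn eq,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=1
    provider=ldap://{peer}:389
    bindmethod=simple
    binddn="cn=admin,o=mereonmail"
    credentials={rootpw}
    searchbase="o=mereonmail"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
"""


def render(server_id, peer, rootpw="{SSHA}REPLACE-WITH-slappasswd-OUTPUT"):
    # rootpw is a placeholder; generate a real hash with slappasswd(8).
    return TEMPLATE.format(server_id=server_id, peer=peer, rootpw=rootpw)


def mirror_pair(node_a, node_b):
    """Configs for two nodes: each gets its own serverID and points at the other."""
    return {node_a: render(1, node_b), node_b: render(2, node_a)}


def directives(conf):
    """Flatten a slapd.conf into {keyword: value}; 'key=value' tokens inside the
    syncrepl block are split on '=' so provider, rid etc. become keys too."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            key, _, value = line.partition("=")
        else:
            key, _, value = line.partition(" ")
        out[key] = value
    return out


def differing(conf_a, conf_b):
    da, db = directives(conf_a), directives(conf_b)
    return {k for k in da.keys() | db.keys() if da.get(k) != db.get(k)}


def check_pair(configs):
    """Problems that stop a mirror-mode pair from working: duplicate serverID,
    differing rid, a node pointing at itself, or drift beyond serverID/provider."""
    problems = []
    parsed = {host: directives(c) for host, c in configs.items()}
    ids = [d.get("serverID") for d in parsed.values()]
    if len(set(ids)) != len(ids):
        problems.append("serverID values must be distinct: %s" % ids)
    rids = {d.get("syncrepl") for d in parsed.values()}
    if len(rids) != 1:
        problems.append("rid must be the same on both nodes: %s" % sorted(rids))
    for host, d in parsed.items():
        if host in d.get("provider", ""):
            problems.append("%s replicates from itself" % host)
    hosts = list(configs)
    extra = differing(configs[hosts[0]], configs[hosts[1]]) - {"serverID", "provider"}
    if extra:
        problems.append("configs differ in more than serverID/provider: %s" % sorted(extra))
    return problems


if __name__ == "__main__":
    pair = mirror_pair("ldap1.example.test", "ldap2.example.test")
    print(check_pair(pair) or "pair looks consistent")
    print(pair["ldap1.example.test"])
```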