openldap-software February 2007

openldap-software@openldap.org

94 participants
112 discussions

Can't add data to new ou
by gandalf istari 04 Feb '07

04 Feb '07

Hi, I'm quite new with LDAP so .... i have created a new ou with this command: slapadd -l ./new-od.ldif without any errors dn: ou=Recipients_Seny, ou=Recipients, ou=not_users, ou=users_sxo, dc=internal,dc=sodexho,dc=be ou: Recipients_Seny objectClass: top objectClass: organizationalUnit when i add data i get this error: igor:~# ldapadd -c -x -S /var/log/sync-ldap/ldapadd-userinfo.log -D "cn=admin,dc=internal,dc=sodexh o,dc=be" -w xxx -h 127.0.0.1 -P 3 -f ./sos.ldif adding new entry "CN=SOSCATALOG,OU=Recipients_Seny,OU=Recipients,OU=not_users,OU=users_sxo,DC=intern al,DC=sodexho,DC=be" ldap_add: No such object (32) matched DN: ou=Recipients,ou=not_users,ou=users_sxo,dc=internal,dc=sodexho,dc=be the ldif: dn: CN=SOSCATALOG,OU=Recipients_Seny,OU=Recipients,OU=not_users,OU=users_sxo,DC=internal,DC=sodexho,DC=be cn: SOSCATALOG displayName: SOSCATALOG mail: SOSCATALOG(a)sodexho-be.com givenName: SOSCATALOG objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person sn: SOSCATALOG what must be done to solve this? TIA

3 4

setting up "redudant" ldap service
by Markus Krause 03 Feb '07

03 Feb '07

Hi all! Although my questions are in some aspects similar to the ones in the thread "Multi Master Enviornment for Openldap 2.3" please allow me to start an own one as my situation is slightly different. first what i have: * two servers, runnung slesl0 (in a testing environment) * one is configures as master (i think it should be called the provider): ldapserv2 * the second should act as slave (consumer): ldapserv1 * both serve as database for freeradius, dhcpd and bind9, which are working greatly together! * keeping data consistant is done by syncrepl, which works also great! now the questions: 1) how to handle write requests sent by clients to the slave (ldapserv1)? i tried to setup slapo-chain but obviously failed since clients which can not handle referrals fail to write data (they get the error: LDAP_REFERRAL) if they send it to the slave ldapserv1, or am i missunderstanding the concept? my slapd.conf on the slave looks like (relevant part only): --- slapd.conf ### database definitions etc. [skipped] #### chain overlay definition overlay chain chain-rebind-as-user FALSE chain-uri "ldaps://ldapserv2.biochem.mpg.de" chain-rebind-as-user TRUE chain-idassert-bind bindmethod="simple" binddn="cn=manager,o=test" credentials="secret" mode="self" syncrepl rid=2 provider=ldaps://ldapserv2.biochem.mpg.de type=refreshAndPersist retry=1,5,5,6,30,+ interval=00:00:01:00 searchbase="o=test" filter="(objectclass=*)" scope=sub attrs="*" schemachecking=off binddn="cn=manager,o=test" bindmethod=simple credentials="secret" sizelimit=unlimited ### update referral updateref ldaps://ldapserv2.biochem.mpg.de ---- end of slapd.conf as said, syncrepl works perfectly, but write requests (via php web interface) to ldapserv1 are not forwarded (as i would expect/want) to ldapserv2. what am i doing wrong here? 2) what to do if ldapserv2 (master) is unrechable, is it possible just to "switch" ldapserv1 to be a master (commenting out the syncrepl section, chain and updateref and restart openldap) or is there a better method? 3) a "conceptual" question: for production use i think a two server setup may be not reliable enough (as we plan to do all authentication via ldap, both user and devices on switches). what would be the "optimal" setup? i thought of something like one master, which is not addressed to by clients directly, and two slaves which chain write requests to the master and answer read request themself, clients only contact the two slaves. is this a reasonable setup or what would be a preferrable installation? 4) what about the mentioned (in another thread) mirrormode? would this serve my needs better or is the above scenario "good enough"? but mirrormode is only available in openldap 2.4? thanks in advance for any hints and comments! with best regards markus -- Markus Krause email: krause(a)biochem.mpg.de Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS by order of the Computing Center of the Max-Planck-Institute of Biochemistry Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98 ---------------------------------------------------------------------- This message was sent using https://webmail2.biochem.mpg.de If you encounter any problems please report to rz-linux(a)biochem.mpg.de

1 0

Re: syncrepl only works as rootdn
by Howard Chu 02 Feb '07

02 Feb '07

Redirected from -bugs; there is no evidence of a bug here. Christopher Cowart wrote: > Hello, > > I have 3 installations of openldap-server-2.3.33 running on FreeBSD > 6.1-REL: ldap-master, ldap1, ldap2. I am using syncrepl to replicate > ldap-master to ldap1 and ldap2. The replicated directory is missing > entire ou branches in my tree. > > I have created the following objects in my directory: > cn=syncrepl-ldap1,dc=example,dc=com > cn=syncrepl-ldap2,dc=example,dc=com > > I've made the following configurations on the provider: > | access to * > | by dn.regex="cn=syncrepl-(ldap1|ldap2),dc=example,dc=com" read > | by * break > | > | # More ACLs Follow > | > | # For Sync Replication > | overlay syncprov > | syncprov-checkpoint 100 10 > | syncprov-sessionlog 100 More information is needed. There's no indication that ACLs are any problem here. Of course, you've listed your rootdn in your ACLs, which is useless. One possible explanation is that you didn't raise the sizelimits for the syncrepl users, so they weren't able to get a full refresh. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Re: syncrepl only works as rootdn
by Christopher Cowart 01 Feb '07

01 Feb '07

On Thu, Feb 01, 2007 at 08:59:39PM -0800, Christopher Cowart wrote: > On Thu, Feb 01, 2007 at 08:25:52PM -0800, Howard Chu wrote: > > Redirected from -bugs; there is no evidence of a bug here. > Perhaps the -software list charter should include mention of support > issues or questions? As it was, -bugs seemed most appropriate. > > > Christopher Cowart wrote: > > >Hello, > > > > > >I have 3 installations of openldap-server-2.3.33 running on FreeBSD > > >6.1-REL: ldap-master, ldap1, ldap2. I am using syncrepl to replicate > > >ldap-master to ldap1 and ldap2. The replicated directory is missing > > >entire ou branches in my tree. > > > > > >I have created the following objects in my directory: > > >cn=syncrepl-ldap1,dc=example,dc=com > > >cn=syncrepl-ldap2,dc=example,dc=com > > > > > >I've made the following configurations on the provider: > > >| access to * > > >| by dn.regex="cn=syncrepl-(ldap1|ldap2),dc=example,dc=com" read > > >| by * break > > >| > > >| # More ACLs Follow > > >| > > >| # For Sync Replication > > >| overlay syncprov > > >| syncprov-checkpoint 100 10 > > >| syncprov-sessionlog 100 > > > > More information is needed. There's no indication that ACLs are any problem > > here. Of course, you've listed your rootdn in your ACLs, which is useless. > > Could you suggest what other information might be helpful? I thought the > fact that syncrepl works when binding as the rootdn but not the syncrepl > user indicated ACLs. What makes you think otherwise? > > > One possible explanation is that you didn't raise the sizelimits for the > > syncrepl users, so they weren't able to get a full refresh. > > Thanks for this suggestion. I've added this (from a forum post): > | limits dn.regex="cn=syncrepl-ldap1,dc=example,dc=com" > | time.soft=unlimited time.hard=unlimited size.soft=unlimited > | size.hard=unlimited > > After restarting the provider, the consumer is still not replicating the > missing portions of the directory. Do you have any other suggestions? Just to clarify, I also blew away the backend on the consumer and restarted that instance of slapd. -- Chris Cowart Network and Infrastructure Systems Administrator RSSP-IT, UC Berkeley "May all your pushes be popped"

2 1

Re: syncrepl only works as rootdn
by Howard Chu 01 Feb '07

01 Feb '07

Christopher Cowart wrote: > Thanks for this suggestion. I've added this (from a forum post): > | limits dn.regex="cn=syncrepl-ldap1,dc=example,dc=com" > | time.soft=unlimited time.hard=unlimited size.soft=unlimited > | size.hard=unlimited > > After restarting the provider, the consumer is still not replicating the > missing portions of the directory. Do you have any other suggestions? Aside from carefully reading the syncrepl documentation in the Admin Guide: > And on the consumer (ldap1): > | # Sync Replication > | syncrepl rid=001 > | provider=ldaps://ldap-master.example.com/ > | type=refreshAndPersist > | interval=00:01:00:00 > | searchbase="dc=example,dc=com" > | scope=sub > | schemachecking=off > | bindmethod=simple > | binddn="cn=syncrepl-ldap1,dc=example,dc=com" > | credentials=supersecret You probably need a retry specification here. Otherwise the consumer will quit once it encounters an error. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: syncrepl only works as rootdn
by Howard Chu 01 Feb '07

01 Feb '07

Christopher Cowart wrote: > On Thu, Feb 01, 2007 at 08:25:52PM -0800, Howard Chu wrote: >> Redirected from -bugs; there is no evidence of a bug here. > Perhaps the -software list charter should include mention of support > issues or questions? As it was, -bugs seemed most appropriate. The -bugs list is for discussion of actual bug reports. Bug reports are submitted using the ITS. Usage questions belong on the -software list. As its charter says: "technical issues specific to OpenLDAP Software." >> More information is needed. There's no indication that ACLs are any problem >> here. Of course, you've listed your rootdn in your ACLs, which is useless. > > Could you suggest what other information might be helpful? I thought the > fact that syncrepl works when binding as the rootdn but not the syncrepl > user indicated ACLs. What makes you think otherwise? Aside from the extraneous rootdn rules, there was no problem with your ACLs. You should have provided the complete database configuration on the provider, for starters. At this point that's probably not necessary since you obviously didn't have the correct limits in place. These requirements are documented in section 15.3.2 of the Admin Guide. http://www.openldap.org/doc/admin23/syncrepl.html >> One possible explanation is that you didn't raise the sizelimits for the >> syncrepl users, so they weren't able to get a full refresh. > > Thanks for this suggestion. I've added this (from a forum post): > | limits dn.regex="cn=syncrepl-ldap1,dc=example,dc=com" > | time.soft=unlimited time.hard=unlimited size.soft=unlimited > | size.hard=unlimited > > After restarting the provider, the consumer is still not replicating the > missing portions of the directory. Do you have any other suggestions? You'll probably need to reset the sync cookie on the consumers. See section 15.3.3 of the Admin Guide, and/or the slapd(8) manpage. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Bind using credentials from another directory server
by François Beretti 01 Feb '07

01 Feb '07

Hello all ! Does OpenLDAP provide a way to authenticate on it using a DN / pwd of another LDAP server ? I have read the manual page about the LDAP and META backends, but I did not find if it match my will. At the end I would like to authenticate on OpenLDAP with a DN/pwd of another directory (or maybe SASL credentials ?), and access (probably only through OpenLDAP) to the data of both OpenLDAP and the other directory server. I can customize the OpenLDAP server (in fact: our server), and not the other server (the customer server). Thank you François

6 11

Could not locate TLS/SSL package on openldap install
by Andrew Higginbotham 01 Feb '07

01 Feb '07

Hi, I'm installing openldap with tls against a custom openssl install that is located in /usr/local/ssl . To compile I run # export LDFLAGS="-L/usr/local/ssl/lib" # export CPPFLAGS="-I/usr/local/ssl/include/openssl" Then we have # env | grep FLAG LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include/openssl So that all looks normal. But when I run 'configure' with # ./configure --prefix=/usr/local/openldap --libexecdir=/usr/local/libexec --enable-slurpd --with-tls --enable-slapd the last few lines I see are checking openssl/ssl.h usability... yes checking openssl/ssl.h presence... yes checking for openssl/ssl.h... yes checking for SSL_library_init in -lssl... no checking for ssl3_accept in -lssl... no checking OpenSSL library version (CRL checking capability)... no configure: error: Could not locate TLS/SSL package So it looks like it can see the header files alright at least. I have attached my config.log file to this mail, in case that might help. Thanks, Andrew

2 1

Slapd issue
by Philip Bellino 01 Feb '07

01 Feb '07

Hello, I am running slapd(openldap-2.3.32) on a linux host. I am also running openldap-2-32-3 on a linux client. If I use the "allow_bind_v2" switch in the slapd.conf file, I can do anonymous simple binds from the client to the server over TCP with no problems. I can also do simple login/password authentication with no problems. I now an trying to use v3 secure connections. When I attempt to authenticate, I get the following errors from the slapd logs (in bold): TLS trace: SSL_accept:SSLv3 flush data tls_read: want=5 error=Resource temporarily unavailable TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL daemon: epoll: listen=10 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 14r daemon: read active on 14 connection_get(14) connection_get(14): got connid=0 connection_read(14): checking for input on id=0 tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 30 .0 TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057 connection_read(14): TLS accept failure error=-1 id=0, closing connection_closing: readying conn=0 sd=14 for close connection_close: conn=0 sd=14 daemon: removing 14 conn=0 fd=14 closed (TLS negotiation failure) daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL daemon: epoll: listen=10 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL daemon: epoll: listen=10 active_threads=0 tvp=NULL My slapd.conf file is: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/servercrt.pem TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem TLSVerifyClient never ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=mrv,dc=com" rootdn "cn=Manager,dc=mrv,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq #index ou,cn,mail,surname,givenname eq,pres,sub #index uidNumber,gidNumber,loginShell eq,pres #index uid,memberUid eq,pres,sub #index nisMapName,nisMapEntry eq,pres,sub It loks to me as is slapd is trying to read the client certificate even though my slapd.conf file entry "TLSVerifyClient never" is set. I am new to this all, so I do not know if I am interpreting this correctly or not. Any help would be most appreciated. Thanks, Phil Bellino ============================ Phil Bellino MRV Communications, Inc. Boston Product Division 295 Foster St. Littleton,MA 01460 Tel: (978)952-4807 Email: pbellino(a)mrv.com ============================

2 1

ldapsearch for digest-md5
by Radhakrishnan Balasubramanian 01 Feb '07

01 Feb '07

Hi All, I have Openldap Server -2.2.13 with Cyrus SASL configured. I am trying to do ldapsearch for digest-md5 .I am getting the following error : ldapsearch -Y digest-md5 -D "uid=pokemon,ou=People,dc=cisco,dc=com" -w pokemon123 SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): authentication failure: client response doesn't match what we generated But ldapsearch with -U option is successful. Please let me know what need to be done on my LDAP server for making ldapsearch sucessful without using -U (SASL authentication identiy) and using only -D option . Thanks, RK ____________________________________________________________________________________ Don't get soaked. Take a quick peak at the forecast with the Yahoo! Search weather shortcut. http://tools.search.yahoo.com/shortcuts/#loc_weather

4 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2007