openldap-software February 2007

openldap-software@openldap.org

94 participants
112 discussions

Start a nNew thread

Beginners question
by Jan Mostert 01 Mar '07

01 Mar '07

5 4

RE: LDAP/BDB log purging
by Lesley Walker 28 Feb '07

28 Feb '07

Buchan Milne [mailto:bgmilne@obsidian.co.za] > > > > Well, I just ran db_archive and caused widespread chaos > because most (all?) > > of the replicas stopped responding to queries. (I have yet > to perform a > > post-mortem) > > You ran db_archive for the first time, on *all* replicas at > the same time???? Yes. We administer 80+ servers that are more or less identically configured, and typically perform small admin tasks in "for" loop, which is what I did in this case. > > I know that there's a bug in bdb 4.2 that causes logs to be > held open even > > though they're no longer required. Upgrading bdb is not on > the cards right > > now so I need to work around that problem by stopping and starting > > openldap. > > This may or may not be the cause of your problems. > Additionally, this is > affected by your database configuration and checkpointing settings. Copied below... > > So the question I have just at the moment is, when I run > db_archive, should > > openldap be running or not running? > > It should be safe, depending on your configuration, to run > db_archive. > However, due to the tasks it does (just deleting all the > unused log files > would have a similar effect), it can be quite IO intensive, > and you may incur > IO starvation when doing it, impacting performance of any > other application > using files on the same block devices (e.g. slapd). As an additional piece of background, we are currently running all the replication out of an intermediate server (it's a transistional setup). As far as I can tell, it all hit the fan when the db_archive ran on that intermediate server. Obviously I should have left that one out of the list but I didn't think of it at the time. These are all the non-comment entries in DB_CONFIG: set_cachesize 0 268435456 1 set_data_dir db set_lg_regionmax 262144 set_lg_bsize 2097152 set_lg_dir logs set_tmp_dir /tmp Database definition entries in slapd.conf: database bdb suffix "dc=example,dc=com" rootdn "cn=root,dc=example,dc=com" rootpw secret directory /var/local/openldap-2.3.32/openldap-data mode 0600 sizelimit 12000 Replication entries on most servers: syncrepl rid=123 provider=ldap://server.example.com type=refreshAndPersist searchbase="dc=example,dc=com" scope=sub schemachecking=off bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=secret retry=5,5,30,5,60,5,300,+ And replication entries on the intermediate host: syncrepl rid=123 provider=ldap://master.example.com type=refreshAndPersist interval=00:00:01:00 searchbase="dc=example,dc=com" scope=sub schemachecking=off bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=secret retry=5,5,30,5,60,5,300,+ overlay syncprov syncprov-checkpoint 10 5 syncprov-sessionlog 100 -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

2 2

Attribute value rewriting
by Quanah Gibson-Mount 28 Feb '07

28 Feb '07

So I have an interesting issue, and I'm wondering if there's an easy solution (although I'm guessing it would take slapo-rwm reworking). Basically, email id's can come in the form of quanah(a)stanford.edu, q.u.a.n.a.h(a)stanford.edu q-u.a-n-a.h(a)stanford.edu qua.na-h(a)stanford.edu (basically, any combination of periods and hyphens). My own data is: lsearch uid=quanah suseassunetid dn: uid=quanah,cn=accounts,dc=stanford,dc=edu suSeasSunetID: qgibsonmount suSeasSunetID: quanah suSeasSunetID: quanahgibsonmount which means that any form of quanah(a)stanford.edu, qgibsonmount(a)stanford.edu, and quanahgibsonmount(a)stanford.edu are deliverable. In our directory, we store what we consider the normalized form (all periods and hyphens stripped out). What I'd like is a way to make sure that any incoming filter request for the attribute (suseassunetid) strips the value(s) of periods and hyphens before the query is evaluated. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 1

reg OIDs..plzzz help!!!
by shilpa muramkar 28 Feb '07

28 Feb '07

As it goes...to import my data into OpenLdap server, i need to create a schema file of my own, add the required attributes and ObjectClasses into it... include the schema file into the "slapd.conf" and then create my ldif file and run it. ...as i have seen in other schema files of OpenLdap, every Attribute and ObjectClass have OIDs. We, in our schema file for our previous Directory Server,have just created the OIDs as "attributename-oid" or "ObjectClassname-oid" and i am using the same here. Hence as a result of which, my schema file,though included in " slapd.conf",isnt being referred by the server (thats what i think, correct me if i am wrong!!). So can i conclude that all this chaos is caused due to the lack of OIDs?? And as a final step i have put a request to "IANA" for a private OID, after getting which i would create a new schema file and proceed. LET ME KNOW IF WHAT I HAVE ASSUMED AND DONE IS RIGHT......if not......Kindly help me out for doing the same!!!!!!!!!! Thanks Shilpa

2 1

Re: reg OpenLdap installation
by shilpa muramkar 28 Feb '07

28 Feb '07

The actual error message i am getting is "objectclass invalid synatx". The reason i thought my schema file isnt being referred is, server is not recognizing the objectclasses that i have in that schema file( that shows server hasnt seen my schema file). So for that what exactly i have done is, i have selected few of the object classes from my schema file and tried inserting them in openldap's schema file(misc.schema). When i did that...one of the object class got recognized. Hence i went on trying to insert few more of my object classes in that schema file but the same thing dint happen. Thats is, when i try to start the service it dosnt start. Just to sum up..... When i simply include my schema file in the slapd.conf, and try to run my ldif files..technically speaking it should work right....or anything more should be done?? Just let me know...... Thanks On 2/28/07, Buchan Milne <bgmilne(a)obsidian.co.za> wrote: > > On Tuesday 27 February 2007, shilpa muramkar wrote: > > I have installed openldap on my machine. In the slapd.conf file i have > > included all the schema files. I need to import our directory server > data > > into OpenLdap now. Hence i have done the below things.... > > 1) Created a schema file containing our data and included it in the > > slapd.conf. > > 2) Created an ldif file, and tried importing our data using "ldapmodify" > > command. > > > > I am facing few problems. > > > > Looks like my schema file isnt being referred by openldap as....even > when i > > comment my schema file and run, the service is starting. > > Removing a schema file, and having the service start is no indication that > the > schema file was not in use before. > > Rather, do a search on the schema available on your LDAP server, to see > what > schemas it *has* loaded when you have configured it to load this schema. > Alternatively, use a schema-aware GUI tool (such as luma). > > > That shows my > > schema file isnt creating any impact there. > > What impact were you expecting? How did you check for this impact? > > (and no, failure to start is not a reasonable impact for removing an > arbitrary > schema file from the configuration file) > > > > > What i did is,,,,,i took some of our required ObjectClasses and included > > them in the "misc.schema" file of OpenLdap just for a trial. Few of them > > worked properly and my data from ldif got added into the server. > > I still have few attributes and ObjectClasses which i am neither able to > > add into any of OpenLdap's schema files nor create a new schema file and > > add( as OpenLdap isnt referring to it). > > Please, post some real error messages, as your interpretation of the > effects > doesn't seem to add up. > > > Can someone guide me as to how to easily get my schema and data added to > > the server. > > The OpenLDAP Admin guide covers this in sufficient detail IMHO. If you > don't > succeed, you should provide sufficient details of what you have done, and > error messages and relevant log file extracts which detail the errors you > are > seeing. > > > If i have to create a schema file of my own.....in that case..how do i > make > > the server refer to that as well........... > > You just add an include statement for your schema file in slapd.conf, as > covered in the documentation ... >

1 0

Re: replication problem: "shadow context; no update referral"
by Emmanuel Dreyfus 28 Feb '07

28 Feb '07

On Wed, Feb 28, 2007 at 11:18:26AM +0200, Buchan Milne wrote: > Well, a lot of the aspects of setting this up are not unique to slurpd, but > are covered in documentation relating to user authentication with > certificates. The errors you posted don't seem to have anything to do with > the certificate authentication itself, but seem to be the generic issue of > your slurpd not authenticating to the slave as the updatedn. Here is what I understood: my slurpd's certificate DN contains non ASCII characters, and for that reason, I have been unable to get the slave slapd matching the updatedn. The solution I finally found was to use authz-regex to rewrite slurpd's DN into something that will match. > (...) waste time on a "HOWTO". Well, as an OpenLDAP user, I know that once you've readen the manual and the FAQ and it's still not working, return of experience from other users gathered with google is valuable. That's why I tend to post how I managed to get the thing working. It will help people looking for the same problem I had, and comments from contributors may help transforming that into some better documentation. -- Emmanuel Dreyfus manu(a)netbsd.org

1 0

replication problem: "shadow context; no update referral"
by Emmanuel Dreyfus 27 Feb '07

27 Feb '07

Hello I try to use replication with slurpd, using TLS to secure access to the replicas. 1) On the master, slapd.conf contains this: database bdb suffix "dc=example,dc=net" directory /var/openldap/openldap-data replogfile /var/log/ldap/ldap.replog replica uri=ldaps://ldap1.example.net bindmethod=sasl saslmech=EXTERNAL I have a slurpd pseudo-user, with a .ldaprc file: SASL_MECH EXTERNAL TLS_CACERT /etc/openssl/certs/ca.crt TLS_KEY /usr/pkg/etc/openldap/slurpd/etc/openssl/slurpd.key TLS_CERT /usr/pkg/etc/openldap/slurpd/etc/openssl/slurpd.crt 2) On the slave, slapd.conf contains: suffix "dc=example,dc=net" directory /var/openldap/openldap-data updatedn "email=...,cn=slurpd,ou=....,o=...,st=...,c=..." updateref ldap://ldap0.example.net access to * by dn.exact="email=...,cn=slurpd,ou=....,o=...,st=...,c=..." by * none updatedn is the information I have in slurpd's certificate. When I update the master, slrupd sees the modification and attempt to propagate it to the salve, but it fails: Error: ldap_modify_s failed modifying DN "cn=foo,dc=example,dc=net": shadow context; no update referral On the slave, the error is: conn=19 op=7 RESULT tag=103 err=10 text= I found in <ldap.h> that this err=1à is #define LDAP_REFERRAL 0x0a /* LDAPv3 */ But it does not helps me fixing the problem. What is wrong? -- Emmanuel Dreyfus manu(a)netbsd.org

3 3

Securing against writes on slave slapd
by Cian Davis 27 Feb '07

27 Feb '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi All, Apologies if this has been posted before - I had a search through the archives but couldn't find anything. We have a master slapd and slurpd feeding to a slave LDAP server - all user info, including auth, comes from LDAP. The LDAP master machine has /home and the slave runs the mail server. I had thought that I saw something in the OpenLDAP manual that you could force any attempted changes on the slave server to be redirected to the master (and then obviously, the changes would get to the slave via a push from slurpd). But after numerous searches, I can't find it. Was I imagining things or is there such a directive? Now this may sound stupid, but if you put the slave slapd into readonly mode, can it accept updates from slurpd on the master? It would reduce the chances of writes being made to the slapd on the slave and causing synchronisation headaches. Regards, Cian Davis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF5IQO2yUma7R/3b8RAoP+AJ957698itvq1ftWXl9qfItnvDk+dwCeLSYM JaiuX7U9+Svz2bfk7s8yGG4= =RoOK -----END PGP SIGNATURE-----

2 1

dynamic config support for unique overlay
by Francis Swasey 27 Feb '07

27 Feb '07

I see that with the 2.3.34 release that the auditlog overlay now has dynamic config support added. The one overlay left that I use which prevents me from using cn=config is the unique overlay. Is anyone working on adding dynamic config support to the unique overlay? If not, are there directions someplace on what is required to add dynamic config support to an overlay? (I did search the developers list archives and came up empty) Thanks, -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900)

4 5

adding remote attribute to entry
by Hans Moser 27 Feb '07

27 Feb '07

Hi! There a two directories: 1. o=inside 2. o=outside Inside there the local entries, i.e. for persons dn: employeenumber=1,ou=people,o=inside mail: user@inside ... Outside is the CA's directory. The user's certificate is there under a DN with the mail address in it. dn: mail=user@inside,ou=foo,o=outside usercertificate:: xxxxxxxxx ... Now CA's usercertificate must appear in the user's entry: dn: employeenumber=1,ou=people,o=inside mail: user@inside usercertificate:: xxxxxxxxx ... But: Outside directories can only be reached by an ldap proxy. So there is a third server working as a proxy with ldap-meta backend. By now a can manually search for certificates, which are 'suffixmassage'd into ou=ca,o=outside. dn: mail=user@inside,ou=ca,o=inside mail: user@inside usercertificate:: xxxxxxxxx ... As far as I understand, slapo-translucent could add the usercertificate attribute to user's entry. But how to tell slapo-translucent to search by attribute mail to find the corresponding entry in (ou=ca,o=inside or) o=outside? Can / must this be done with slapo-rwm? I can guess the outside DN from the user's mail attribute. (But not vice versa; I can only search for the inside entry by attribute mail.) So I know what entry I want / what to search for. But does this help me? [uri filter?] client: search for certificate of employee #1 | | --search--> inside: outside: dn: employeenumber=1,ou=people,o=inside mail: user@inside --search--> mail: user@inside ... <--return-- usercertificate:: xxxxxxxxx | | --return--> dn: employeenumber=1,ou=people,o=inside mail: user@inside usercertificate:: xxxxxxxxx ... Hans

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2007