segmentation fault using the refint overlay
by Cyril Grosjean
I have OpenLDAP 2.3-2.3.30 running over Debian Linux with a 2.6.18-4-686 kernel.
When enabling the referential integrity overlay (refint), I then get a
"segmentation fault" error message when initializing my test-bed database (about
300 entries), at the very end of the slapadd command.
Then, I can start the slapd daemon, but it crashes if I search for an entry related
to the refint overlay.
I also use the dynlist overlay which works fine, and I've tried to declare the
refint overlay before or after dynlist, but it doesn't change anything.
As soon as I comment out the refint overlay related configuration directives,
I don't have any problem.
Extract from my slapd.conf file:
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload dynlist
moduleload refint
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
overlay refint
refint_attributes memberof uniquemember
I've also tried to have refint only monitor either memberof or uniquemember,
but it doesn't change anything. Also, adding the optional refint_nothing
directive didn't help.
Below, the debug trace when running slapadd:
<= key_change 0
=> key_change(ADD,142)
<= key_change 0
=> key_change(ADD,142)
<= key_change 0
=> key_change(ADD,142)
<= key_change 0
<= index_entry_add( 322, "uid=testuser,ou=people,dc=intra,dc=XXXX,dc=YY" )
success
=> entry_encode(0x00000142): uid=testuser,ou=people,dc=intra,dc=XXXX,dc=YY
slapadd shutdown: initiated
Segmentation fault
Re: cn=config howto?
by Wai Phang
Hi Dieter,
Thank you for your reply.
I have managed to get things going with the steps you have provided, but
I am unable to bind as cn=config.
How do I set the password for cn=config? I tried rootPW but it doesn't
seem to work.
TIA
>Hi,
>"Wai Phang" <sephiroth.rias(a)gmail.com> writes:
>> Hi there, There is this impressive section in the documentation which
>> clearly explains the config LDIF structure. However, I cannot find
>> any documentation on how to go about using it. From a fresh install,
>> how do I go about setting up the configuration using cn=config? How
>> do I add a new database into cn=config? How do I modify the attributes
>> in cn=config? This is a very good feature but where is the
>> documentation? Can someone please shed some light. Thank You.
>There is not much documentation yet, except for slapd.conf(5). To set
>up cn=config from a fresh installation, depending on your version,
>1. add a database config, with rootdn cn=config and rootpw as first
> instance to slapd.conf
>2. create a directory etc/openldap/slapd.d/
>3. run ./slapd -h "ldap:///" -F /etc/openldap/slapd.d/ -f
> /etc/openldap/slapd.conf
>To add settings or change values, point your preferred ldap editor to
>suffix cn=config and bind as cn=config
>-Dieter
--
Est Solaris Oth Mithas
TLS/SSL problem - unsupported certificate purpose
by Jean-Claude
Hello,
I found a very similar and recent post on the Mailing List but no solution.
Maybe I missed something.
I migrated my openLdap server from Debian Sarge (slapd 2.2.23-8)
to Debian Etch (slapd 2.3.30-5)
On Sarge all was working fine (LDAP server with and without SSL),
but now SSL access is unusable.
Using clear access (port 389) the LDAP server works fine.
With SSL, I checked all my certificates (Root CA and LDAP certificate) and
renewed all of them, without success.
Always the same error message,
although everything seems OK with the certificates.
# openssl x509 -in LDAPserver-cert.pem -text -noout
========================
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=MYDOMAIN, CN=mydomain.net Root
CA/emailAddress=user(a)mydomain.net
Validity
Not Before: Apr 19 21:47:31 2007 GMT
Not After : Apr 18 21:47:31 2008 GMT
Subject: C=FR, ST=France, L=Nice, O=MYDOMAIN,
CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c2:20:97:ed:17:fa:d5:87:bd:c8:1e:36:4c:e5:
3e:30:25:2b:e1:35:71:89:9f:68:55:38:41:e2:00:
.........
75:5b:c4:bd:62:dc:43:df:b2:9c:9f:c9:e5:bd:fb:
9e:bb:fc:51:ba:60:3e:53:6c:e9:b3:85:56:9a:7e:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CE:19:D6:9C:..............................
X509v3 Authority Key Identifier:
keyid:4D:58:60:..............................
Signature Algorithm: sha1WithRSAEncryption
48:f0:90:2f:93:cb:ae:93:3f:ac:c9:d8:7e:2f:95:1f:9b:86:
ca:aa:34:a7:f0:63:e4:aa:1d:47:8d:ad:6f:ed:e1:d6:58:7d:
....................................................
30:b5:37:21:c5:3e:1a:f3:f6:29:1a:17:6d:c6:fb:06:d2:44:
20:24:b4:9e
=============================
# ldapsearch -d1 -x -H ldaps://localhost:636/
gives me the following answer:
==================================
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 26,
subject: /C=FR/ST=France/L=Nice/O=MYDOMAIN/CN=fully_qualified_name_machine.mydomain.net
/emailAddress=user(a)mydomain.net,
issuer: /C=FR/ST=France/O=MYDOMAIN/CN=my domain.net
RootCA/emailAddress=user(a)mydomain.net
TLS certificate verification: Error, unsupported certificate purpose
TLS trace: SSL3 alert write:fatal:unsupported certificate
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
============================================
I'm just wondering what's wrong.
I've been searching for a few days.
Is something wrong with ldap server 2.3.30?
Did I miss some evidence?
If someone can give me any light, because I feel alone without any solution.
--
Regards.
Jean-Claude
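The dump above shows an end-entity certificate whose Netscape Cert Type carries only "Object Signing". OpenSSL's "sslserver" purpose check, which an LDAPS client applies to the server certificate, rejects a certificate whose nsCertType or extendedKeyUsage extension is present but lacks the server bits, and reports that as verify error 26, "unsupported certificate purpose". The Python below is an added example, not code from the post or from OpenLDAP: it pulls the extensions out of constructed `openssl x509 -text` fragments and lists which of those two checks would fail.

```python
import re

# Constructed samples modelled on the `openssl x509 -text` dump in the post above
# (subject, keys and signature elided); indentation follows real openssl output.
OBJSIGN_CERT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                Object Signing
    Signature Algorithm: sha1WithRSAEncryption
"""
# Constructed counterpart carrying the extension a TLS server certificate needs.
SERVER_CERT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""

def parse_extensions(text):
    """Map extension name -> value lines from an `openssl x509 -text` dump."""
    exts, current, in_exts = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "X509v3 extensions:":
            in_exts = True
        elif in_exts and line.startswith("Signature Algorithm:"):
            break                                   # extensions section is over
        elif in_exts and line and len(raw) - len(raw.lstrip()) <= 12:
            current = re.sub(r":\s*(critical)?$", "", line)   # header line
            exts[current] = []
        elif in_exts and line and current is not None:
            exts[current].append(line)              # value line under the header
    return exts

def sslserver_purpose_problems(exts):
    """Reasons OpenSSL's 'sslserver' purpose check (what an LDAPS client applies
    to the server's end-entity cert) rejects these extensions; [] means accepted."""
    problems = []
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and not any("TLS Web Server Authentication" in v for v in eku):
        problems.append("Extended Key Usage lacks TLS Web Server Authentication")
    ns = exts.get("Netscape Cert Type")   # absent is fine; present without SSL Server is not
    if ns is not None and not any("SSL Server" in v for v in ns):
        problems.append("Netscape Cert Type lacks SSL Server: " + ", ".join(ns))
    return problems
```

A certificate with neither extension passes both checks, so leaving nsCertType out entirely is as acceptable to the purpose check as setting its SSL Server bit.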
Pcache overlay bug or undocumented "feature"?
by Daniel Montero Motilla
Hi, I'm getting a strange (at least for me) behaviour with the pcache
overlay (openldap 2.3.27). I have a configuration similar to this one:
proxyattrset 0 uid cn sn mail description
proxyattrset 1 cn description
proxytemplate (&(objectClass=)(uid=)) 0 3600
proxytemplate (&(objectClass=)(cn=)) 1 3600
With this configuration, I perform this search:
(&(objectClass=groupOfNames)(cn=mygroup)) cn description
but I obtain "NOT ANSWERABLE" and "NOT CACHEABLE".
Digging into pcache.c, I see that the problem is that the 'get_attr_set'
function doesn't look for a proxyattrset that _exactly_ matches
my search attribute set; it instead looks for a proxyattrset that is a
_superset_ of the search attribute set.
In my example, my search attribute set (cn, description) is a subset
of proxyattrset '0', so 'get_attr_set' returns '0'. Then, the
application looks for a proxytemplate whose proxyattrset equals the
one obtained with 'get_attr_set' (0), so it obtains the template
'(&(objectClass=)(uid=))' and compares it with my search template
'(&(objectClass=)(cn=))', so I get 'NOT CACHEABLE'.
As a workaround I have inverted the proxyattrset index numbers so
'get_attr_set' finds the most specific proxyattrset first, but I'm
curious whether this behaviour is the intended one or if I should
file an ITS with a patch (the change in code would be minimal). What
do you think?
Thanks,
Dani
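To make the matching described above concrete, here is an added Python model (not code from pcache.c) of the attribute-set and template lookup, using the post's two proxyattrsets and proxytemplates; the workaround of renumbering the sets is modelled as scanning them in a different order.

```python
import re

# Constructed model of the lookup the post describes (not code from pcache.c):
# proxyattrset index -> attributes, and proxytemplate filter -> attrset index.
ATTRSETS = {0: {"uid", "cn", "sn", "mail", "description"},
            1: {"cn", "description"}}
TEMPLATES = [("(&(objectClass=)(uid=))", 0),
             ("(&(objectClass=)(cn=))", 1)]

def template_shape(filter_str):
    """Reduce a filter to its template form: (&(objectClass=groupOfNames)(cn=mygroup))
    becomes (&(objectClass=)(cn=)), i.e. the assertion values are dropped."""
    return re.sub(r"=[^()]*\)", "=)", filter_str)

def get_attr_set(requested, attrsets, order):
    """Superset match as described: return the first attrset (scanning `order`)
    that contains every requested attribute, not the one that matches exactly."""
    wanted = set(requested)
    for idx in order:
        if wanted <= attrsets[idx]:
            return idx
    return None

def cache_decision(filter_str, requested, attrsets, templates, order):
    """Return (cacheable, attrset index chosen, template matched or None)."""
    idx = get_attr_set(requested, attrsets, order)
    if idx is None:
        return (False, None, None)          # no attrset covers the request
    shape = template_shape(filter_str)
    for tmpl, tmpl_idx in templates:
        if tmpl_idx == idx and tmpl == shape:
            return (True, idx, tmpl)
    return (False, idx, None)               # attrset chosen, but its template differs

# The search from the post: filter plus requested attributes.
SEARCH = ("(&(objectClass=groupOfNames)(cn=mygroup))", ["cn", "description"])

def as_configured():
    """Attrsets scanned in index order 0, 1: set 0 is a superset, template 0 mismatches."""
    return cache_decision(*SEARCH, ATTRSETS, TEMPLATES, order=[0, 1])

def with_inverted_indexes():
    """The post's workaround: the most specific attrset is scanned first."""
    return cache_decision(*SEARCH, ATTRSETS, TEMPLATES, order=[1, 0])
```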
Best practise for syncrepl security & latency?
by Kari Mattsson
Hola!
I have this situation at hand, and would like to solve it the proper way.
It appears finding this kind of information on OpenLDAP is hard to come by.
Host1 holds master OpenLDAP DIT.
Host2 holds full syncrepl replicated read-only copy of the same DIT.
Replication latency should be minimised. 30 seconds is OK, though.
Host1's slapd.conf contains lines like:
overlay syncprov
syncprov-checkpoint 1 1
syncprov-sessionlog 100
Host2's slapd.conf contains these lines:
syncrepl rid=10
provider=ldap://HOST1:389
starttls=critical
type refreshAndPersist
interval=00:00:00:29
binddn="cn=replicator,dc=BASENAME"
credentials="secret_password"
bindmethod=simple
searchbase="dc=BASENAME"
It seems to work OK, but I don't like the idea of having a plain text
password in Host2's slapd.conf.
Any comments on the Host1's values would be valuable.
Same goes for Host2's values.
Is SASL the only sensible way to go here, security-wise?
//Kari
PPolicy
by Greg Ryan
Has anyone ever gotten ppolicy to work? I have been trying for weeks and
just can't get it to work at all. Does anyone have any config examples
from a working ppolicy config?
Subordinate Knowledge Information
by Raffaele Viola
Hi all,
I have two LDAP servers, 151.98.181.93 and .64. I inserted the following lines
in the ldap.conf of the .93 server:
dn: dc=RAFFO,dc=IT
objectClass: referral
objectClass: extensibleObject
ref: ldap://151.98.181.64/dc=RAFFO,dc=IT
because I want to subordinate the request dc=RAFFO,dc=IT to the .64 server
where I've already created a database ...
database bdb
suffix "dc=RAFFO,dc=IT"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=RAFFO,dc=IT"
rootpw secret
directory /var/lib/ldap
index objectClass eq
but if I try to connect to the .93 server using an LDAP browser I get this
error:
02:26:57 PM: Failed to connect to ldap://151.98.181.93:389
Root error: [LDAP: error code 49 - Invalid Credentials]
Please help me,
Thanks Raffo
Ldap 2 ldap
by Raffaele Viola
Hi,
how can I configure an LDAP server to request information from another LDAP server?
Thanks
Raffo
cn=config howto?
by Wai Phang
Hi there,
There is this impressive section in the documentation which clearly explains
the config LDIF structure.
However, I cannot find any documentation on how to go about using it.
From a fresh install, how do I go about setting up the configuration using
cn=config?
How do I add a new database into cn=config?
How do I modify the attributes in cn=config?
This is a very good feature, but where is the documentation? Can someone please
shed some light. Thank you.
--
Est Solaris Oth Mithas