openldap-software April 2007

openldap-software@openldap.org

90 participants
96 discussions

no TLS connections
by Fabrice Eudes 18 Apr '07

18 Apr '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello everybody, I am quite new to ldap and i am testing locally before setting up a new server. Unencrypted connections are all right but i have no success with TLS connections. My box, a laptop, is a Debian Etch, the openldap version is 2.3.30 (the packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd). If needed, i can give more details, but basically i followed these steps: 1) a. set up a local certification authority (CA) b. created a certificate for the ldap server, signed by my CA; I took care that the Common Name is the server FQDN. 2) a. In /etc/default/slapd, i wrote SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/ ldaps://arwen.grenier.ambre:636/" (where arwen.grenier.ambre is my laptop FQDN) b. In /etc/ldap/slapd.conf, accordingly to where my files are, i wrote: TLSCACertificateFile /etc/ldap/certificates/cacert.pem TLSCertificateFile /etc/ldap/certificates/servercert.pem TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem TLSVerifyClient never c. In /etc/ldap/ldap.conf, i wrote: TLS_CACERT /etc/ldap/certificates/cacert.pem TLS_REQCERT never I have read in openldap admin guide that the TLS_REQCERT default value is "demand" but it isn't compulsory is it ? the request « ldapsearch -H ldap://arwen.grenier.ambre -x -D "cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ » seems all right as it returns all the directory entries but in syslog (i put «loglevel 15» in slapd.conf) i have the following (i added some comments to easily spot the possible errors): Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: >>> slap_listener(ldap://arwen.grenier.ambre:389/) Apr 18 23:15:25 localhost slapd[6727]: daemon: listen=6, new connection on 11 Apr 18 23:15:25 localhost slapd[6727]: daemon: added 11r (active) listener=(nil) Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on: Apr 18 23:15:25 localhost slapd[6727]: 11r Apr 18 23:15:25 localhost slapd[6727]: Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11 Apr 18 23:15:25 localhost slapd[6727]: connection_get(11) Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8 Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8 ### PROBLEM ??? Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable) ### Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: do_extended Apr 18 23:15:25 localhost slapd[6727]: do_extended: oid=1.3.6.1.4.1.1466.20037 Apr 18 23:15:25 localhost slapd[6727]: send_ldap_extended: err=0 oid= len=0 Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=1 tag=120 err=0 Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on: Apr 18 23:15:25 localhost slapd[6727]: 11r Apr 18 23:15:25 localhost slapd[6727]: Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11 Apr 18 23:15:25 localhost slapd[6727]: connection_get(11) Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8 Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8 Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on: Apr 18 23:15:25 localhost slapd[6727]: 11r Apr 18 23:15:25 localhost slapd[6727]: Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11 Apr 18 23:15:25 localhost slapd[6727]: connection_get(11) Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8 Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8 ### PROBLEM ??? Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): unable to get TLS client DN, error=49 id=8 ### Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on: Apr 18 23:15:25 localhost slapd[6727]: 11r Apr 18 23:15:25 localhost slapd[6727]: Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11 Apr 18 23:15:25 localhost slapd[6727]: connection_get(11) Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8 Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8 Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable) Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: waked Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: do_bind Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal: <cn=root,dc=irem,dc=univ-lille1,dc=fr> Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal: <cn=root,dc=irem,dc=univ-lille1,dc=fr>, <cn=root,dc=irem,dc=univ-lille1,dc=fr> Apr 18 23:15:25 localhost slapd[6727]: do_bind: version=3 dn="cn=root,dc=irem,dc=univ-lille1,dc=fr" method=128 Apr 18 23:15:25 localhost slapd[6727]: ==> bdb_bind: dn: cn=root,dc=irem,dc=univ-lille1,dc=fr Apr 18 23:15:25 localhost slapd[6727]: do_bind: v3 bind: "cn=root,dc=irem,dc=univ-lille1,dc=fr" to "cn=root,dc=irem,dc=univ-lille1,dc=fr" Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=1 p=3 Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0 matched="" text="" Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=2 tag=97 err=0 Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on: Apr 18 23:15:25 localhost slapd[6727]: 11r Apr 18 23:15:25 localhost slapd[6727]: Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11 Apr 18 23:15:25 localhost slapd[6727]: connection_get(11) Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8 Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8 ### PROBLEM ??? Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable) ### Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: waked Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: do_search Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal: <dc=irem,dc=univ-lille1,dc=fr> Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal: <dc=irem,dc=univ-lille1,dc=fr>, <dc=irem,dc=univ-lille1,dc=fr> Apr 18 23:15:25 localhost slapd[6727]: SRCH "dc=irem,dc=univ-lille1,dc=fr" 2 0 Apr 18 23:15:25 localhost slapd[6727]: 0 0 0 Apr 18 23:15:25 localhost slapd[6727]: filter: (objectClass=*) Apr 18 23:15:25 localhost slapd[6727]: attrs: Apr 18 23:15:25 localhost slapd[6727]: Apr 18 23:15:25 localhost slapd[6727]: => bdb_search Apr 18 23:15:25 localhost slapd[6727]: bdb_dn2entry("dc=irem,dc=univ-lille1,dc=fr") Apr 18 23:15:25 localhost slapd[6727]: search_candidates: base="dc=irem,dc=univ-lille1,dc=fr" (0x00000056) scope=2 Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2idl("dc=irem,dc=univ-lille1,dc=fr") Apr 18 23:15:25 localhost slapd[6727]: => bdb_presence_candidates (objectClass) Apr 18 23:15:25 localhost slapd[6727]: bdb_search_candidates: id=-1 first=1 last=171 Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "dc=nodomain" Apr 18 23:15:25 localhost slapd[6727]: <= entry_decode(dc=nodomain) Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("") Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990) Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "cn=admin,dc=nodomain" Apr 18 23:15:25 localhost slapd[6727]: <= entry_decode(cn=admin,dc=nodomain) Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("domain") Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990) Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8 dn="dc=irem,dc=univ-lille1,dc=fr" Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit. [ ... more search results ... ] Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8 dn="uid=arlette.lengaigne,ou=personnes,dc=irem,dc=univ-lille1,dc=fr" Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit. Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=2 p=3 Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0 matched="" text="" Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=3 tag=101 err=0 Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on: Apr 18 23:15:25 localhost slapd[6727]: 11r Apr 18 23:15:25 localhost slapd[6727]: Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11 Apr 18 23:15:25 localhost slapd[6727]: connection_get(11) Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8 Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8 Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=0 (Success) Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): input error=-2 id=8, closing. Apr 18 23:15:25 localhost slapd[6727]: connection_closing: readying conn=8 sd=11 for close Apr 18 23:15:25 localhost slapd[6727]: connection_close: deferring conn=8 sd=-1 Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor Apr 18 23:15:25 localhost slapd[6727]: daemon: waked Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL Apr 18 23:15:25 localhost slapd[6727]: do_unbind Apr 18 23:15:25 localhost slapd[6727]: connection_resched: attempting closing conn=8 sd=11 Apr 18 23:15:25 localhost slapd[6727]: connection_close: conn=8 sd=-1 Apr 18 23:15:25 localhost slapd[6727]: daemon: removing 11 I am quite sure that my setup is not totally correct as, for instance, i successfully connect to the directory from phpLDAPadmin web interface without TLS, but can't connect with TLS (or ldaps). And another question :-) What's the story with TLS_CIPHER_SUITE in ldap.conf, and TLSCipherSuite in slapd.conf ? Do they have to be set to some value ? When i read the admin guide, i don't understand if there is a default value or not, and there is nothing concerning these directives in the Faq-O-Matic TLS entry. thanks for your help. - -- Fabrice Eudes -o) Clé PGP 88AC3A66 /\\ Utilisateur Linux n°245401 _\_V -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGJo2RC7KnmYisOmYRAlqUAJ9hyv9dwGIVLOXyN7Cvjy7MRKCyfQCg1ZSL Gti/xrhf/V1yCuQnZOELHRI= =qTSn -----END PGP SIGNATURE-----

2 2

Building OpenLDAP 3.3.35 with Kerberos on SLES9
by Andrew Scott 18 Apr '07

18 Apr '07

Hello all, I've been pulling hair out in tufts over the last week trying to get OpenLDAP 2.3.35 to build with Kerberos 5 support on a SLES9 machines (AMD64). I've spent hours searching the mailing lists and Google. All I could find were messages from several years ago admonishing people for not searching, or questions with no answers. Anyway, I finally got it, which leads to my question below. First, this machine is SLES9, Service Pack Three. SuSE provides the Heimdal Kerberos implementation. It also has Cyrus SASL. For some strange reason, the OpenLDAP packages SuSE supplies for SLES9 do not have Kerberos compiled in, so I went and grabbed the openldap-2.3.35 tarball and set about trying to build it. The biggest problem is the configure script completely ignores the -with-kerberos option. Completely. I've searched, and I can't find any mention of why this is. Starting at line 18,158 in the configure script, I found this block: ---- ol_link_kbind=no ol_link_krb5=no ol_link_krb4=no case $ol_with_kerberos in yes | auto | k5 | k5only | k425) ---- Changing "ol_link_krb5" to "yes" had no effect. But changing "ol_link_krb5" to "yes" AND adding the line "ol_with_kerberos=yes" right above the case statement got the configure script to actually start looking for Kerberos libraries and headers. After that, it was just a matter of setting the right CCFLAGS and LDFLAGS environment variables so configure could find the headers and libraries. Once all that was in place, it built like a champ and seems to be working. So my question is, why does "-with-kerberos" not work anymore? Is this a conscious decision, or a bug? Thanks! Andrew Scott Louisville, KY

3 4

FW: Sync repl
by Irfaz 17 Apr '07

17 Apr '07

The error I was getting in the below mentioned case while running the following comment on the slave was : ldapsearch -x -D dc=my-domain,dc=com -w secret -H ldap://masterip -b dc=my-domain,dc=com -s base contextCSN SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) Please provide me your valuable inputs to proceed further... Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! _____ From: Irfaz [mailto:irfazs@huawei.com] Sent: Tuesday, April 17, 2007 15:39 To: 'openldap-software(a)openldap.org' Subject: Sync repl using syncrepl to replicate will they the slave server automatically takes the contenst from server or some commands has to be executed.???? I am not able to get the replication master : slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema database bdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 database monitor loglevel 55 master : example.ldif dn: dc=my-domain,dc=com dc: my-domain objectClass: organization objectClass: domainRelatedObject objectClass: dcObject o: my-domain, Inc. description: location 1 associatedDomain: my-domain.com dn: cn=Manager,dc=my-domain,dc=com cn: Manager objectClass: organizationalRole dn: ou=user,dc=my-domain,dc=com ou: user description: location 1 objectClass: organizationalUnit dn: cn=u1,ou=user,dc=my-domain,dc=com objectClass: inetOrgPerson objectClass: uidObject objectClass: organizationalPerson objectClass: top givenName: irfaz uid: 1 mail: 1(a)gmail.com sn: SURNAMEu1 cn: u1 dn: cn=u2,ou=user,dc=my-domain,dc=com objectClass: inetOrgPerson objectClass: uidObject objectClass: organizationalPerson objectClass: top givenName: sharfaz uid: 2 mail: 2(a)gmail.com sn: SURNAMEu2 cn: u2 /* Provider slapd.conf */ include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args database bdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub syncrepl rid=125 provider=ldap://localhost:9011 type=refreshAndPersist interval=00:00:00:10 searchbase="dc=my-domain,dc=com" filter="(objectClass=organizationalPerson)" scope=sub attrs="*" schemachecking=off bindmethod=simple binddn="cn=Manager,dc=my-domain,dc=com" credentials=secret Advance thanks for any comments given!!!!!!!!!!!!!! Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

1 0

Consumer server : syncrepl
by Irfaz 17 Apr '07

17 Apr '07

Hi.. If syncrepl works fine and master contents are replicated to a slave server...can the slave server add a new entry of its own and then notify the change to master(provider)????...... Can slave server has its own clients to access the slave server for information directly????/ Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

1 0

Sync repl
by Irfaz 17 Apr '07

17 Apr '07

using syncrepl to replicate will they the slave server automatically takes the contenst from server or some commands has to be executed.???? I am not able to get the replication master : slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema database bdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 database monitor loglevel 55 master : example.ldif dn: dc=my-domain,dc=com dc: my-domain objectClass: organization objectClass: domainRelatedObject objectClass: dcObject o: my-domain, Inc. description: location 1 associatedDomain: my-domain.com dn: cn=Manager,dc=my-domain,dc=com cn: Manager objectClass: organizationalRole dn: ou=user,dc=my-domain,dc=com ou: user description: location 1 objectClass: organizationalUnit dn: cn=u1,ou=user,dc=my-domain,dc=com objectClass: inetOrgPerson objectClass: uidObject objectClass: organizationalPerson objectClass: top givenName: irfaz uid: 1 mail: 1(a)gmail.com sn: SURNAMEu1 cn: u1 dn: cn=u2,ou=user,dc=my-domain,dc=com objectClass: inetOrgPerson objectClass: uidObject objectClass: organizationalPerson objectClass: top givenName: sharfaz uid: 2 mail: 2(a)gmail.com sn: SURNAMEu2 cn: u2 /* Provider slapd.conf */ include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args database bdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub syncrepl rid=125 provider=ldap://localhost:9011 type=refreshAndPersist interval=00:00:00:10 searchbase="dc=my-domain,dc=com" filter="(objectClass=organizationalPerson)" scope=sub attrs="*" schemachecking=off bindmethod=simple binddn="cn=Manager,dc=my-domain,dc=com" credentials=secret Advance thanks for any comments given!!!!!!!!!!!!!! Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

1 0

SyncRepl on Request?
by hadmut＠danisch.de 16 Apr '07

16 Apr '07

Hi, I'd like to use SyncReplication on some Notebooks with local ldap servers to be updated whenever they connect to the Home LAN. Unfortunately, the syncrepl directive uses a fixed time interval. I would need a way to run the replication on request and only on request, i.e. - run when the notebook is connected to the home lan, whatever time - do not run when the notebook is not connected to the home lan The best way would be to run replication only when triggered through an external command. Any way to achieve that? regards Hadmut

5 4

RE: syncrepl and openLDAP sync feature
by Mark Mcdonald 16 Apr '07

16 Apr '07

Joachim Hergeth (GTS) <mailto:jhergeth@freenet.de> wrote on Monday, April 16, 2007 10:58 PM: > To my knowledge and experience it is not possible to change data in an > LDAP-consumer. You have to change the data in the producer and it then > gets forwarded to the consumer by the syncrepl process. > I observed this in my OpenLDAP installation. > > Please correct me if I am wrong or if specific options have to be used to > enable it. This is correct, as the names suggest the Provider will provide changes to the consumer(s). In some circumstances it is possible (although extrememly bad practice) to impersonate the provider to make a change on a consumer, but the consumer will not notify any other nodes as it that is the role of the provider. A 'normal' LDAP system consists of a provider who feeds all data to consumers. The consumers receive changes ONLY from the provider and the provider will receive updates from your clients. There are other situations (multiple-tier systems, multiple providers, etc) that require quite a bit more knowledge to configure. Consumers are able to refer updates to the provider using referrals. For more information search the list archives for referrals. Mark

2 1

ldapadd doubt
by Irfaz 16 Apr '07

16 Apr '07

Hi. I am not able to add an entry to ldap server..It was added initially and I have deleted using ldap_delete_ext API..I am not able to add that entry later.... mpmc-tester2:/usr/local/libexec# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f example.ldif Enter LDAP Password: adding new entry "dc=my-domain,dc=com" ldap_add: Already exists (68) while listing the contents from server, ldap search only displays Returned dn : dc=my-domain,dc=com objectClass : dcObject objectClass : organization o : Example Company dc : my-domain That means cn=Manager,dc=my-domain,dc=com is not yet added to server , and is not existing , only dc=my-domain,dc=com exists.......... Please guide me to add cn=Manager,dc=my-domain,dc=com to openLDAP....... My ldif file is as follows: dn: dc=my-domain,dc=com dc: my-domain objectClass: organization objectClass: domainRelatedObject objectClass: dcObject o: my-domain, Inc. description: location 1 associatedDomain: my-domain.com dn: cn=Manager,dc=my-domain,dc=com cn: Manager objectClass: organizationalRole Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

2 1

slapo-chain
by Joshua M. Miller 16 Apr '07

16 Apr '07

Is the slapo-chain overlay implemented in version 2.3.34 of OpenLDAP? I have compiled with: --enable-overlays=mod support and I get an error on slaptest when specifying the chain overlay: # slaptest overlay "chain" not found slaptest: bad configuration file! After reviewing the man page for slapo-chain it looks almost like I should load the back-ldap module to support chaining but this introduced another error so I'm not sure. Is slapo-chain supported in 2.3.34? TIA, -- Joshua M. Miller - RHCE,VCP

3 3

syncrepl and openLDAP sync feature
by Irfaz 16 Apr '07

16 Apr '07

Slapd Provider - OpenLDAP 2.4 Slapd Consumer - OpenLDAP 2.4 : running on 2 boards >From provider to consumer replication is possible A Client connected to provider - C test code that uses sync APis is working fine... A Client connected to consumer - C test code using Sync Apis gives "Critical Extension unavailable error". How to resolve this??? More Doubts: Provider side/consumer side : suppose 3 clients are there.........if one client modifies an entry , will all the other clients will be able to get notification simultaneously. Can Clients in provider side be notified about changes happened to a client in consumer side.... I am just testing to learn more about open LDAP sync feature..so any input given will help me to reach my goal faster ........... Thanks for any help given.......... Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2007