no TLS connections
by Fabrice Eudes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello everybody,
I am quite new to LDAP and I am testing locally before setting up a new
server. Unencrypted connections are all right, but I have no success with
TLS connections.
My box, a laptop, is a Debian Etch, the openldap version is 2.3.30 (the
packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).
If needed, I can give more details, but basically I followed these steps:
1) a. set up a local certification authority (CA)
b. created a certificate for the LDAP server, signed by my CA; I took
care that the Common Name is the server FQDN.
2) a. In /etc/default/slapd, I wrote
SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/
ldaps://arwen.grenier.ambre:636/" (where arwen.grenier.ambre is my
laptop FQDN)
b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
TLSCACertificateFile /etc/ldap/certificates/cacert.pem
TLSCertificateFile /etc/ldap/certificates/servercert.pem
TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
TLSVerifyClient never
c. In /etc/ldap/ldap.conf, I wrote:
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT never
I have read in the OpenLDAP admin guide that the TLS_REQCERT default value
is "demand", but it isn't compulsory, is it?
The request « ldapsearch -H ldap://arwen.grenier.ambre -x -D
"cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ » seems all right
as it returns all the directory entries, but in syslog (I put «loglevel
15» in slapd.conf) I have the following (I added some comments to easily
spot the possible errors):
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: >>>
slap_listener(ldap://arwen.grenier.ambre:389/)
Apr 18 23:15:25 localhost slapd[6727]: daemon: listen=6, new connection
on 11
Apr 18 23:15:25 localhost slapd[6727]: daemon: added 11r (active)
listener=(nil)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_extended
Apr 18 23:15:25 localhost slapd[6727]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_extended: err=0 oid= len=0
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=1
tag=120 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): unable to
get TLS client DN, error=49 id=8
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_bind
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal:
<cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal:
<cn=root,dc=irem,dc=univ-lille1,dc=fr>,
<cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: do_bind: version=3
dn="cn=root,dc=irem,dc=univ-lille1,dc=fr" method=128
Apr 18 23:15:25 localhost slapd[6727]: ==> bdb_bind: dn:
cn=root,dc=irem,dc=univ-lille1,dc=fr
Apr 18 23:15:25 localhost slapd[6727]: do_bind: v3 bind:
"cn=root,dc=irem,dc=univ-lille1,dc=fr" to
"cn=root,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=1 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0
matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=2
tag=97 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_search
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal:
<dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal:
<dc=irem,dc=univ-lille1,dc=fr>, <dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: SRCH
"dc=irem,dc=univ-lille1,dc=fr" 2 0
Apr 18 23:15:25 localhost slapd[6727]: 0 0 0
Apr 18 23:15:25 localhost slapd[6727]: filter: (objectClass=*)
Apr 18 23:15:25 localhost slapd[6727]: attrs:
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: => bdb_search
Apr 18 23:15:25 localhost slapd[6727]:
bdb_dn2entry("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: search_candidates:
base="dc=irem,dc=univ-lille1,dc=fr" (0x00000056) scope=2
Apr 18 23:15:25 localhost slapd[6727]: =>
bdb_dn2idl("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: => bdb_presence_candidates
(objectClass)
Apr 18 23:15:25 localhost slapd[6727]: bdb_search_candidates: id=-1
first=1 last=171
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <= entry_decode(dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "cn=admin,dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <=
entry_decode(cn=admin,dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("domain")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8
dn="dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
[ ... more search results ... ]
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8
dn="uid=arlette.lengaigne,ou=personnes,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=2 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0
matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=3
tag=101 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=0 (Success)
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): input
error=-2 id=8, closing.
Apr 18 23:15:25 localhost slapd[6727]: connection_closing: readying
conn=8 sd=11 for close
Apr 18 23:15:25 localhost slapd[6727]: connection_close: deferring
conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_unbind
Apr 18 23:15:25 localhost slapd[6727]: connection_resched: attempting
closing conn=8 sd=11
Apr 18 23:15:25 localhost slapd[6727]: connection_close: conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: removing 11
I am quite sure that my setup is not totally correct as, for instance, I
successfully connect to the directory from the phpLDAPadmin web interface
without TLS, but can't connect with TLS (or ldaps).
And another question :-)
What's the story with TLS_CIPHER_SUITE in ldap.conf, and TLSCipherSuite
in slapd.conf? Do they have to be set to some value? When I read the
admin guide, I don't understand if there is a default value or not, and
there is nothing concerning these directives in the Faq-O-Matic TLS entry.
Thanks for your help.
- --
Fabrice Eudes -o)
PGP key 88AC3A66 /\\
Linux user no. 245401 _\_V
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGJo2RC7KnmYisOmYRAlqUAJ9hyv9dwGIVLOXyN7Cvjy7MRKCyfQCg1ZSL
Gti/xrhf/V1yCuQnZOELHRI=
=qTSn
-----END PGP SIGNATURE-----
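The mail above pairs TLS_REQCERT never on the client with TLSVerifyClient never on the server. The following checker is an added example (not part of the original mail or of OpenLDAP) that parses ldap.conf / slapd.conf style directives and reports which settings switch off certificate verification; the directive semantics are those documented in ldap.conf(5) and slapd.conf(5), and the sample configuration texts are constructed from the values quoted in the mail.

```python
"""Flag OpenLDAP TLS directives that weaken or break certificate verification.

Added example for the thread above; not part of the original mail or of
OpenLDAP. Directive meanings follow ldap.conf(5) and slapd.conf(5). The
sample configuration texts are constructed from the values in the mail.
"""

# Constructed sample: the client config as posted (TLS_REQCERT never).
POSTED_LDAP_CONF = """\
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT never
"""

# Constructed sample: the same client config with verification enforced.
HARDENED_LDAP_CONF = """\
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT demand
"""

# Constructed sample: the server-side TLS lines as posted.
POSTED_SLAPD_CONF = """\
TLSCACertificateFile /etc/ldap/certificates/cacert.pem
TLSCertificateFile /etc/ldap/certificates/servercert.pem
TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
TLSVerifyClient never
"""


def parse_conf(text):
    """Parse 'directive value' lines into {DIRECTIVE: value}; directive names are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


# What each TLS_REQCERT value means for the client (ldap.conf(5)); None = verification enforced.
CLIENT_REQCERT_RISK = {
    "NEVER": "the server certificate is neither requested nor checked, so the client "
             "cannot tell the real server from an impostor",
    "ALLOW": "a missing or invalid server certificate is accepted, so the server is not authenticated",
    "TRY": "a missing server certificate is accepted; only an invalid one aborts the session",
    "DEMAND": None,
    "HARD": None,
}


def check_client_tls(conf):
    """Return findings for a parsed ldap.conf; an empty list means server verification is enforced."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").upper()  # ldap.conf(5): the default is demand
    risk = CLIENT_REQCERT_RISK.get(reqcert, "unknown TLS_REQCERT value")
    if risk:
        findings.append(f"TLS_REQCERT {reqcert.lower()}: {risk}; set TLS_REQCERT demand")
    if reqcert in ("DEMAND", "HARD") and not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("TLS_REQCERT demand without TLS_CACERT or TLS_CACERTDIR: the client "
                        "has no trust anchor, so every verified session will fail")
    return findings


def check_server_tls(conf):
    """Return findings for the TLS section of a parsed slapd.conf."""
    findings = []
    for directive in ("TLSCERTIFICATEFILE", "TLSCERTIFICATEKEYFILE"):
        if directive not in conf:
            findings.append(f"{directive} missing: slapd has no certificate or key to offer for TLS")
    if conf.get("TLSVERIFYCLIENT", "never").lower() == "never":  # slapd.conf(5): default is never
        # Server-only authentication: no client certificate is requested, so no
        # client DN exists for SASL EXTERNAL. Acceptable when only the server
        # needs to be authenticated, so this is reported as informational.
        findings.append("TLSVerifyClient never: clients are not asked for a certificate "
                        "(server-only authentication)")
    return findings


if __name__ == "__main__":
    for name, text, check in (("posted ldap.conf", POSTED_LDAP_CONF, check_client_tls),
                              ("hardened ldap.conf", HARDENED_LDAP_CONF, check_client_tls),
                              ("posted slapd.conf", POSTED_SLAPD_CONF, check_server_tls)):
        print(name, "->", check(parse_conf(text)) or ["ok"])
```

The client-side finding is the one that matters for a STARTTLS (-ZZ) or ldaps session: with TLS_REQCERT never the handshake succeeds against any certificate, so the encrypted session proves nothing about who answered. Setting demand makes the CA file the trust anchor, which is why the checker also reports a demand setting that has no TLS_CACERT to verify against.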
Building OpenLDAP 3.3.35 with Kerberos on SLES9
by Andrew Scott
Hello all,
I've been pulling hair out in tufts over the last week trying to get
OpenLDAP 2.3.35 to build with Kerberos 5 support on a SLES9 machine
(AMD64). I've spent hours searching the mailing lists and Google. All
I could find were messages from several years ago admonishing people for
not searching, or questions with no answers.
Anyway, I finally got it, which leads to my question below.
First, this machine is SLES9, Service Pack Three. SuSE provides the
Heimdal Kerberos implementation. It also has Cyrus SASL. For some
strange reason, the OpenLDAP packages SuSE supplies for SLES9 do not
have Kerberos compiled in, so I went and grabbed the openldap-2.3.35
tarball and set about trying to build it.
The biggest problem is the configure script completely ignores the
-with-kerberos option. Completely. I've searched, and I can't find any
mention of why this is.
Starting at line 18,158 in the configure script, I found this block:
----
ol_link_kbind=no
ol_link_krb5=no
ol_link_krb4=no
case $ol_with_kerberos in yes | auto | k5 | k5only | k425)
----
Changing "ol_link_krb5" to "yes" had no effect. But changing
"ol_link_krb5" to "yes" AND adding the line "ol_with_kerberos=yes" right
above the case statement got the configure script to actually start
looking for Kerberos libraries and headers. After that, it was just a
matter of setting the right CCFLAGS and LDFLAGS environment variables so
configure could find the headers and libraries. Once all that was in
place, it built like a champ and seems to be working.
So my question is, why does "-with-kerberos" not work anymore? Is this
a conscious decision, or a bug?
Thanks!
Andrew Scott
Louisville, KY
FW: Sync repl
by Irfaz
The error I was getting in the below mentioned case while running the
following command on the slave was:
ldapsearch -x -D dc=my-domain,dc=com -w secret -H ldap://masterip -b
dc=my-domain,dc=com -s base contextCSN
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
Please provide me your valuable inputs to proceed further...
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
This e-mail and attachments contain confidential information from HUAWEI,
which is intended only for the person or entity whose address is listed
above. Any use of the information contained herein in any way (including,
but not limited to, total or partial disclosure, reproduction, or
dissemination) by persons other than the intended recipients is
prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!
_____
From: Irfaz [mailto:irfazs@huawei.com]
Sent: Tuesday, April 17, 2007 15:39
To: 'openldap-software(a)openldap.org'
Subject: Sync repl
Using syncrepl to replicate, will the slave server automatically take
the contents from the server, or do some commands have to be executed?
I am not able to get the replication.
master : slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
database monitor
loglevel 55
master : example.ldif
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: organization
objectClass: domainRelatedObject
objectClass: dcObject
o: my-domain, Inc.
description: location 1
associatedDomain: my-domain.com

dn: cn=Manager,dc=my-domain,dc=com
cn: Manager
objectClass: organizationalRole

dn: ou=user,dc=my-domain,dc=com
ou: user
description: location 1
objectClass: organizationalUnit

dn: cn=u1,ou=user,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: organizationalPerson
objectClass: top
givenName: irfaz
uid: 1
mail: 1(a)gmail.com
sn: SURNAMEu1
cn: u1

dn: cn=u2,ou=user,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: organizationalPerson
objectClass: top
givenName: sharfaz
uid: 2
mail: 2(a)gmail.com
sn: SURNAMEu2
cn: u2
/* Provider slapd.conf */
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
syncrepl rid=125
provider=ldap://localhost:9011
type=refreshAndPersist
interval=00:00:00:10
searchbase="dc=my-domain,dc=com"
filter="(objectClass=organizationalPerson)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=my-domain,dc=com"
credentials=secret
Thanks in advance for any comments given!
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
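The forwarded mail checks replication state by reading contextCSN on the slave. The script below is an added example (not part of the original mail or of OpenLDAP) that parses the CSN values slapd writes into contextCSN and turns a provider/consumer pair into a replication lag figure, which is what a monitoring check would alert on. The CSN syntax (timestamp, change count, server ID, modification number, with fractional seconds present in 2.4-style CSNs and absent in 2.3-style ones) is as slapd emits it; the two ldapsearch outputs are constructed samples, not captured data.

```python
"""Compare provider and consumer contextCSN values to measure syncrepl lag.

Added example for the thread above; not part of the original mail or of
OpenLDAP. The ldapsearch outputs below are constructed samples.
"""
import re
from datetime import datetime, timedelta, timezone

CSN_RE = re.compile(
    r"^(?P<ts>\d{14})(?:\.(?P<frac>\d{6}))?Z"   # YYYYmmddHHMMSS[.uuuuuu]Z
    r"#(?P<count>[0-9a-fA-F]{6})"               # change count within that second
    r"#(?P<sid>[0-9a-fA-F]{2,3})"               # server ID that made the change (2 hex digits in 2.3, 3 in 2.4)
    r"#(?P<mod>[0-9a-fA-F]{6})$"                # modification number
)


def parse_csn(csn):
    """Return (utc_datetime, count, sid, mod) for one CSN string."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    when = datetime.strptime(m["ts"], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if m["frac"]:
        when += timedelta(microseconds=int(m["frac"]))
    return when, int(m["count"], 16), int(m["sid"], 16), int(m["mod"], 16)


def context_csns(ldif_text):
    """Extract contextCSN values from 'ldapsearch ... -s base contextCSN' output, keyed by sid."""
    result = {}
    for line in ldif_text.splitlines():
        if line.lower().startswith("contextcsn:"):
            parsed = parse_csn(line.split(":", 1)[1])
            result[parsed[2]] = parsed
    return result


def replication_lag(provider_ldif, consumer_ldif):
    """Return {sid: lag_seconds}; None for a server ID the consumer has never received.

    Lag is the provider timestamp minus the consumer timestamp for the same
    server ID; 0.0 means the consumer has caught up with that server's changes.
    """
    prov, cons = context_csns(provider_ldif), context_csns(consumer_ldif)
    lag = {}
    for sid, (p_when, *_) in prov.items():
        lag[sid] = None if sid not in cons else (p_when - cons[sid][0]).total_seconds()
    return lag


def in_sync(provider_ldif, consumer_ldif):
    """True when every provider contextCSN is matched exactly on the consumer."""
    prov, cons = context_csns(provider_ldif), context_csns(consumer_ldif)
    return all(sid in cons and cons[sid] == csn for sid, csn in prov.items())


# Constructed samples resembling 'ldapsearch -s base contextCSN' output on each side.
PROVIDER_OUT = """\
dn: dc=my-domain,dc=com
contextCSN: 20070417103955.000000Z#000000#000#000000
"""
CONSUMER_OUT = """\
dn: dc=my-domain,dc=com
contextCSN: 20070417103945.000000Z#000000#000#000000
"""

if __name__ == "__main__":
    print("lag by server ID:", replication_lag(PROVIDER_OUT, CONSUMER_OUT))
    print("in sync:", in_sync(PROVIDER_OUT, CONSUMER_OUT))
```

A consumer whose contextCSN never advances while the provider's does is the signature of a consumer that binds but receives nothing, for instance because its syncrepl search has no read access on the provider; comparing the two values is therefore a better health check than the success of the bind alone.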
Consumer server : syncrepl
by Irfaz
Hi,
If syncrepl works fine and the master contents are replicated to a slave
server, can the slave server add a new entry of its own and then notify the
change to the master (provider)?
Can the slave server have its own clients that access the slave server for
information directly?
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
Sync repl
by Irfaz
Using syncrepl to replicate, will the slave server automatically take
the contents from the server, or do some commands have to be executed?
I am not able to get the replication.
master : slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
database monitor
loglevel 55
master : example.ldif
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: organization
objectClass: domainRelatedObject
objectClass: dcObject
o: my-domain, Inc.
description: location 1
associatedDomain: my-domain.com

dn: cn=Manager,dc=my-domain,dc=com
cn: Manager
objectClass: organizationalRole

dn: ou=user,dc=my-domain,dc=com
ou: user
description: location 1
objectClass: organizationalUnit

dn: cn=u1,ou=user,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: organizationalPerson
objectClass: top
givenName: irfaz
uid: 1
mail: 1(a)gmail.com
sn: SURNAMEu1
cn: u1

dn: cn=u2,ou=user,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: organizationalPerson
objectClass: top
givenName: sharfaz
uid: 2
mail: 2(a)gmail.com
sn: SURNAMEu2
cn: u2
/* Provider slapd.conf */
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
syncrepl rid=125
provider=ldap://localhost:9011
type=refreshAndPersist
interval=00:00:00:10
searchbase="dc=my-domain,dc=com"
filter="(objectClass=organizationalPerson)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=my-domain,dc=com"
credentials=secret
Thanks in advance for any comments given!
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
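Both Sync repl mails (the original above and the forwarded copy earlier on this page) show a consumer whose syncrepl directive combines type=refreshAndPersist with an interval, binds to an ldap:// provider with a simple password, and uses cn=Manager, the rootdn, as binddn. The checker below is an added example, not part of the original mails or of OpenLDAP: it extracts the multi-line syncrepl directive from slapd.conf-style text and reports those three points, following the option semantics in slapd.conf(5) (interval applies to refreshOnly only; starttls=yes or critical protects the session). The first sample is constructed from the file the mail labels "Provider slapd.conf", which carries the syncrepl directive and is therefore the consumer side; the hardened sample is constructed too, and cn=replicator is an assumed name for a dedicated replication identity.

```python
"""Sanity-check a consumer's syncrepl directive for ignored or risky options.

Added example for the Sync repl mails above; not part of the original mails
or of OpenLDAP. Option semantics follow slapd.conf(5). Both configuration
texts are constructed samples.
"""
import re

PAIR_RE = re.compile(r"^(\w+)=(.*)$")


def _store(params, line):
    """Record one key=value option line; return False if the line is not an option."""
    m = PAIR_RE.match(line)
    if not m:
        return False
    params[m.group(1).lower()] = m.group(2).strip().strip('"')
    return True


def parse_consumer(text):
    """Return (rootdn, {syncrepl option: value}) from slapd.conf-style text.

    The syncrepl directive continues over the following lines for as long as
    each line is a key=value pair, which is how the mails above lay it out.
    """
    rootdn, params, in_syncrepl = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_syncrepl and _store(params, line):
            continue
        in_syncrepl = False
        if line.lower().startswith("rootdn "):
            rootdn = line.split(None, 1)[1].strip().strip('"')
        elif line.lower().startswith("syncrepl"):
            in_syncrepl = True
            _store(params, line[len("syncrepl"):].strip())  # e.g. 'syncrepl rid=125'
    return rootdn, params


def check_syncrepl(rootdn, p):
    """Return findings for one parsed syncrepl directive; empty means nothing to report."""
    if not p:
        return ["no syncrepl directive found: this slapd is not configured as a consumer"]
    findings = []
    if p.get("type", "refreshOnly").lower() == "refreshandpersist" and "interval" in p:
        findings.append("interval= only applies to type=refreshOnly; with refreshAndPersist the "
                        "provider pushes changes over a persistent search and the interval is ignored")
    if p.get("provider", "").startswith("ldap://") and p.get("starttls", "no").lower() not in ("yes", "critical"):
        findings.append("provider uses ldap:// without starttls=critical: the bind password and all "
                        "replicated entries cross the network in cleartext")
    if rootdn and p.get("binddn") == rootdn:
        findings.append("binddn equals this server's rootdn: replication should bind with a dedicated, "
                        "read-only replicator identity on the provider, not an administrative account")
    return findings


# Constructed sample: the consumer directive as quoted in the mail.
POSTED_CONSUMER_CONF = """\
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
syncrepl rid=125
provider=ldap://localhost:9011
type=refreshAndPersist
interval=00:00:00:10
searchbase="dc=my-domain,dc=com"
filter="(objectClass=organizationalPerson)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=my-domain,dc=com"
credentials=secret
"""

# Constructed sample: the same directive with the three points addressed (cn=replicator is assumed).
HARDENED_CONSUMER_CONF = """\
rootdn "cn=Manager,dc=my-domain,dc=com"
syncrepl rid=125
provider=ldap://localhost:9011
starttls=critical
type=refreshAndPersist
retry="60 +"
searchbase="dc=my-domain,dc=com"
scope=sub
attrs="*"
bindmethod=simple
binddn="cn=replicator,dc=my-domain,dc=com"
credentials=replicator-password
database monitor
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONSUMER_CONF), ("hardened", HARDENED_CONSUMER_CONF)):
        print(name, "->", check_syncrepl(*parse_consumer(text)) or ["ok"])
```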
SyncRepl on Request?
by hadmut@danisch.de
Hi,
I'd like to use SyncReplication on some Notebooks with local ldap
servers to be updated whenever they connect to the Home LAN.
Unfortunately, the syncrepl directive uses a fixed time interval.
I would need a way to run the replication on request and only on
request, i.e.
- run when the notebook is connected to the home lan, whatever
time
- do not run when the notebook is not connected to the home lan
The best way would be to run replication only when triggered through
an external command.
Any way to achieve that?
regards
Hadmut
RE: syncrepl and openLDAP sync feature
by Mark Mcdonald
Joachim Hergeth (GTS) <mailto:jhergeth@freenet.de> wrote on Monday, April 16,
2007 10:58 PM:
> To my knowledge and experience it is not possible to change data in an
> LDAP-consumer. You have to change the data in the producer and it then
> gets forwarded to the consumer by the syncrepl process.
> I observed this in my OpenLDAP installation.
>
> Please correct me if I am wrong or if specific options have to be used to
> enable it.
This is correct, as the names suggest the Provider will provide changes to the consumer(s). In some circumstances it is possible (although extremely bad practice) to impersonate the provider to make a change on a consumer, but the consumer will not notify any other nodes, as that is the role of the provider.
A 'normal' LDAP system consists of a provider who feeds all data to consumers. The consumers receive changes ONLY from the provider and the provider will receive updates from your clients. There are other situations (multiple-tier systems, multiple providers, etc.) that require quite a bit more knowledge to configure.
Consumers are able to refer updates to the provider using referrals. For more information, search the list archives for referrals.
Mark
ldapadd doubt
by Irfaz
Hi,
I am not able to add an entry to the LDAP server. It was added
initially and I deleted it using the ldap_delete_ext API. I am not able to add
that entry later.
mpmc-tester2:/usr/local/libexec# ldapadd -x -D
"cn=Manager,dc=my-domain,dc=com" -W -f example.ldif
Enter LDAP Password:
adding new entry "dc=my-domain,dc=com"
ldap_add: Already exists (68)
While listing the contents from the server, ldapsearch only displays:
Returned dn : dc=my-domain,dc=com
objectClass : dcObject
objectClass : organization
o : Example Company
dc : my-domain
That means cn=Manager,dc=my-domain,dc=com is not yet added to the server and
does not exist; only dc=my-domain,dc=com exists.
Please guide me on adding cn=Manager,dc=my-domain,dc=com to OpenLDAP.
My ldif file is as follows:
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: organization
objectClass: domainRelatedObject
objectClass: dcObject
o: my-domain, Inc.
description: location 1
associatedDomain: my-domain.com

dn: cn=Manager,dc=my-domain,dc=com
cn: Manager
objectClass: organizationalRole
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
slapo-chain
by Joshua M. Miller
Is the slapo-chain overlay implemented in version 2.3.34 of OpenLDAP? I
have compiled with:
--enable-overlays=mod
support and I get an error on slaptest when specifying the chain overlay:
# slaptest
overlay "chain" not found
slaptest: bad configuration file!
After reviewing the man page for slapo-chain it looks almost like I
should load the back-ldap module to support chaining but this introduced
another error so I'm not sure.
Is slapo-chain supported in 2.3.34?
TIA,
--
Joshua M. Miller - RHCE,VCP
syncrepl and openLDAP sync feature
by Irfaz
Slapd Provider - OpenLDAP 2.4
Slapd Consumer - OpenLDAP 2.4 : running on 2 boards
From provider to consumer, replication is possible.
A client connected to the provider - C test code that uses the sync APIs is working
fine...
A client connected to the consumer - C test code using the sync APIs gives a "Critical
Extension unavailable" error. How do I resolve this?
More doubts:
Provider side/consumer side: suppose 3 clients are there. If one
client modifies an entry, will all the other clients be able to get the
notification simultaneously?
Can clients on the provider side be notified about changes that happened to a client
on the consumer side?
I am just testing to learn more about the OpenLDAP sync feature, so any input
given will help me to reach my goal faster.
Thanks for any help given.
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!