April 2007 - openldap-software

by Alec Thomas

Hi, I have a similar situation to the one mentioned here: http://www.openldap.org/lists/openldap-software/200607/msg00024.html I was wondering if somebody could clarify why this behaviour is intentional? Alec -- Evolution: Taking care of those too stupid to take care of themselves.

16 years, 8 months

5
7
0 / 0

Replication with Open LDAP

by Jools

Hi All, I'm half way through implementing and LDAP Master/Slave setup and have ground to a halt on replication. I have LDAP working fine on the master and Samba works fine with it but I can't get the slurpd to push changes to the slave. When I try I get the following: Apr 5 15:15:37 smb7 slapd[5578]: fd=16 DENIED from unknown (172.20.0.105) I have the following in slapd.conf on the master: replica host=172.20.0.107:389 binddn="cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk" bindmethod=simple credentials=??????????? (omitted for obvious reasons) and this on the slave: # Replicas running syncrepl as non-rootdn "cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk" limits group="cn=Replicator,dc=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" size=unlimited time=unlimited # ACL ensuring replicator has write access access to * by group="cn=Replicator,ou=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by * read # Replica configuration (if this server is a slave) updatedn "cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk" updateref "ldap://172.20.0.105" I've created a group called Replicator and a user in it called Replicator but I keep getting the fd16 message. Any suggestions and also which files do you need to check out. Cherrs, jools

16 years, 8 months

5
6
0 / 0

Access Control: Limiting based on regex

by Alexander Skwar

Hello. Reading the OpenLDAP 2.3 documentation on http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control, I find the following: <access directive> ::= access to <what> [by <who> <access> <control>]+ <what> ::= * | [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] [filter=<ldapfilter>] [attrs=<attrlist>] <basic-style> ::= regex | exact <scope-style> ::= base | one | subtree | children <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist> <attr> ::= <attrname> | entry | children <who> ::= * | [anonymous | users | self | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] [dnattr=<attrname>] [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>] [peername[.<basic-style>]=<regex>] [sockname[.<basic-style>]=<regex>] [domain[.<basic-style>]=<regex>] [sockurl[.<basic-style>]=<regex>] [set=<setspec>] [aci=<attrname>] <access> ::= [self]{<level>|<priv>} <level> ::= none | auth | compare | search | read | write <priv> ::= {=|+|-}{w|r|s|c|x|0}+ <control> ::= [stop | continue | break] I'm particularly interested in the "what" clause: <what> ::= * | [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] I understand the term "dn[.<basic-style>]" so, that ".<basic-style>" is optional and can be left out; ie. there's no need to write ".regex" or ".exact". But when I write "access to dn=".*,dc=mylan,dc=net" attr=userPassword" in my slapd.conf, I cannot start slapd: Apr 5 13:09:51 winds06 slapd[11740]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $ Apr 5 13:09:51 winds06 asmoore@ra Apr 5 13:09:51 winds06 slapd[11740]: [ID 933944 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: "attr" is deprecated (and undocumented); use "attrs" instead. Apr 5 13:09:51 winds06 slapd[11740]: [ID 868080 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: bad DN ".*,dc=mylan,dc=net" in to DN clause Apr 5 13:09:51 winds06 slapd[11740]: [ID 583609 local4.debug] <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ Apr 5 13:09:51 winds06 unparseable log message: "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]" Apr 5 13:09:51 winds06 unparseable log message: "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>" Apr 5 13:09:51 winds06 unparseable log message: "<attrlist> ::= <attr> [ , <attrlist> ]" Apr 5 13:09:51 winds06 unparseable log message: "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children" Apr 5 13:09:51 winds06 unparseable log message: "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]" Apr 5 13:09:51 winds06 [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] Apr 5 13:09:51 winds06 [dnattr=<attrname>] Apr 5 13:09:51 winds06 [realdnattr=<attrname>] Apr 5 13:09:51 winds06 [group[/<objectclass>[/<attrname>]][.<style>]=<group>] Apr 5 13:09:51 winds06 [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] Apr 5 13:09:51 winds06 [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] Apr 5 13:09:51 winds06 [aci[=<attrname>]] Apr 5 13:09:51 winds06 [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] Apr 5 13:09:51 winds06 unparseable log message: "<style> ::= exact | regex | base(Object)" Apr 5 13:09:51 winds06 unparseable log message: "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex" Apr 5 13:09:51 winds06 unparseable log message: "<attrstyle> ::= exact | regex | base(Object) | on" Apr 5 13:09:51 winds06 slapd[11740]: [ID 486161 local4.debug] slapd stopped. Apr 5 13:09:51 winds06 slapd[11740]: [ID 432338 local4.debug] connections_destroy: nothing to destroy. It seems to me, that ".regex" or ".exact" is required, because when I write "access to dn.regex=".*,dc=mylan,dc=net" attr=userPassword" in my slapd.conf, I can start slapds just fine. Is this intended? I'm using OpenLDAP 2.3.31 on Solaris 10 (BTW: Why does the first quoted line of the syslog excerpt say "@(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $"?) Best regards, Alexander Skwar

16 years, 8 months

2
1
0 / 0

LDAP sync only : no replication between servers

by Irfaz

Thanks for all ur past replies........ I am a beginner in openLDAP field.....I am just started get familiarize with openLDAP features... Curently I am working on to test LDAP sync feature. My openLDAP server is running on suselinux machine and I have written a test code that acts as a client , trying to bind with the server. Slapd.conf , ldif file all have been configured and I am able to perform add , delete and other operations. I want the clients to be notified about the changes that have happened in the server...... My objective initially is a single server multiple client communication...... As I mentioned earlier I am using ldap sync APIs , first initialised the sync structure by calling ldap_sync_initialize and then calling ldap_sync_int after getting a suucessful connection and binding it to the server , and other necessary structure fields are also assigned respectively..... But "Unavilable critical extension is thrown" The solution given was to use slapd as a provider and use slapo-syncprov..... so my ldap server is the slapd provider but there are no consumers here....... slapd.conf is modified to include syncprov overlays in the server side ...but I dont know what more to be done in the client side.........The error was not been able to resolve.... I was not able to get information required by me from any where........ I wanted to use only LDAP content synchronisation protocol.........sync repl is not considered now.... It will be so thankful if u can provide me some guidelines in this aspect......... Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

16 years, 8 months

1
0
0 / 0

why '{SSHA}***' method is "Invalid credentials (49)"?

by Rocky Zhou

Now I'm making the openldap and Kerberos working together, I have a question about the password the ldap used. The configuration file /usr/local/etc/openldap/slapd.conf has these lines: # rootpw secret rootpw {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ while the second line is generated by slappasswd, I tried to use: sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ' to import accounts info into the database, but it reports: ldap_bind: Invalid credentials (49) If I use: rootpw secret sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w 'secret', it works. So why does the '{SSHA}' method failed? Thanks.

16 years, 8 months

4
3
0 / 0

startup costs was Re: filter preprocessing for performance improvement

by Eric Irrgang

I have a big problem whenever I have to restart a server. Obviously, the first search for objectclass=* is going to enumerate the whole directory. The problem is that even an anonymous user can cause the server to execute this search on the backend even though the ACLs and limits will keep them from getting any results. All it takes is a few poorly configured client applications to do some sort of poll and I have connections hanging for half an hour until the first objectclass=* search finishes. I run out of threads and every one of them is constantly trying to get CPU time. What I currently do is to keep a machine from being accessible by taking it out of the load-balancer's rotation for the half hour or so that it takes for me to do a search for objectclass=*, but I figure there has got to be another way. I have both eq and pres indexes on objectclass. It's just that I have a very big directory. I'm not trying to speed up the objectclass=* search. I'm trying to figure out how to keep it from impacting the server's responsiveness when it is being performed under circumstances where no entries will be returned, such as when sizelimits or ACLs (which are evaluated at the frontend after the backend has performed the operation, right) will block things. Any suggestions? One thing I just thought of would be to have a single entry that would always be accessible to any searcher and then set 'limits anonymous size=1'. Would that cause the backend operation to be canceled once the first entry were returned? That might save me something. On Fri, 2 Mar 2007, Howard Chu wrote: > (objectclass=*) is already a no-op in back-bdb/back-hdb. I made that > optimization back in November 2001. > > So yes, it's a nice idea, been there, done that. > >> I have a problem in that the first time someone performs a search for >> 'objectclass=*' after slapd is restarted, the server is really bogged down >> for a while. Once the search has completed once, this is not a problem. I >> assume that's due to the IDL cache. However, I currently have to keep the >> server unavailable after restarting slapd for upwards of half an hour while >> I do an 'objectclass=*' search the first time. > > Changing the behavior of (objectclass=*) isn't going to make any difference. > If you specify a filter that is too broad, then slapd has to trawl through > every entry in the DB because every entry satisfies the condition. -- Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342

16 years, 8 months

2
1
0 / 0

Addressbook ACL woes

by Bernhard D Rohrer

Hi Folks I have the following ACL # allow user to create entries in own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute ... access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha by dn.regex="uid=$1,ou=accounts,dc=graylion,dc=net" write by dn.regex="cn=admin,dc=graylion,dc=net" read by users none # ... and the entries CHILDREN access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$" attrs=children by dn.regex="uid=$1,ou=accounts,dc=graylion,dc=net" write by dn.regex="cn=admin,dc=graylion,dc=net" read by users none when I try to create an addressbook entry I get the following error message: Apr 4 19:27:31 collab slapd[32121]: conn=30 op=4 ADD dn="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" Apr 4 19:27:31 collab slapd[32121]: conn=29 op=5 ADD dn="uid=3c1fe30f930ea6cf1c0a85cd76d2b52d,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" Apr 4 19:27:31 collab slapd[32121]: conn=29 op=5 RESULT tag=105 err=50 text=no write access to parent Apr 4 19:27:31 collab slapd[32121]: conn=30 op=4 RESULT tag=105 err=0 text= even though it just added the parent?? consecutive attempts do not bring any help. any help appreciated cheers Bernhard -- Graylion's Fetish & Fashion Store Goth and Kinky Boots, Clothing and Jewellery http://www.graylion.net

16 years, 8 months

1
0
0 / 0

Can old database(ldbm, openldap-2.0.x) work with new database(ldbm openldap-2.3.27)

by Venkat Reddy Valluri

Hi, I recently installed OpenLdap-2.3.27 on my new redhat ES4. Can I use the old entries(Openldap 2.0.x) database(ldbm) on new Openldap-2.3.27. I copied all the entries and put it on the new server. but I am not able to read them in new server Thks&Rgds --Venkat

16 years, 8 months

4
4
0 / 0

LDAP C API : Sync prtocol

by Irfaz

Hi , I was not able to get much information about ldap_sync Apis usage and other configuration for achieving client notification about changes happened in server.... The information provided in the man page for ldap_sync APis is very limited and it is a comman page for all sync APis... Firstly I am initializing the ldap sync structure using ldap_sync_initialize and then pass this struct to ldap_sync_init as a part of basic testing....but ldap_sync_init is not successful... Critical Extension unavailable error is thrown... Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

16 years, 8 months

2
1
0 / 0

Persistent search doubt

by Irfaz

Hi.. I was trying to create persistent search and entry change notification controls to achieve client notification(LCUP protocol) using OpenLDAP C Apis in linux ... The control has to be made critical for the server to return the controls(ldap_get_entry_controls) in Entry change notification .....but "Unavilable critical extension" is thrown Please provide me ur suggestions to solve this... Irfaz Sait Software Engineer Huawei Technologies India Pvt. Ltd. INNOVATION NEVER STOPS! This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

16 years, 8 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2007