Replication with Open LDAP
by Jools
Hi All,
I'm halfway through implementing an LDAP Master/Slave setup and have ground to
a halt on replication.
I have LDAP working fine on the master, and Samba works fine with it, but I can't
get slurpd to push changes to the slave.
When I try I get the following:
Apr 5 15:15:37 smb7 slapd[5578]: fd=16 DENIED from unknown (172.20.0.105)
I have the following in slapd.conf on the master:
replica host=172.20.0.107:389
binddn="cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
bindmethod=simple credentials=??????????? (omitted for obvious reasons)
and this on the slave:
# Replicas running syncrepl as non-rootdn
"cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
limits group="cn=Replicator,dc=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
size=unlimited
time=unlimited
# ACL ensuring replicator has write access
access to *
by group="cn=Replicator,ou=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by * read
# Replica configuration (if this server is a slave)
updatedn "cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
updateref "ldap://172.20.0.105"
I've created a group called Replicator and a user in it called Replicator, but I
keep getting the fd=16 message.
Any suggestions? Also, which files do you need to check out?
Cheers,
jools
16 years, 8 months
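The "fd=16 DENIED from unknown (172.20.0.105)" line is what slapd logs when its TCP-wrappers (hosts_access) check refuses an incoming connection; "unknown" means the peer address had no reverse DNS name, so only address tokens can match it. The example below is added here and is not from the post or from OpenLDAP: it evaluates constructed hosts.allow and hosts.deny contents the way hosts_access(5) does for a daemon name and client IP, so an administrator can confirm what the replication peer will get before restarting slapd. EXCEPT lists, @netgroups and PARANOID are not handled.

```python
import ipaddress

# Constructed sample files (not the poster's): a least-privilege replica setup
# where only the master's address may reach slapd and everything else is refused.
HOSTS_ALLOW = "slapd: 172.20.0.105\n"
HOSTS_DENY = "ALL: ALL\n"

def token_matches(token, ip, name_known):
    """One client token of a hosts_access(5) client_list."""
    if token == "ALL":
        return True
    if token == "KNOWN":
        return name_known
    if token == "UNKNOWN":                       # peer with no reverse DNS name
        return not name_known
    if token.endswith("."):                      # leading-octets prefix, e.g. 172.20.
        return str(ip).startswith(token)
    if "/" in token:                             # net/mask, e.g. 172.20.0.0/255.255.255.0
        net, mask = token.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return str(ip) == token

def file_matches(text, daemon, ip, name_known):
    """True if any 'daemon_list : client_list' line of the file matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        fields = line.split(":")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(token_matches(tok, ip, name_known) for tok in clients):
            return True
    return False

def hosts_access(allow_text, deny_text, client_ip, name_known=False, daemon="slapd"):
    """hosts_access(3) order: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise the connection is allowed."""
    ip = ipaddress.ip_address(client_ip)
    if file_matches(allow_text, daemon, ip, name_known):
        return "ALLOWED"
    if file_matches(deny_text, daemon, ip, name_known):
        return "DENIED"
    return "ALLOWED"

if __name__ == "__main__":
    print("master  ", hosts_access(HOSTS_ALLOW, HOSTS_DENY, "172.20.0.105"))
    print("stranger", hosts_access(HOSTS_ALLOW, HOSTS_DENY, "10.1.2.3"))
```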
Access Control: Limiting based on regex
by Alexander Skwar
Hello.
Reading the OpenLDAP 2.3 documentation on http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control,
I find the following:
<access directive> ::= access to <what>
[by <who> <access> <control>]+
<what> ::= * |
[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
[filter=<ldapfilter>] [attrs=<attrlist>]
<basic-style> ::= regex | exact
<scope-style> ::= base | one | subtree | children
<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= * | [anonymous | users | self
| dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
[dnattr=<attrname>]
[group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
[peername[.<basic-style>]=<regex>]
[sockname[.<basic-style>]=<regex>]
[domain[.<basic-style>]=<regex>]
[sockurl[.<basic-style>]=<regex>]
[set=<setspec>]
[aci=<attrname>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x|0}+
<control> ::= [stop | continue | break]
I'm particularly interested in the "what" clause:
<what> ::= * |
[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
I understand the term "dn[.<basic-style>]" to mean that ".<basic-style>"
is optional and can be left out, i.e. there's no need to write
".regex" or ".exact".
But when I write "access to dn=".*,dc=mylan,dc=net" attr=userPassword"
in my slapd.conf, I cannot start slapd:
Apr 5 13:09:51 winds06 slapd[11740]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $
Apr 5 13:09:51 winds06 asmoore@ra
Apr 5 13:09:51 winds06 slapd[11740]: [ID 933944 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: "attr" is deprecated (and undocumented); use "attrs" instead.
Apr 5 13:09:51 winds06 slapd[11740]: [ID 868080 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: bad DN ".*,dc=mylan,dc=net" in to DN clause
Apr 5 13:09:51 winds06 slapd[11740]: [ID 583609 local4.debug] <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
Apr 5 13:09:51 winds06 unparseable log message: "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]"
Apr 5 13:09:51 winds06 unparseable log message: "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>"
Apr 5 13:09:51 winds06 unparseable log message: "<attrlist> ::= <attr> [ , <attrlist> ]"
Apr 5 13:09:51 winds06 unparseable log message: "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children"
Apr 5 13:09:51 winds06 unparseable log message: "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]"
Apr 5 13:09:51 winds06 [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
Apr 5 13:09:51 winds06 [dnattr=<attrname>]
Apr 5 13:09:51 winds06 [realdnattr=<attrname>]
Apr 5 13:09:51 winds06 [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
Apr 5 13:09:51 winds06 [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
Apr 5 13:09:51 winds06 [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
Apr 5 13:09:51 winds06 [aci[=<attrname>]]
Apr 5 13:09:51 winds06 [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
Apr 5 13:09:51 winds06 unparseable log message: "<style> ::= exact | regex | base(Object)"
Apr 5 13:09:51 winds06 unparseable log message: "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex"
Apr 5 13:09:51 winds06 unparseable log message: "<attrstyle> ::= exact | regex | base(Object) | on"
Apr 5 13:09:51 winds06 slapd[11740]: [ID 486161 local4.debug] slapd stopped.
Apr 5 13:09:51 winds06 slapd[11740]: [ID 432338 local4.debug] connections_destroy: nothing to destroy.
It seems to me that ".regex" or ".exact" is required, because when
I write "access to dn.regex=".*,dc=mylan,dc=net" attr=userPassword"
in my slapd.conf, I can start slapd just fine.
Is this intended?
I'm using OpenLDAP 2.3.31 on Solaris 10 (BTW: Why does the first quoted
line of the syslog excerpt say "@(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $"?)
Best regards,
Alexander Skwar
16 years, 8 months
LDAP sync only : no replication between servers
by Irfaz
Thanks for all your past replies.
I am a beginner in the OpenLDAP field. I have just started to get familiar with
OpenLDAP features.
Currently I am working on testing the LDAP sync feature.
My OpenLDAP server is running on a SUSE Linux machine and I have written test
code that acts as a client, trying to bind with the server.
slapd.conf and the LDIF file have all been configured and I am able to perform add,
delete and other operations.
I want the clients to be notified about the changes that have happened on
the server.
My objective initially is single-server, multiple-client
communication.
As I mentioned earlier, I am using the LDAP sync APIs: I first initialised the
sync structure by calling ldap_sync_initialize and then called
ldap_sync_init after
getting a successful connection and binding it to the server, and the other
necessary structure fields are also assigned respectively.
But "Unavailable critical extension" is thrown.
The solution given was to use slapd as a provider and use
slapo-syncprov.
So my LDAP server is the slapd provider, but there are no consumers
here.
slapd.conf is modified to include the syncprov overlay on the server side,
but I don't know what more is to be done on the client side. The error
has not been resolved.
I was not able to get the information I require from anywhere.
I wanted to use only the LDAP content synchronisation protocol; syncrepl
is not considered now.
I would be very thankful if you could provide me some guidelines in this
aspect.
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
This e-mail and attachments contain confidential information from HUAWEI,
which is intended only for the person or entity whose address is listed
above. Any use of the information contained herein in any way (including,
but not limited to, total or partial disclosure, reproduction, or
dissemination) by persons other than the intended recipient(s) is
prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!
16 years, 8 months
why '{SSHA}***' method is "Invalid credentials (49)"?
by Rocky Zhou
Now I'm making OpenLDAP and Kerberos work together, and I have a question
about the password LDAP uses. The configuration file
/usr/local/etc/openldap/slapd.conf has these lines:
# rootpw secret
rootpw {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ
where the second line is generated by slappasswd. I tried to use:
sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ'
to import account info into the database, but it reports:
ldap_bind: Invalid credentials (49)
If I use:
rootpw secret
sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w 'secret'
it works.
So why does the '{SSHA}' method fail?
Thanks.
16 years, 8 months
startup costs was Re: filter preprocessing for performance improvement
by Eric Irrgang
I have a big problem whenever I have to restart a server. Obviously, the
first search for objectclass=* is going to enumerate the whole directory.
The problem is that even an anonymous user can cause the server to execute
this search on the backend even though the ACLs and limits will keep them
from getting any results. All it takes is a few poorly configured client
applications to do some sort of poll and I have connections hanging for
half an hour until the first objectclass=* search finishes. I run out of
threads and every one of them is constantly trying to get CPU time.
What I currently do is to keep a machine from being accessible by taking
it out of the load-balancer's rotation for the half hour or so that it
takes for me to do a search for objectclass=*, but I figure there has got
to be another way. I have both eq and pres indexes on objectclass. It's
just that I have a very big directory.
I'm not trying to speed up the objectclass=* search. I'm trying to figure
out how to keep it from impacting the server's responsiveness when it is
being performed under circumstances where no entries will be returned,
such as when sizelimits or ACLs (which are evaluated at the frontend after
the backend has performed the operation, right) will block things. Any
suggestions?
One thing I just thought of would be to have a single entry that would
always be accessible to any searcher and then set 'limits anonymous
size=1'. Would that cause the backend operation to be canceled once the
first entry were returned? That might save me something.
On Fri, 2 Mar 2007, Howard Chu wrote:
> (objectclass=*) is already a no-op in back-bdb/back-hdb. I made that
> optimization back in November 2001.
>
> So yes, it's a nice idea, been there, done that.
>
>> I have a problem in that the first time someone performs a search for
>> 'objectclass=*' after slapd is restarted, the server is really bogged down
>> for a while. Once the search has completed once, this is not a problem. I
>> assume that's due to the IDL cache. However, I currently have to keep the
>> server unavailable after restarting slapd for upwards of half an hour while
>> I do an 'objectclass=*' search the first time.
>
> Changing the behavior of (objectclass=*) isn't going to make any difference.
> If you specify a filter that is too broad, then slapd has to trawl through
> every entry in the DB because every entry satisfies the condition.
--
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
16 years, 8 months
Addressbook ACL woes
by Bernhard D Rohrer
Hi Folks
I have the following ACL
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
by dn.regex="uid=$1,ou=accounts,dc=graylion,dc=net" write
by dn.regex="cn=admin,dc=graylion,dc=net" read
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
attrs=children
by dn.regex="uid=$1,ou=accounts,dc=graylion,dc=net" write
by dn.regex="cn=admin,dc=graylion,dc=net" read
by users none
When I try to create an addressbook entry I get the following error message:
Apr 4 19:27:31 collab slapd[32121]: conn=30 op=4 ADD dn="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 4 19:27:31 collab slapd[32121]: conn=29 op=5 ADD dn="uid=3c1fe30f930ea6cf1c0a85cd76d2b52d,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 4 19:27:31 collab slapd[32121]: conn=29 op=5 RESULT tag=105 err=50 text=no write access to parent
Apr 4 19:27:31 collab slapd[32121]: conn=30 op=4 RESULT tag=105 err=0 text=
Even though it just added the parent?? Consecutive attempts do not bring
any help.
Any help appreciated.
cheers
Bernhard
--
Graylion's Fetish & Fashion Store
Goth and Kinky Boots, Clothing and Jewellery
http://www.graylion.net
16 years, 8 months
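Two threads on this page turn on how slapd evaluates an "access to dn..." clause: the regex question above (a "to dn=" with no style is parsed as a literal DN, which is what the "bad DN ... in to DN clause" error reports, while dn.regex compiles a regular expression), and this addressbook thread, where an ADD is checked as write access to the parent entry's "children" pseudo-attribute and the "$1" in a "by dn.regex" clause is filled from the capture of the "to" regex. The example below is added here and is not from either post or from OpenLDAP: a small evaluator of those rules (first matching "to" clause decides, first matching "by" inside it gives the level, no match inside means none, no matching clause falls back to slapd's implicit "access to * by * read") run over a constructed rule set modelled on the second addressbook ACL.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def compile_what(pattern, style=None):
    """'to dn[.<style>]=<pattern>': with the style omitted the value is parsed as a
    literal DN (the 'bad DN ... in to DN clause' error); dn.regex compiles a regex."""
    if style == "regex":
        return ("regex", re.compile(pattern, re.IGNORECASE))
    if not all(re.fullmatch(r"[A-Za-z][\w-]*=[^,]+", rdn.strip())
               for rdn in pattern.split(",")):
        raise ValueError(f'bad DN "{pattern}" in to DN clause')
    return ("exact", pattern.lower())

def who_matches(who, subject, groups):
    style, pattern = who
    if style == "users":
        return subject != ""                      # any authenticated identity
    if style == "regex":                          # $1.. = captures of the 'to' regex
        expanded = re.sub(r"\$(\d)", lambda m: re.escape(groups[int(m.group(1)) - 1]), pattern)
        return re.search(expanded, subject, re.IGNORECASE) is not None
    return subject.lower() == pattern.lower()

def access_level(acls, subject, target, attr):
    """First 'to' clause matching target DN and attribute decides; inside it the first
    matching 'by' gives the level (none if nothing matches); implicit default is read."""
    for (style, pat), attrs, by_list in acls:
        groups = ()
        if style == "regex":
            m = pat.search(target)
            if not m:
                continue
            groups = m.groups()
        elif target.lower() != pat:
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_list:
            if who_matches(who, subject, groups):
                return level
        return "none"
    return "read"

# Constructed rules after the post's second ACL; an ADD needs write on the parent's
# 'children' pseudo-attribute, the check behind err=50 "no write access to parent".
BOOK = r"cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
ADDRESSBOOK_ACLS = [(compile_what(BOOK, "regex"), {"children"}, [
    (("regex", r"uid=$1,ou=accounts,dc=graylion,dc=net"), "write"),
    (("regex", r"cn=admin,dc=graylion,dc=net"), "read"), (("users", None), "none")])]
PARENT = "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
```

Compare LEVELS.index(access_level(...)) against LEVELS.index("write") to decide whether a given bound identity may add under PARENT.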
LDAP C API : Sync prtocol
by Irfaz
Hi,
I was not able to get much information about ldap_sync API usage
and other configuration for achieving client notification about changes
that happened on the server.
The information provided in the man page for the ldap_sync APIs is very limited
and it is a common page for all sync APIs.
Firstly I am initializing the ldap sync structure using ldap_sync_initialize
and then pass this struct to ldap_sync_init as a part of basic
testing, but ldap_sync_init is not successful.
A "Critical extension unavailable" error is thrown.
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
16 years, 8 months
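Both of the sync-API threads above end at the same point: the Sync request control sent by ldap_sync_init is marked critical, and slapd answers with "Unavailable critical extension" (resultCode 12) unless the syncprov overlay is attached to the database that serves the search base; an "overlay" directive attaches to the "database" section it follows. The example below is added here and is not from the posts or from OpenLDAP: a small check run over constructed slapd.conf fragments that reports why a Sync search on a given base would still be refused. The assumption that the database with the longest matching suffix serves the base is mine.

```python
# Constructed slapd.conf fragments (not the poster's file).  syncprov-checkpoint and
# syncprov-sessionlog are the provider's tuning directives; the essential line is
# 'overlay syncprov' placed after the 'database' directive it belongs to.
GOOD_CONF = """
moduleload syncprov.la
database bdb
suffix "dc=example,dc=com"
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
"""
BAD_CONF = """
overlay syncprov
database bdb
suffix "dc=example,dc=com"
"""

def sync_provider_issues(conf_text, search_base):
    """Return the reasons a Sync-control search on search_base would be refused,
    or an empty list when syncprov is attached to the database serving that base."""
    sections = []          # one dict per 'database' directive, in file order
    issues = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "database":
            sections.append({"type": value, "suffix": None, "syncprov": False})
        elif key == "suffix" and sections:
            sections[-1]["suffix"] = value.lower()
        elif key == "overlay" and value == "syncprov":
            if sections:
                sections[-1]["syncprov"] = True
            else:
                issues.append("'overlay syncprov' appears before any 'database' "
                              "directive, so it is not attached to the data backend")
    base = search_base.lower()
    serving = [s for s in sections if s["suffix"] and base.endswith(s["suffix"])]
    if not serving:
        issues.append(f"no database section has a suffix containing {search_base}")
    else:
        # Assumption: the database with the longest matching suffix serves the base.
        best = max(serving, key=lambda s: len(s["suffix"]))
        if not best["syncprov"]:
            issues.append(f"database for {best['suffix']} has no 'overlay syncprov'")
    return issues
```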
Persistent search doubt
by Irfaz
Hi,
I was trying to create persistent search and entry change
notification controls to achieve client notification (LCUP protocol) using
the OpenLDAP C APIs on Linux.
The control has to be made critical for the server to return the
controls (ldap_get_entry_controls) in the entry change notification, but
"Unavailable critical extension" is thrown.
Please provide me your suggestions to solve this.
Irfaz Sait
Software Engineer
Huawei Technologies India Pvt. Ltd.
INNOVATION NEVER STOPS!
16 years, 8 months