openldap-software June 2007

openldap-software@openldap.org

86 participants
106 discussions

Roles
by Russell Seymour 15 Jun '07

15 Jun '07

Good afternoon all, I have two containers within my OpenLDAP directory: ou=roles,ou=Dummy Corp,ou=clients,ou=directory,ou=base ou=contacts,ou=Dummy Corp,ou=clients,ou=directory,ou=base As you would expect I have an entries in the contact list for people in the company that I have an entry for, e.g. cn=Russell Seymour,ou=contacts,ou=Dummy Corp,ou=clients,ou=directory,ou=base this has all the attributes such as address and email etc. Now in the ou for Roles contains the entry cn=Director,ou=roles,ou=Dummy Corp,ou=clients,ou=directory,ou=base and in this entry I have the roleOccupant, which has the full DN for the person in the contacts list. The question is, is it possible to link the roleOccupant to the person within an ldapsearch so that when I query the Director of the company i get the details of the person that it is linked to? Thanks, Russell

2 2

Password change problem after adding ppolicy
by Simon Gao 15 Jun '07

15 Jun '07

Hi, I am trying to make ppolicy work when chain overlay is also configured. Password lockout works. But changing password stopped working after adding ppolicy. Here is part of log for changing password on a client that binds to one consumer: ============================================================================== Jun 11 17:20:18 ldap2 slapd[4090]: do_modify Jun 11 17:20:18 ldap2 slapd[4090]: do_modify: dn (uid=user1,ou=people,dc=example,dc=com) Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com> Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com> Jun 11 17:20:18 ldap2 slapd[4090]: modifications: Jun 11 17:20:18 ldap2 slapd[4090]: replace: userPassword Jun 11 17:20:18 ldap2 slapd[4090]: one value, length 41 Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD dn="uid=user1,ou=people,dc=example,dc=com" Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD attr=userPassword Jun 11 17:20:18 ldap2 slapd[4090]: bdb_dn2entry("uid=user1,ou=people,dc=example,dc=com") Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3 Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text="" Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com" Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com> Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com> Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3 Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=50 matched="" text="Must supply old password to be changed as well as new one" Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3 Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text="" Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com" Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: msgid=8 tag=103 err=10 Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: ref="ldaps://provider/uid=user1,ou=people,dc=example,dc=com" Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 RESULT tag=103 err=10 text= =============================================================================== Even though both old and new password were given, they seems not being passed over to provider. With chain overlay, how should I set up ppolicy so that real user's password being passed along to provider properly? My provider slapd.conf set up is: ..... index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq overlay ppolicy ppolicy_default "cn=passwdpolicy,ou=policies,dc=example,dc=com" ppolicy_use_lockout overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 Simon

3 4

more about perl backend and external perl modules
by Piotr Wadas 14 Jun '07

14 Jun '07

------------- root@gnp43:/home/pwadas# slapd -4 -d3872 -h ldap://192.168.0.221/ ldapi:/// @(#) $OpenLDAP: slapd 2.3.35 (May 12 2007 16:57:50) $ root@gnp43.internetdsl.tpnet.pl:/home/pwadas/SRC/SLAPD-NEW/openldap-2.3.35/servers/slapd Error Can't load '/usr/lib/perl/5.8/auto/POSIX/POSIX.so' for module POSIX: /usr/lib/perl/5.8/auto/POSIX/POSIX.so: undefined symbol: PL_sig_name at /usr/lib/perl/5.8/XSLoader.pm line 70. at /usr/lib/perl/5.8/POSIX.pm line 26 Compilation failed in require at /etc/ldap/PerlBackend.pm line 26. BEGIN failed--compilation aborted at /etc/ldap/PerlBackend.pm line 26. Compilation failed in require at (eval 2) line 1. BEGIN failed--compilation aborted at (eval 2) line 1. WARNING: No dynamic config support for database perl. Can't call method "init" on an undefined value. root@gnp43:/home/pwadas# root@gnp43:~/SRC/SLAPD-NEW# perl --version This is perl, v5.8.8 built for i486-linux-gnu-thread-multi ------------ Hello, I got the above error, when I try to start slapd, with perl backends, and some "use" lines in script. No matter what perl package I try to use (POSIX, DBI, whatever), I get similar error regarding perl library. I tried to rebuild perl and its modules, and rebuild openldap (tried 2.3.30 and 2.3.35 versions), with no effect. Is there some limitation on perl backend, because of kind of the way it's embedded into slapd, which actually disallow usage of external modules? It seems slapd runs fine, when I don't put any "use" lines into backend perl file (*.pm) Should I try without threading, or what? I've seen this thing being reported a few times on various lists, including some linux distribution bugzillas, anyway there was no answer, see e.g. this https://bugs.launchpad.net/ubuntu/+source/openldap2.2/+bug/90812 This slapd 2.3.35 was built with the following options: --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man --enable-debug --enable-dynamic --enable-syslog --enable-proctitle --enable-ipv6 --enable-local --enable-slapd --enable-aci --enable-cleartext --enable-crypt --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups --enable-slp --enable-wrappers --enable-backends=mod --enable-overlays=mod --enable-slurpd --with-subdir=ldap --with-cyrus-sasl --with-threads --with-tls --enable-bdb=mod --enable-dnssrv=mod --enable-hdb=mod --enable-ldap=mod --enable-ldbm=mod --enable-meta=mod --enable-monitor=mod --enable-null=mod --enable-passwd=mod --enable-perl=mod --enable-relay=mod --enable-shell=mod --enable-sql=mod --enable-accesslog=mod --enable-auditlog=mod --enable-denyop=mod --enable-dyngroup=mod --enable-dynlist=mod --enable-lastmod=mod --enable-ppolicy=mod --enable-proxycache=mod --enable-refint=mod --enable-retcode=mod --enable-rwm=mod --enable-syncprov=mod --enable-translucent=mod --enable-unique=mod --enable-valsort=mod and the part from slapd.conf (of course the same happens with only one directory in perlModulePath, containing PerlBackend.pm) database perl suffix "dc=example" perlModulePath /etc/ldap /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl perlModule PerlBackend "PerlBackend.pm" is the file from slapd distribution, SampleLDAP, I just renamed it. Regards, Piotr

2 2

Limiting attributes through ACL
by Dan Ciarniello 14 Jun '07

14 Jun '07

I am trying to set up OpenLDAP to return all attributes for a given set of entries when accessed by an authenticated user but only a subset of the attributes when accessed anonymously but I can't figure out how to set up the ACL to do this. As an example, I have a directory entry ou=People with a number of inetOrgPerson subentries. When accessed anonymously, I would like only the cn attribute of the entries to be returned. Is this possible? If so, how do I set it up? Thanks, Dan.

2 1

Re: indexes and multiple values
by Quanah Gibson-Mount 14 Jun '07

14 Jun '07

--On Thursday, June 14, 2007 3:30 PM +0200 David Schmitter <schmitt(a)dataflow.ch> wrote: >> Perhaps you added an index after the >> data already existed, and forgot to run slapindex? >> > > That was exactly the problem. Glad it worked! Please remember to keep replies on the list, thanks! --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

is it possible to configure openldap to return latest modified entries first without using sorting feature?
by Zhang Weiwu 14 Jun '07

14 Jun '07

Dear list As the project I am working on requires, all ldap search results should return latest-modified entry first. This requirement have many practical reason behind it and is an important requirement. I solve this problem by always invoke ldap search with 'sort' option. I believe by doing so I have lowered down performance, especially the search result is often several thousands records. Now the server is overburden. I have noticed if I don't use sort feature, the result is always the reverse of the project requirement: last modified entries are displayed last. (project requirement is: last modified entries are displayed first.) The project requirement will not likely to change in a few years time, so I think perhaps we can enhance performance by reconfiguring openldap to reverse sort order -> not possible on OpenLDAP itself but I guess probably by configuring BDB backend, to ask it to 'save' data in the opposite way, and by doing so make future search result automatically 'sorted'. So far, it's my dream and my wild guess. I am digging into BDB documents to find out if such configuration is possible and also write the list see if experts knows this possibility already. And, I wouldn't be surprised if BDB cannot be configured the way I like, but, it's stupid not to ask the list just in case if it's possible Thanks a lot in advance! -- Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112

4 5

BDB checkpointing overhead
by Bill Johnstone 13 Jun '07

13 Jun '07

Hello. If I use the checkpointing feature in the bdb backend, if there were no changes made to the directory since the previous checkpoint, is there any overhead other than waking up the code to check to see if the database is to be synced? If there are no unsynced changes, does anything get written to disk or logged in any way when the checkpointing code wakes up? Thank you. ____________________________________________________________________________________ Bored stiff? Loosen up... Download and play hundreds of games for free on Yahoo! Games. http://games.yahoo.com/games/front

3 2

could not stat config file "%SYSCONFDIR%/schema/core.schema": No such file or directory (2)
by Joe Flowers 13 Jun '07

13 Jun '07

This has got to be something simple, but it's just not surfacing for me today.... Arg.... This is what I am getting after running "slapd -d 1" inside of MSYS: "could not stat config file "%SYSCONFDIR%/schema/core.schema": No such file or directory (2)" Joe ---------------------------------------------------------------------------------------------- 1. This is what the environment variable "SYSCONFDIR" looks like inside of MSYS by issuing the "set" command: SYSCONFDIR=/local/etc/openldap ---------------------------------------------------------------------------------------------- 2. mae@JLF /local/libexec $ ls -la /local/etc/openldap/schema/core.schema -r--r--r-- 1 mae Administ 20353 Jun 12 15:36 /local/etc/openldap/schema/core.schema mae@JLF /local/libexec ---------------------------------------------------------------------------------------------- 3. Error running "slapd -d 1" inside of MSYS: mae@JLF /local/libexec $ slapd -d 1 @(#) $OpenLDAP: slapd 2.3.35 (May 21 2007 16:51:47) $ @JLF:/home/Joe/openldap-2.3.35/servers/slapd daemon_init: listen on ldap:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// daemon_init: 1 listeners opened slapd.exe init: initiated server. bdb_back_initialize: initialize BDB backend bdb_back_initialize: Berkeley DB 4.5.20: (September 20, 2006) hdb_back_initialize: initialize HDB backend hdb_back_initialize: Berkeley DB 4.5.20: (September 20, 2006) could not stat config file "%SYSCONFDIR%/schema/core.schema": No such file or directory (2) slapd.exe destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. mae@JLF /local/libexec ----------------------------------------------------------------------------------------------

2 1

"make test" failed on test019 1st & then all subsequent tries: test017 failure.
by Joe Flowers 12 Jun '07

12 Jun '07

Any educated ideas why? Thanks! Joe ---------------------------------------------------------------------------- 2nd and subsequent "make test" ended in this: >>>>> Starting test017-syncreplication-refresh ... running defines.sh Starting master slapd on TCP/IP port 9011... Using ldapsearch to check that master slapd is running... Using ldapadd to create the context prefix entry in the master... Starting slave slapd on TCP/IP port 9012... Using ldapsearch to check that slave slapd is running... Using ldapadd to populate the master directory... Waiting 15 seconds for syncrepl to receive changes... Using ldapmodify to modify master directory... Waiting 15 seconds for syncrepl to receive changes... Try updating the slave slapd... ldapmodify should have failed (1)! >>>>> ./scripts/test017-syncreplication-refresh failed (exit 1) make[2]: *** [bdb-yes] Error 1 make[2]: Leaving directory `/home/Joe/openldap-2.3.35/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/home/Joe/openldap-2.3.35/tests' make: *** [test] Error 2 mae@JLF /home/Joe/openldap-2.3.35 $ ---------------------------------------------------------------------------- 1st "make test" ended in this: Filtering R1 slave ldapsearch results... Filtering R2 slave ldapsearch results... Filtering P1 slave ldapsearch results... Filtering P2 slave ldapsearch results... Filtering P3 slave ldapsearch results... Comparing retrieved entries from master and R1 slave... test failed - master and R1 slave databases differ >>>>> ./scripts/test019-syncreplication-cascade failed (exit 1) make[2]: *** [bdb-yes] Error 1 make[2]: Leaving directory `/home/Joe/openldap-2.3.35/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/home/Joe/openldap-2.3.35/tests' make: *** [test] Error 2 mae@JLF /home/Joe/openldap-2.3.35 $ ----------------------------------------------------------------------------

3 2

slurpd replication and openldap versions
by Matthias Leopold 12 Jun '07

12 Jun '07

hi i want to know in general what the caveats are when replicating ldap data with slurpd between openldap servers of different major versions. i would be especially interested in knowing if it is adviseable to replicate from a 2.3 master to 2.2 slaves (or the other way round). the reason for asking this is that i have noticed that in the present setup replication from 2.0 to 2.2 produces .rej files which are 10 times bigger than those resulting from "same generation" (2.0 <-> 2.0) replication. or are there any special configuration options for this situation? thanks for help matthias -- Mit freundlichen Grüssen Matthias Leopold System & Network Administration Streams Telecommunications GmbH Universitaetsstrasse 10/7, 1090 Vienna, Austria tel: +43 1 40159113 fax: +43 1 40159300 ------------------------------------------------

4 3

← Newer
1
...
4
5
6
7
8
9
10
11
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2007