openldap-software September 2007

openldap-software@openldap.org

74 participants
88 discussions

Why invalid credentials
by Keryx Info 13 Sep '07

13 Sep '07

Hi all! An LDAP newbie posting for the first time. I can't see why I get error 49 (bad credentials) trying to run ldapadd. My guess is it's a "sasl" thingie.... I was following the tutorial at http://www.howtoforge.com/openldap_fedora7 but got nowhere. The goal is to set up ldap-authentication on a net of FC 7 clients and an FC 7 server. Config files: /etc/ldap.conf: HOST lb.labbnet.ne.keryx.se BASE dc=lb,dc=labbnet,dc=ne,dc=keryx.se ---------- /etc/slapd.conf: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args database bdb # Only three lines changed by me suffix "dc=lb,dc=labbnet,dc=ne,dc=keryx,dc=se" rootdn "uid=root,dc=lb,dc=labbnet,dc=ne,dc=keryx,dc=se" rootpw {CRYPT}tecdIjhx8TVq. # Temporary password - I will change it later! directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub ------------- Output of "/usr/bin/ldapadd -x -D 'uid=root,dc=lb,dc=labbnet,dc=ne,dc=keryx.se' -W -f /root/ibunk.ldif -d 1": ldap_initialize( <DEFAULT> ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 ------------- Output of /usr/bin/ldapadd -x -D 'uid=root,dc=lb,dc=labbnet,dc=ne,dc=keryx.se' -W -f /root/ibunk.ldif -d 1 ldap_create Enter LDAP Password: <entered correctly> ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP lb.labbnet.ne.keryx.se:389 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush: 62 bytes to sd 4 ldap_result ld 0x9631270 msgid 1 ldap_chkResponseList ld 0x9631270 msgid 1 all 1 ldap_chkResponseList returns ld 0x9631270 NULL wait4msg ld 0x9631270 msgid 1 (infinite timeout) wait4msg continue ld 0x9631270 msgid 1 all 1 ** ld 0x9631270 Connections: * host: lb.labbnet.ne.keryx.se port: 389 (default) refcnt: 2 status: Connected last used: Thu Sep 13 17:11:22 2007 ** ld 0x9631270 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x9631270 Response Queue: Empty ldap_chkResponseList ld 0x9631270 msgid 1 all 1 ldap_chkResponseList returns ld 0x9631270 NULL ldap_int_select read1msg: ld 0x9631270 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x9631270 msgid 1 message type bind ber_scanf fmt ({eaa) ber: read1msg: ld 0x9631270 0 new referrals read1msg: mark request completed, ld 0x9631270 msgid 1 request done: ld 0x9631270 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_err2string ldap_bind: Invalid credentials (49)

5 5

Recover db failed
by Sergio Belkin 13 Sep '07

13 Sep '07

I have a problem trying to recover ldap database, error are as follow: slapd_db_recover -h /var/lib/ldap/ -c -v Finding last valid log LSN: file: 1 offset 729642 Recovery starting from [1][28] db_recover: Improper file close at 1/623901 db_recover: Recovery function for LSN 1 623901 failed on forward pass db_recover: PANIC: Invalid argument db_recover: PANIC: fatal region error detected; run recovery db_recover: DB_ENV->open: DB_RUNRECOVERY: Fatal error, run database recovery How can I recover it? Thanks in advance! -- -- Sergio Belkin -

2 1

strcast_func with MySQL
by Kevin Burnett 13 Sep '07

13 Sep '07

When I add the strcast_func "text" to my slapd.conf file, running slapd -d1 gives me an error when the SELECT DISTINCT sql statement is executed. Do I need to have a strcast_func for MySQL backend? If so, what function should I use instead of "text" ? Thanks, Kevin

1 0

Can I remove an existing index?
by Ole Nomann Thomsen 13 Sep '07

13 Sep '07

Hi list. I have a question about an ldap-base that I maintain The base contains about 500,000 records with attribute uid (single value and unique) and code(multi value; typically between 10 and 200 values, 5-50 bytes or more each, not unique). The code attribute is indexed on eq and sub for historical reasons, but the index is no longer needed (if it ever was). The uid attribute is, and will stay, indexed on eq. Tests reveal that updating records can be time consuming when they contain a large number of long codes, sometimes about 1.25 seconds pr. record(!). In contrast to this, when I update without the index, I get around 75 recs/second. Searching is still fast, as I never search for code without uid. So I'm going to drop that index, no doubt about it. The reliable method would be to slapcat-reconfigure-slapadd of course, but that will cost lots of planning and timing (the base is replicated on 3 servers, and is constantly updated, 2 servers must be available at all the time). It is feasible, but it *will* be a pain. So: Can't i simply drop the index from the config file, restart, and thats it? That is, remove the line: index code eq,sub And perhaps the code.dbb file from the database directory? Perhaps slapindex too? Further tests indicate that it works, lookups, updates and everything seem OK. But there is a worrying warning in the logfile: 2007-09-11 12:09:53.742266500 <= bdb_equality_candidates: (code) index_param failed (18) The warning persists after slapindex, but is not there when I search for attributes that was "born" without an index. So will it break eventually? Or do I need to tell the backend something? Background (as much as I can dig up, perhaps too much): OpenLDAP: slapd 2.3.25 Backend: back_bdb, vers 4.2 (Berkeley DB, Btree, version 9) Linux: Debian 2.6.18 Sears filter (always): "(&(uid=...)(code=...))" (experimentally shown to work fine without index on "code") And the same question for: OpenLDAP: slapd 2.2.26 Backend: ldbm (Berkeley DB, Btree, version 8) Linux: Mandrake Linux 9.0 3.2-1mdk Sears filter (always): "(&(uid=...)(code=...))" Thanks for reading this far :-) and for any answers. - Ole Thomsen

2 2

viewing entries using slapcat
by Neo - 13 Sep '07

13 Sep '07

Hi all, I use a ldapbrowser (its open source java ldapbrowser) to view all my openldap entries. Im able to read all the attribute values when i view through the ldapbrowser. But when i do slapcat and generate a ldif file i see some attribute like this mail:: IGF2ZXJ5cG9obG1hbjM3QHdlYnN0ZXIuZWR1 but when i view the same entry in ldapbrowser its fine. Any one know why entry looks encrypted using slapcat. Thanks, ____________________________________________________________________________________ Moody friends. Drama queens. Your life? Nope! - their life, your story. Play Sims Stories at Yahoo! Games. http://sims.yahoo.com/

5 8

dn aliases?
by Ron Parker 12 Sep '07

12 Sep '07

Is there a way to create aliases for dn's? For example, right now I point my client to: rootdn: dc=my,dc=example,dc=com user: cn=Manager,dc=my,dc=example,dc=com org: ou=org,dc=my,dc=example,dc=com Now, I want to create an alias so that the examples below point to those above: rootdn: dc=my,dc=alias,dc=com user: cn=Manager,dc=my,dc=alias,dc=com org: ou=org,dc=my,dc=alias,dc=com In other words, any reference in my client to: dc=my,dc=alias,dc=com would resolve in the ldap database to: dc=my,dc=example,dc=com Is there a way to do this? If so, where can I locate these instructions? Thanks! -ron -- Ron Parker Software Creations http://www.scbbs.com Self-Administration Web Site http://saw.scbbs.com SDSS Subscription Mgmt Service http://sdss.scbbs.com Central Ave Dance Ensemble http://www.centralavedance.com R & B Salsa http://www.randbsalsa.com

7 33

alock package is unstable
by Dieter Kluenter 12 Sep '07

12 Sep '07

Hi, OpenLDAP-2.4.5beta SuSE-10.2 db-4.4.20 glibc-2.5.25 trying to run slapd an error occurs backend_startup_one: starting "o=avci,c=de" bdb_db_open: o=avci,c=de bdb_db_open: alock package is unstable backend_startup_one: bi_db_open failed!(-1) slapd shutdown: initiated Now, what would be a stable alock package? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

3 3

syncrepl sizelimit exeeded
by Dieter Kluenter 12 Sep '07

12 Sep '07

Hi, I am testing 2.4.5beta syncrepl on 2 identical SuSE-10.2 vmware slices. On both engines sizelimit is set to unlimited. While on the provider side no sizelimit restrictions are announced, that is, all entries above "cn=test0394,ou=benchmark,o=avci,c=de" are allowed to read, on the consumer side I get a Size limit exceeded after cn=test0394,ou=benchmark,o=avci,c=de, but further search requests of the consumer are performed. Are there any syncrepl consumer size limits, which I am not aware of? ,----[ sync provider log ] | magenta slapd[7228]: => acl_mask: access to entry "cn=test0395,ou=benchmark,o=avci,c=de", attr "objectClass" requested | magenta slapd[7228]: => acl_mask: to all values by "cn=replicator,o=avci,c=de", (=0) | magenta slapd[7228]: <= check a_dn_pat: cn=benchmark,o=avci,c=de | magenta slapd[7228]: <= check a_dn_pat: users | magenta slapd[7228]: <= acl_mask: [2] applying read(=rscxd) (stop) | magenta slapd[7228]: <= acl_mask: [2] mask: read(=rscxd) | magenta slapd[7228]: => slap_access_allowed: search access granted by read(=rscxd) | magenta slapd[7228]: => access_allowed: search access granted by read(=rscxd) `---- ,----[ sync consumer log ] | vmware slapd[31608]: syncrepl_entry: rid=2 cn=test0394,ou=benchmark,o=avci,c=de | vmware slapd[31608]: syncrepl_entry: rid=2 entry unchanged, ignored (cn=test0394,ou=benchmark,o=avci,c=de) | vmware slapd[31608]: do_syncrep2: rid=2 LDAP_RES_SEARCH_RESULT | vmware slapd[31608]: do_syncrep2: rid=2 (4) Size limit exceeded | vmware slapd[31608]: do_syncrepl: rid 002 retrying (4 retries left) `---- -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

1 0

Startup time
by Sumith Narayanan 11 Sep '07

11 Sep '07

Hello, We have a openldap 2.3.27 database with 42 GB of total data size . The server is running with 32 bit processor and it crashes once in 2-3 days.. As a work around for now , we are restarting the slapd process using cron job. But the restart takes 45 min to 1 hour time and sometimes more than that. Is there any way to bring up the server fast ? It is taking time to cache data before it start ? Thanks, Sumith.

7 6

RES: RES: ldapsearch and accented names
by Luis Fernando C. Talora 11 Sep '07

11 Sep '07

I see, now... Thanks a lot! Best regards, Luís Talora -----Mensagem original----- De: Pierangelo Masarati [mailto:ando@sys-net.it] Enviada em: segunda-feira, 10 de setembro de 2007 17:48 Para: Luís Fernando C. Talora Cc: OpenLDAP Software List Assunto: Re: RES: ldapsearch and accented names Please reply on the list Luis Fernando C. Talora wrote: > Thank you, Mr. Pierangelo! I new that it would be a way to make that "readble", but I had no idea how to do it. > > I´m using it on a script. Do you know a way to find out when the string returned is encoded in base64 or not? When the attribute is base64 encoded, the value is separated from the name by "::", as clearly indicated in RFC 2849. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it --------------------------------------- -- Esta mensagem foi verificada pelo sistema de antivírus e acredita-se estar livre de perigo. -- Esta mensagem foi verificada pelo sistema de antivírus e acredita-se estar livre de perigo.

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software September 2007