openldap-software January 2008

openldap-software@openldap.org

78 participants
79 discussions

Resolving aliasedobjectname(s)
by Dave Lewney 28 Jan '08

28 Jan '08

Faq #1111 states that given ... dn: uid=alias,ou=People,dc=example,dc=net objectclass: alias objectclass: extensibleObject uid: alias aliasedobjectname: uid=target,ou=Retired People,dc=example,dc=com ... then ldapsearch -x -a always -b uid=alias,ou=People,dc=example,dc=net 'objectclass=*' will return results from the "target" DN. Should the same results be expected from searching with ... ldapsearch -x -a always -b ou=People,dc=example,dc=net uid=alias ... assuming uid was indexed for equality. Dave --- Dave Lewney IT Services, University of Sussex, Brighton BN1 9QT

3 5

meaning of timeout value in ldap_search_ext
by Kenneth Rogers 28 Jan '08

28 Jan '08

Hello, The man page for ldap_search_ext doesn't specify how the timeout value is used. There are external sources that say it defines a timeout both for the client and the server. Is that accurate? KR -- ""If we knew what we were doing, it wouldn't be called research, would it?" --Albert Einstein

2 1

MirrorMode behind fail over loadbalancer
by Diaa Radwan 28 Jan '08

28 Jan '08

We have two openldap 2.4.7 , configured as MirrorMode, We are planning to add load balancer in front of both servers into the production environment, We don't want too go through conflicts issues as it was stated before as messy process. --------- --------- . . . . . Srv1 . . Srv2 . --------- --------- \ / ---- ------------ . LoadB . .-------. As per my understanding, the load balancer(failover mode) is redirecting all traffic to the active server(srv1); if the active server went down the traffic will be redirected to stand-by server(srv2). When srv1 goes online again the load balancer will redirect all trafic to srv1, while srv1 is in progress to get synced with srv2. The load balancer will not consider the sync process; it will just redirect the traffic. it was previously stated on the mailing list that there should be one write at a time. is there any conflict will occur when server getting bulk syncing and receiving updates(attribute level)/add requests as well? What happen if there attribute-level conflict? how to avoid it? suggestions are highly welcomed. -- Diaa Radwan

6 7

Create NextFreeUnixId.ldif in LDAP
by Rodrigo Tavares 27 Jan '08

27 Jan '08

Hello, When I try to write in LDAP come this error : weekend:~# ldapadd -x -h ldap -D "cn=admin,dc=homework" -f NextFreeUnixId.ldif -W Enter LDAP Password: adding new entry "cn=NextFreeUnixId,ou=System,dc=homework" ldap_add: Internal (implementation specific) error (80) additional info: index generation failed How I can to resolve it ? Best regards, Faria #the file dn: cn=NextFreeUnixId,ou=System,dc=homework objectClass: inetOrgPerson objectClass: sambaUnixIdPool uidNumber: 10000 gidNumber: 10000 cn: NextFreeUnixId sn: NextFreeUnixId Abra sua conta no Yahoo! Mail, o único sem limite de espaço para armazenamento! http://br.mail.yahoo.com/

2 1

multi-valued attribute suddenly become comma-separated
by Alexander Bruckner 25 Jan '08

25 Jan '08

Hi, Installed version: OpenLDAP: slapd 2.3.30 My problem is that multi-valued attributes become single-valued attribtues with the values as comma separated list without any observable reason. An entry should look like this (as it is entered into the directory): ... mail: testing1(a)test.com mail: testing2(a)test.com After a while the entry suddenly looks like this: mail: testing1(a)test.com, testing2(a)test.com Does anybody know, what the reason of this behaviour could be? I cannot find any cron-jobs modifying the ldap-directory, or any application with write-permission. The modification seems to happen accidentally. Thanks in advance, Alex Bruckner

4 4

ldappasswd error
by Adam Williams 24 Jan '08

24 Jan '08

Running openldap 2.3.39. When I run ldappasswd, I get the following error: [root@roark named]# ldappasswd SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 195) but slappasswd is ok: [root@roark named]# slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx any ideas? Google search didn't really turn up anything.

2 1

ldapadd: Invalid syntax (21) additional info: objectclass: value #0 invalid per syntax
by Adam Williams 24 Jan '08

24 Jan '08

I'm following the quick start guide. I'm running openldap 2.3.39. I have my my main.ldif as: dn: dc=mdah,dc=state,dc=ms,dc=us objectclass: dcObject objectclass: organization o: Mississippi Department of Archives and History dc: mdah dn: cn=Manager,dc=mdah,dc=state,dc=ms,dc=us objectclass: organzationalRole cn: Manager but when I load it, I get the error: ldapadd -x -D "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -W -f main.ldif Enter LDAP Password: adding new entry "dc=mdah,dc=state,dc=ms,dc=us" adding new entry "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" ldapadd: Invalid syntax (21) additional info: objectclass: value #0 invalid per syntax a google search says that is usually because of trailing characters, but I checked it in vi, and there are no trailing characters. Any suggestions? my slapd.conf is: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid database bdb suffix "dc=mdah,dc=state,dc=ms,dc=us" rootdn "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx directory /var/lib/ldap index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUID eq index sambaSID sub,eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default pres,eq,sub access to dn.base="" by self write by * auth access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none access to attrs=shadowLastChange by self write by * auth access to * by self write by * read and my ldap.conf is: BASE dc=mdah,dc=state,dc=ms,dc=us TLS_REQCERT allow URI ldap://roark.mdah.state.ms.us/ TLS_CACERTDIR /etc/openldap/cacerts and slapd is running: ps ax|grep slap 13743 ? Ssl 0:00 /usr/sbin/slapd -h ldap:/// -u ldap

2 2

Upgrading Blues
by Sn!per 24 Jan '08

24 Jan '08

Am currently using openLDAP version 2.3.35 along with Berkeley DB version 4.5.20. I noticed that openLDAP is now currently at 2.3.39 and Berkeley DB at 4.6.21. I used openLDAP for my qmail-ldap and am wondering if it would be advisable for me to upgrade. If the answer is yes, then which version of Berkeley DB should I use with 2.3.39 as I read somewhere that there are some incompatibiliites issues? Please advise and thank you in advance. -- roger --------------------------------------------------- Sign Up for free Email at http://ureg.home.net.my/ ---------------------------------------------------

1 0

matching one character of a caseIgnoreIA5Match attribute
by Alexander 'Leo' Bergolth 22 Jan '08

22 Jan '08

Hi! I'm trying to filter entries that have the 'D' flag set in the sambaAcctFlags attribute: attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) However, this attribute doesn't have a substring match rule, and normal substring filters don't seem to work. I don't know if that's possible on principle, but maybe an extensible search filter with a special matching rule can be used to accomplish this task? I've tried it with "(sambaAcctFlags:caseIgnoreSubstringsMatch:=*D*)" but substring filters are not allowed in extensible filters. Any hints? Thanks in advance, --leo -- e-mail ::: Leo.Bergolth (at) wu-wien.ac.at fax ::: +43-1-31336-906050 location ::: Computer Center | Vienna University of Economics | Austria

2 1

2.3.35 -> 2.4.7 replication: null_callback : error code 0x10
by Dave Horsfall 22 Jan '08

22 Jan '08

Testing interoperability between 2.3.35 and 2.4.7. Consumer is 2.4.7, provider is 2.3.35. I get messages in the 2.4.7 log that look like this: Jan 15 13:07:47 mippet slapd[13134]: null_callback : error code 0x10 Jan 15 13:07:47 mippet slapd[13134]: syncrepl_updateCookie: rid=002 be_modify failed (16) Jan 15 13:07:47 mippet slapd[13134]: do_syncrepl: rid=002 retrying (4 retries left) Jan 15 13:07:52 mippet slapd[13134]: null_callback : error code 0x10 Jan 15 13:07:52 mippet slapd[13134]: syncrepl_updateCookie: rid=002 be_modify failed (16) Seems to be related to adding/changing/deleting on the provider, although the changes do propagate. Is this fixed by 2.3.40, or is it a separate issue in 2.4.7? -- Dave Horsfall DTM VK2KFU Ph: +61 2 9552-5509 (direct) +61 2 9552-5500 (switch) Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU

3 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2008