Berkeley DB, What's the recommended version?
by Diego Woitasen
Hi,
I need to compile the latest OpenLDAP version and I want to know what's
the recommended version of BDB, if there is any. The latest BDB is
4.6.21, but I want to hear some experiences.
regards...
diegows
--
Diego Woitasen
XTECH - Soluciones Linux para empresas
(54) 011 5219-0678
Options of OpenLDAP 2.3.3x configure
by openldap.lists@frei-family.ch
Hi all,
this is maybe a silly newbie question and I do apologize if so.
I'm digging through the options of OpenLDAP 2.3.3x configure and so far
I basically found the output of "configure --help" as the only
information available. I also browsed through the Admin Guide,
Faq-O-Matic and googled but only seemed to find the same help output
over and over.
What I'm after is a description of the effects which is more
comprehensive than the help of configure, i.e. what are the
consequences if I enable/disable a certain option.
Especially I'm interested in knowing about the effects of the options
--disable-cleartext
--disable-spasswd
--disable-passwd
Can anyone provide a pointer to such information?
Thanks
CF
DDS incompatible with shadow
by Dieter Kluenter
Hi,
I have just set up a provider with 2.4.7 and a consumer with 2.4.7,
db4.5. The provider is running; when starting the empty consumer I get
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
backend_startup_one: starting "o=avci,c=de"
hdb_db_open: "o=avci,c=de"
hdb_db_open: database "o=avci,c=de": dbenv_open(/opt/openldap/var/openldap-data/).
DDS incompatible with shadow database "o=avci,c=de".
backend_startup_one: bi_db_open failed! (1)
slapd shutdown: initiated
====> bdb_cache_release_all
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
what is DDS?
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
syncrepl with x509 certificates
by Alex Samad
Hi
I am trying to build a network of LDAP nodes synced with syncrepl using x509
certificates.
I ran into a problem when I set up the first slave node: I created a certificate
that did not have the SSL Client purpose, but did have the SSL Server purpose. I am
presuming it is this, because of 2 certificates made exactly the same way, 1 fails
(the non SSL Client one) and the other works (the one that has the SSL Client
purpose).
I am presuming that I need both purposes, SSL Server and SSL Client: the former
to allow ldaps usage and the latter for making LDAP requests and being a client
in a syncrepl scenario.
Is there
a) a way to specify another certificate to use in the syncrepl config
b) a way to not check for the SSL Client purpose in the certificate
For now I am going to create one that has both purposes ...
Alex
--
"As you can possibly see, I have an injury myself - not here at the hospital, but in combat with a cedar. I eventually won. The cedar gave me a little scratch."
- George W. Bush
01/01/2006
San Antonio, TX
After visiting with wounded veterans from the Amputee Care Center of Brooke Army Medical Center
Need support to install OpenLDAP on Solaris 10 without BDB/HDB
by Dovecot Jami
Hi,
I failed to install OpenLDAP on my Solaris 10 due to BDB/HDB dependencies. I have installed BerkeleyDB 4.5 at /usr/local/BarkleyDB4.5/.
I want to install OpenLDAP without BDB/HDB on my Solaris 10.
Pls help me.
Rgds,
JAMI
OpenLDAP/SASL working only with unhashed passwords
by Daniel Qarras
Hi all,
after spending several days fighting with an OpenLDAP 2.3/SASL setup I'm
finally at the point where both sample-client/server and ldapwhoami work
for a user whose password is stored in cleartext in LDAP's
userPassword field. I'm using TLS and both PLAIN and DIGEST-MD5 work.
However, for a user with his password stored as an SSHA hash in LDAP's
userPassword, neither of those works.
It seems that DIGEST-MD5 can only work if both sides have access to the
cleartext password, right? Thus, it was expected that DIGEST-MD5 can't
work.
But I'm out of clues with PLAIN (over TLS, using a self-signed
certificate) as to why it doesn't work for a user whose password is in
SSHA. The users are test users I entered; the ldif file used was 1:1,
only the uids and passwords were different. Am I still missing some
basic principle of SASL, or what's going on here?
The reason I'm writing to the OpenLDAP mailing list is that with the
user failing to authenticate slapd is logging errors that are not
present with the ok'd user.
ldapwhoami says:
root@localhost:~# ldapwhoami -U qwe -Y PLAIN -ZZ
SASL/PLAIN authentication started
Please enter your password:
SASL username: qwe
SASL SSF: 0
dn:uid=qwe,ou=people,dc=intra
Result: Success (0)
root@localhost:~# ldapwhoami -U dq -Y PLAIN -ZZ
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password
verification failed
root@localhost:~#
And the server says in the latter case:
do_sasl_bind: dn () mech PLAIN
==> sasl_bind: dn="" mech=PLAIN datalen=6
SASL Canonicalize [conn=1]: authcid="dq"
slap_sasl_getdn: conn 1 id=dq [len=2]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=dq,cn=PLAIN,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=dq,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=dq,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,cn=plain,cn=auth)=0
<<< dnNormalize: <uid=dq,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=dq,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=dq,cn=plain,cn=auth
slap_authz_regexp: converted SASL name to uid=dq,ou=People,dc=intra
slap_parseURI: parsing uid=dq,ou=People,dc=intra
ldap_url_parse_ext(uid=dq,ou=People,dc=intra)
>>> dnNormalize: <uid=dq,ou=People,dc=intra>
=> ldap_bv2dn(uid=dq,ou=People,dc=intra,0)
<= ldap_bv2dn(uid=dq,ou=People,dc=intra)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,ou=people,dc=intra)=0
<<< dnNormalize: <uid=dq,ou=people,dc=intra>
<==slap_sasl2dn: Converted SASL name to uid=dq,ou=people,dc=intra
slap_sasl_getdn: dn:id converted to uid=dq,ou=people,dc=intra
SASL Canonicalize [conn=1]: slapAuthcDN="uid=dq,ou=people,dc=intra"
SASL Canonicalize [conn=1]: authcid="dq"
slap_sasl_getdn: conn 1 id=dq [len=2]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=dq,cn=PLAIN,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=dq,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=dq,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,cn=plain,cn=auth)=0
<<< dnNormalize: <uid=dq,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=dq,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=dq,cn=plain,cn=auth
slap_authz_regexp: converted SASL name to uid=dq,ou=People,dc=intra
slap_parseURI: parsing uid=dq,ou=People,dc=intra
ldap_url_parse_ext(uid=dq,ou=People,dc=intra)
>>> dnNormalize: <uid=dq,ou=People,dc=intra>
=> ldap_bv2dn(uid=dq,ou=People,dc=intra,0)
<= ldap_bv2dn(uid=dq,ou=People,dc=intra)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,ou=people,dc=intra)=0
<<< dnNormalize: <uid=dq,ou=people,dc=intra>
<==slap_sasl2dn: Converted SASL name to uid=dq,ou=people,dc=intra
slap_sasl_getdn: dn:id converted to uid=dq,ou=people,dc=intra
SASL Canonicalize [conn=1]: slapAuthcDN="uid=dq,ou=people,dc=intra"
=> bdb_search
bdb_dn2entry("uid=dq,ou=people,dc=intra")
=> bdb_dn2id("uid=dq,ou=people,dc=intra")
<= bdb_dn2id: got id=0x0000007b
entry_decode: "uid=dq,ou=People,dc=intra"
<= entry_decode(uid=dq,ou=People,dc=intra)
base_candidates: base: "uid=dq,ou=people,dc=intra" (0x0000007b)
=> test_filter
PRESENT
=> access_allowed: auth access to "uid=dq,ou=People,dc=intra"
"objectClass" requested
=> acl_get: [2] attr objectClass
=> acl_mask: access to entry "uid=dq,ou=People,dc=intra", attr
"objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: auth access granted by read(=rscxd)
<= test_filter 6
=> access_allowed: auth access to "uid=dq,ou=People,dc=intra"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> acl_mask: access to entry "uid=dq,ou=People,dc=intra", attr
"userPassword" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=0 matched="" text=""
SASL [conn=1] Failure: Password verification failed
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): user not found:
Password verification failed"
send_ldap_response: msgid=2 tag=97 err=49
So why am I seeing "str2ad(cmusaslsecretPLAIN): attribute type
undefined" with a user whose password is stored as SSHA?
Any hints would be highly appreciated. I've really read the docs,
experimented with different configs, and slowly I've been stumbling along,
but this seems to be just too hard to grok.
Thanks!
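As an added illustration (my own code, not from the thread) of what a hashed userPassword lets a server do: it can verify a cleartext candidate by re-hashing it with the stored salt, but it cannot hand a cleartext to a mechanism such as DIGEST-MD5 that needs one on the server side. The user names and passwords below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value:
    base64(sha1(password + salt) + salt), salt appended after the 20-byte digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def sha_hash(password: str) -> str:
    """Unsalted {SHA} form, kept for comparison with {SSHA}."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a stored userPassword value.

    Against a hashed value, re-hash-and-compare is all a server can do: the
    cleartext is not recoverable, so a mechanism that needs the cleartext on
    the server side (DIGEST-MD5) has nothing to work with, while a mechanism
    that hands the server the cleartext (PLAIN, simple bind) can be checked.
    """
    if not stored.startswith("{"):
        # No scheme prefix means cleartext storage: compare in constant time.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
    elif scheme == "SHA":
        digest, salt = raw, b""
    else:
        raise ValueError("unsupported password scheme {%s}" % scheme)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)

# Constructed sample users (not from the thread): one stored in cleartext,
# one stored as SSHA with a fixed salt so the value is reproducible.
SAMPLE_USERS = {
    "qwe": "secret-qwe",
    "dq": ssha_hash("secret-dq", salt=b"\x01\x02\x03\x04"),
}

if __name__ == "__main__":
    for uid, stored in SAMPLE_USERS.items():
        print(uid, stored, verify_userpassword(stored, "secret-" + uid))
```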
LDAP config problem with GSSAPI: No such file or directory
by Listbox
Hi folks,
I'm having a real hard time debugging this.
I'm a newbie, trying to do a new ldap+kerberos install, on a new Fedora 7
box. I can't get ldapsearch or ldapwhoami to work locally. I thought it was
a read problem with the keytab files, but I tried setting KRB5_KTNAME to a
keytab file I knew was readable by slapd, and that did not help. I also
checked permissions on my certificates, and that seems OK too. ldapsearch -x
does work, but ldapsearch -Y GSSAPI does not.
Any help would be greatly appreciated :)
*******************************************
*******************************************
[installer@trixter ~]$ ldapwhoami -V -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3
.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (No such file or directory)
*******************************************
*******************************************
[installer@trixter ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: installer@HYMESRUZICKA.ORG
Valid starting Expires Service principal
01/15/08 13:11:43 01/16/08 13:11:43
krbtgt/HYMESRUZICKA.ORG@HYMESRUZICKA.ORG
01/15/08 13:12:35 01/16/08 13:11:43
ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
*******************************************
*******************************************
[installer@trixter ~]$ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# This file should be world readable but not world writable.
BASE dc=hymesruzicka,dc=org
URI ldap://trixter.hymesruzicka.org:11562
ldaps://trixter.hymesruzicka.org:636
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#SIZELIMIT 12
TIMELIMIT 5
#DEREF never
*******************************************
*******************************************
I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not
show which resource is not accessible. Actually I'm surprised that strace
does not show any attempts to open the keytabs or anything in
/etc/openldap/cacerts...
Thanks!
Listbox
dynlist how to
by Guy Deleeuw
Hello all
I run openldap on a debian box:
root@nova:LdapDeb# slapd -V
@(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 09:54:28) $
buildd@caballero:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd
root@nova:LdapDeb#
I use the dynlist overlay configured in slapd.conf like this:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
The ldif entry :
dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
objectClass: groupOfURLs
cn: dynUsers
ou: dynUsers
memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(uid=*)
The search does not expand each member: cn=...
root@nova:LdapDeb# ldapsearch -x -LLL -b
"ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s
base "memberURL=*"
dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
objectClass: groupOfURLs
cn: dynUsers
ou: dynUsers
memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(mail=*)
If I replace 'dn' by uid all works fine:
root@nova:LdapDeb# ldapsearch -x -LLL -b
"ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s
base "memberURL=*"
dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
objectClass: groupOfURLs
cn: dynUsers
ou: dynUsers
memberURL: ldap:///br=Internal,o=Eurofer,c=be?uid?sub?(mail=*)
uid: dominique
uid: freddy
uid: valerie
...
What is missing in my config? Is it not permitted to return the dn?
Thanks in advance for your help
Guy
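As an added example (my own code, not from the thread and not the overlay's own code): an RFC 4516 LDAP URL parser plus a check of what the attrs part of a memberURL means under a "dynlist-attrset groupOfURLs memberURL member" setup. It assumes my reading of slapo-dynlist(5): with a member attribute configured, a URL with no attrs part yields the DNs of matching entries as member values, a URL with attrs copies those attribute values into the list entry, and "dn" is not an attribute type, so a URL asking for it expands to nothing.

```python
from urllib.parse import unquote

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}

def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL of the form
    ldap://[host[:port]]/dn[?attrs[?scope[?filter[?extensions]]]]
    into its parts (RFC 4516). Absent optional parts get their defaults."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = rest.partition("/")
    fields = path.split("?")
    fields += [""] * (5 - len(fields))        # pad absent optional fields
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields[:5])
    if scope.lower() not in SCOPES:
        raise ValueError("bad scope %r in %r" % (scope, url))
    return {
        "scheme": scheme.lower(),
        "host": hostport,                      # empty means "this server"
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": SCOPES[scope.lower()],
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }

def dynlist_check(member_url: str, member_ad: str = "member") -> str:
    """Describe what the attrs part of a memberURL means for a
    'dynlist-attrset groupOfURLs memberURL member' expansion
    (assumption: my reading of slapo-dynlist(5), see the lead-in)."""
    parsed = parse_ldap_url(member_url)
    if not parsed["attrs"]:
        return "member-dn: DNs of matching entries are added as %s values" % member_ad
    if any(a.lower() == "dn" for a in parsed["attrs"]):
        return ("no expansion: 'dn' is not an attribute type, so nothing is copied; "
                "leave the attrs part empty to get DNs in %s" % member_ad)
    return "attribute-values: %s of matching entries are merged into the list entry" % (
        ",".join(parsed["attrs"]))

if __name__ == "__main__":
    for u in ("ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(uid=*)",
              "ldap:///br=Internal,o=Eurofer,c=be?uid?sub?(mail=*)",
              "ldap:///br=Internal,o=Eurofer,c=be??sub?(uid=*)"):
        print(u, "->", dynlist_check(u))
```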
2 or more filters | syntax
by A Molchanov
Hi,
situation: I need to synchronize 2 servers with 2 or more different filters or searchbases, like:
-----
searchbase="(ou=111...dc=org),(ou=222...dc=org)",
or
filter="(ou=111),(ou=222)"
---
Is this correct syntax? Would it work?
openldap becomes unresponsive
by Daniel Buttigieg
Hi,
We are running the standard openldap-2.2.13 and Berkeley DB 4.2.52
packages on a RHEL 4 server.
Every few weeks, the LDAP service will stop responding to queries,
updates etc. The service is still running etc. but it never responds to
requests.
The only way to resolve the issue is to stop ldap, run db_recover and
then start it again. This is in our test environment (it has happened 4
times recently) but we are looking to go into production soon.
Has anyone experienced similar issues on RHEL 4 or have any idea how to
prevent this from occurring?
There wasn't anything of note in the logs before the service stopped
responding (loglevel 256).
I restarted the service (without running db_recover) with loglevel -1.
Still had the same unresponsive service, but noticed this in the logs.
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on 1 descriptors
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: new connection on 9
Jan 15 12:01:51 linuxtest3 slapd[18755]: conn=0 fd=9 ACCEPT from
IP=136.186.226.57:43999 (IP=0.0.0.0:389)
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: added 9r
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on:
Jan 15 12:01:51 linuxtest3 slapd[18755]:
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on 1 descriptors
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on:
Jan 15 12:01:51 linuxtest3 slapd[18755]: 9r
Jan 15 12:01:51 linuxtest3 slapd[18755]:
Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: read activity on 9
Jan 15 12:01:51 linuxtest3 slapd[18755]: connection_get(9)
Jan 15 12:01:51 linuxtest3 slapd[18755]: connection_get(9): got connid=0
Jan 15 12:01:52 linuxtest3 slapd[18755]: connection_read(9): checking
for input on id=0
Jan 15 12:01:52 linuxtest3 slapd[18755]: ber_get_next on fd 9 failed
errno=11 (Resource temporarily unavailable)
Jan 15 12:01:52 linuxtest3 slapd[18755]: do_bind
Jan 15 12:01:52 linuxtest3 slapd[18755]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jan 15 12:01:52 linuxtest3 slapd[18755]: >>> dnPrettyNormal:
<cn=bob,dc=swin,dc=edu,dc=au>
Jan 15 12:01:52 linuxtest3 slapd[18755]: <<< dnPrettyNormal:
<cn=bob,dc=swin,dc=edu,dc=au>, <cn=bob,dc=swin,dc=edu,dc=
au>
Jan 15 12:01:52 linuxtest3 slapd[18755]: do_bind: version=3
dn="cn=bob,dc=swin,dc=edu,dc=au" method=128
Jan 15 12:01:52 linuxtest3 slapd[18755]: conn=0 op=0 BIND
dn="cn=bob,dc=swin,dc=edu,dc=au" method=128
Jan 15 12:01:52 linuxtest3 slapd[18755]: ==> bdb_bind: dn:
cn=bob,dc=swin,dc=edu,dc=au
Jan 15 12:01:52 linuxtest3 slapd[18755]:
bdb_dn2entry("cn=bob,dc=swin,dc=edu,dc=au")
Jan 15 12:01:52 linuxtest3 slapd[18755]: => bdb_dn2id(
"dc=swin,dc=edu,dc=au" )
Jan 15 12:01:52 linuxtest3 slapd[18755]: <= bdb_dn2id: got id=0x00000006
Jan 15 12:01:52 linuxtest3 slapd[18755]: => bdb_dn2id(
"cn=bob,dc=swin,dc=edu,dc=au" )
Jan 15 12:01:52 linuxtest3 slapd[18755]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-3099
0)
thanks,
Daniel
--
Daniel Buttigieg
Information Technology Services
Swinburne University of Technology