openldap-software January 2008

openldap-software@openldap.org

78 participants
79 discussions

Berkeley DB, What's the recommended version?
by Diego Woitasen 22 Jan '08

22 Jan '08

Hi, I need to compile the lastest OpenLDAP version and I want to know what's the recommended version of BDB, if there is any. The latest BDB is 4.6.21, but I want to hear some experiences. regards... diegows -- Diego Woitasen XTECH - Soluciones Linux para empresas (54) 011 5219-0678

4 6

Options of OpenLDAP 2.3.3x configure
by openldap.lists＠frei-family.ch 22 Jan '08

22 Jan '08

Hi all, this is maybe a silly newbie question and I do apologize if so. Im digging through the options of OpenLDAP 2.3.3x configure and so far I basically found the output of "configure --help" as the only information available. I also browsed through the Admin Guide, Faq-O-Matic and googled but only seemed to find the same help output over and over. What I'm after is a description of the effects which is more comprehensive than the help of configure, i.e. what are the consequences if I enable/disable a certain option. Especially I'm interested in knowing about the effects of the options --disable-cleartext --disable-spasswd --disable-passwd Can anyone provide a pointer to such information ? Thanks CF

2 1

DDS incompatible with shadow
by Dieter Kluenter 22 Jan '08

22 Jan '08

Hi, if have just setup a provider with 2.4.7 and a consumer with 2.4.7, db4.5. The provider is running, when starting the empty consumer I get slapd startup: initiated. backend_startup_one: starting "cn=config" config_back_db_open backend_startup_one: starting "o=avci,c=de" hdb_db_open: "o=avci,c=de" hdb_db_open: database "o=avci,c=de": dbenv_open(/opt/openldap/var/openldap-data/). DDS incompatible with shadow database "o=avci,c=de". backend_startup_one: bi_db_open failed! (1) slapd shutdown: initiated ====> bdb_cache_release_all ====> bdb_cache_release_all slapd destroy: freeing system resources. slapd stopped. what is DDS? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

4 3

syncrepl with x509 certificates
by Alex Samad 21 Jan '08

21 Jan '08

Hi I am trying to build a network of ldap nodes sync with syncrepl using x509 certificates. I ran into a problem when I setup the first slace node, I create a certificate that did not have SSL Client purpose, but did have SSL Server purpose - I am presuming it is this, because 2 certificates made exactly the same way, 1 fails - the non SSL Client and the other works the one that has the SSL Client purpose. I am presuming that I need both purposes SSL Server and SSL Client - the former to allow ldaps usage and the later for making ldap request and being a client in a syncrepl scenario. Is there a) a way to specify another certificate to use in the syncrepl config b) a way to not check for the SSL Client purpose in the certificate For now I am going to create on that has both purposes ... Alex -- "As you can possibly see, I have an injury myself�not here at the hospital, but in combat with a cedar. I eventually won. The cedar gave me a little scratch." - George W. Bush 01/01/2006 San Antonio, TX After visiting with wounded veterans from the Amputee Care Center of Brooke Army Medical Center

5 10

Need support to install OpenLDAP on Solaris 10 without BDB/HDB
by Dovecot Jami 17 Jan '08

17 Jan '08

Hi, I failed to install OpenLDAP on my Solaris 10 due to BDB/HDB dependencies. I have installed BarkleyDB 4.5 at /usr/local/BarkleyDB4.5/. I want to install OpenLDAP without BDB/HDB on my Solaris 10. Pls help me. Rgds, JAMI --------------------------------- Never miss a thing. Make Yahoo your homepage.

3 2

OpenLDAP/SASL working only with unhashed passwords
by Daniel Qarras 17 Jan '08

17 Jan '08

Hi all, after spending several days fighting with OpenLDAP2.3/SASL setup I'm finally at point where both sample-client/server and ldapwhoami work for a user who's got his password stored in cleartext in LDAP's userPassword field. I'm using TLS and both PLAIN and DIGEST-MD5 work. However, for a user with his password stored as SSHA has in LDAP's userPassword neither of those work. It seems that DIGEST-MD5 can only work if both sides have access to the cleartext password, right? Thus, it was expected that DIGEST-MD5 can't work. But I'm out of clues with PLAIN (over TLS, using a self-signed certificate) as why it doesn't work for a user who's password is in SSHA. The users are testusers I entered, the ldif file used was 1:1, only the uids and passwords were different. I am still missing some basic principle of SASL or what's going on here? The reason I'm writing to the OpenLDAP mailing list is that with the user failing to authenticate slapd is logging errors that are not present with the ok'd user. ldapwhoami says: root@localhost:~# ldapwhoami -U qwe -Y PLAIN -ZZ SASL/PLAIN authentication started Please enter your password: SASL username: qwe SASL SSF: 0 dn:uid=qwe,ou=people,dc=intra Result: Success (0) root@localhost:~# ldapwhoami -U dq -Y PLAIN -ZZ SASL/PLAIN authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: Password verification failed root@localhost:~# And the server says in the latter case: do_sasl_bind: dn () mech PLAIN ==> sasl_bind: dn="" mech=PLAIN datalen=6 SASL Canonicalize [conn=1]: authcid="dq" slap_sasl_getdn: conn 1 id=dq [len=2] => ldap_dn2bv(16) <= ldap_dn2bv(uid=dq,cn=PLAIN,cn=auth)=0 slap_sasl_getdn: u:id converted to uid=dq,cn=PLAIN,cn=auth >>> dnNormalize: <uid=dq,cn=PLAIN,cn=auth> => ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth,0) <= ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=dq,cn=plain,cn=auth)=0 <<< dnNormalize: <uid=dq,cn=plain,cn=auth> ==>slap_sasl2dn: converting SASL name uid=dq,cn=plain,cn=auth to a DN slap_authz_regexp: converting SASL name uid=dq,cn=plain,cn=auth slap_authz_regexp: converted SASL name to uid=dq,ou=People,dc=intra slap_parseURI: parsing uid=dq,ou=People,dc=intra ldap_url_parse_ext(uid=dq,ou=People,dc=intra) >>> dnNormalize: <uid=dq,ou=People,dc=intra> => ldap_bv2dn(uid=dq,ou=People,dc=intra,0) <= ldap_bv2dn(uid=dq,ou=People,dc=intra)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=dq,ou=people,dc=intra)=0 <<< dnNormalize: <uid=dq,ou=people,dc=intra> <==slap_sasl2dn: Converted SASL name to uid=dq,ou=people,dc=intra slap_sasl_getdn: dn:id converted to uid=dq,ou=people,dc=intra SASL Canonicalize [conn=1]: slapAuthcDN="uid=dq,ou=people,dc=intra" SASL Canonicalize [conn=1]: authcid="dq" slap_sasl_getdn: conn 1 id=dq [len=2] => ldap_dn2bv(16) <= ldap_dn2bv(uid=dq,cn=PLAIN,cn=auth)=0 slap_sasl_getdn: u:id converted to uid=dq,cn=PLAIN,cn=auth >>> dnNormalize: <uid=dq,cn=PLAIN,cn=auth> => ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth,0) <= ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=dq,cn=plain,cn=auth)=0 <<< dnNormalize: <uid=dq,cn=plain,cn=auth> ==>slap_sasl2dn: converting SASL name uid=dq,cn=plain,cn=auth to a DN slap_authz_regexp: converting SASL name uid=dq,cn=plain,cn=auth slap_authz_regexp: converted SASL name to uid=dq,ou=People,dc=intra slap_parseURI: parsing uid=dq,ou=People,dc=intra ldap_url_parse_ext(uid=dq,ou=People,dc=intra) >>> dnNormalize: <uid=dq,ou=People,dc=intra> => ldap_bv2dn(uid=dq,ou=People,dc=intra,0) <= ldap_bv2dn(uid=dq,ou=People,dc=intra)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=dq,ou=people,dc=intra)=0 <<< dnNormalize: <uid=dq,ou=people,dc=intra> <==slap_sasl2dn: Converted SASL name to uid=dq,ou=people,dc=intra slap_sasl_getdn: dn:id converted to uid=dq,ou=people,dc=intra SASL Canonicalize [conn=1]: slapAuthcDN="uid=dq,ou=people,dc=intra" => bdb_search bdb_dn2entry("uid=dq,ou=people,dc=intra") => bdb_dn2id("uid=dq,ou=people,dc=intra") <= bdb_dn2id: got id=0x0000007b entry_decode: "uid=dq,ou=People,dc=intra" <= entry_decode(uid=dq,ou=People,dc=intra) base_candidates: base: "uid=dq,ou=people,dc=intra" (0x0000007b) => test_filter PRESENT => access_allowed: auth access to "uid=dq,ou=People,dc=intra" "objectClass" requested => acl_get: [2] attr objectClass => acl_mask: access to entry "uid=dq,ou=People,dc=intra", attr "objectClass" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => access_allowed: auth access granted by read(=rscxd) <= test_filter 6 => access_allowed: auth access to "uid=dq,ou=People,dc=intra" "userPassword" requested => acl_get: [1] attr userPassword => acl_mask: access to entry "uid=dq,ou=People,dc=intra", attr "userPassword" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: self <= check a_dn_pat: * <= acl_mask: [2] applying auth(=xd) (stop) <= acl_mask: [2] mask: auth(=xd) => access_allowed: auth access granted by auth(=xd) slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined send_ldap_result: conn=1 op=1 p=3 send_ldap_result: err=0 matched="" text="" SASL [conn=1] Failure: Password verification failed send_ldap_result: conn=1 op=1 p=3 send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed" send_ldap_response: msgid=2 tag=97 err=49 So why I'm seeing "str2ad(cmusaslsecretPLAIN): attribute type undefined" with a user who's password is stored as SSHA? Any hints would be highly appreciated, I've really read the docs, experimented with different configs, and slow I've been stumbling along but this seems to be just too hard to grok. Thanks! ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

3 3

LDAP config problem with GSSAPI: No such file or directory
by Listbox 17 Jan '08

17 Jan '08

Hi folks, I'm having a real hard time debugging this. I'm a newbie, trying to do a new ldap+kerberos install , on a new Fedora 7 box. I can't get ldapsearch or ldapwhoami to work locally. I thought it was a read problem with the keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew ware readable by slapd, and that did not help. I clso check permissions on my certificates, and that seems OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not. Any help would be greatly appreciated :) ******************************************* ******************************************* [installer@trixter ~]$ ldapwhoami -V -Y GSSAPI ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $ kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3 .34/openldap-2.3.34/build-clients/clients/tools (LDAP library: OpenLDAP 20333) SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory) ******************************************* ******************************************* [installer@trixter ~]$ klist Ticket cache: FILE:/tmp/krb5cc_500 Default principal: installer(a)HYMESRUZICKA.ORG Valid starting Expires Service principal 01/15/08 13:11:43 01/16/08 13:11:43 krbtgt/HYMESRUZICKA.ORG(a)HYMESRUZICKA.ORG 01/15/08 13:12:35 01/16/08 13:11:43 ldap/trixter.hymesruzicka.org(a)HYMESRUZICKA.ORG Kerberos 4 ticket cache: /tmp/tkt500 klist: You have no tickets cached ******************************************* ******************************************* [installer@trixter ~]$ cat /etc/openldap/ldap.conf # # LDAP Defaults # # This file should be world readable but not world writable. BASE dc=hymesruzicka,dc=org URI ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636 TLS_CACERTDIR /etc/openldap/cacerts/ TLS_REQCERT allow #SIZELIMIT 12 TIMELIMIT 5 #DEREF never ******************************************* ******************************************* ******************************************* ******************************************* I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not show which resource is not accessable. Actually I'm surprized that strace does no show any attempts to open the keytabs or anything in /etc/openldap/cacerts... Thanks! Listbox

3 3

dynlist how to
by Guy Deleeuw 16 Jan '08

16 Jan '08

Hello all I run openldap on a debian box : root@nova:LdapDeb# slapd -V @(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 09:54:28) $ buildd@caballero:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd root@nova:LdapDeb# I use the dynlist overlay configurated in slapd.conf like this : overlay dynlist dynlist-attrset groupOfURLs memberURL member The ldif entry : dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be objectClass: groupOfURLs cn: dynUsers ou: dynUsers memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(uid=*) The search does not expand each member: cn=... root@nova:LdapDeb# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*" dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be objectClass: groupOfURLs cn: dynUsers ou: dynUsers memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(mail=*) If I replace 'dn' by uid all work fine : root@nova:LdapDeb# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*" dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be objectClass: groupOfURLs cn: dynUsers ou: dynUsers memberURL: ldap:///br=Internal,o=Eurofer,c=be?uid?sub?(mail=*) uid: dominique uid: freddy uid: valerie ... What is missing in my config ? it is not permitted to return the dn ? Thanks in advance for your help Guy

3 11

2 or more filters | syntax
by A Molchanov 16 Jan '08

16 Jan '08

Hi, situation: its need to synchronize 2 servers with 2 or more different filters or searchbases, like: ----- searchbase="(ou=111...dc=org),(ou=222...dc=org)", or filter="(ou=111),(ou=222)" --- is correct syntax? would it works??

4 3

openldap becomes unresponsive
by Daniel Buttigieg 16 Jan '08

16 Jan '08

Hi, We are running the standard openldap-2.2.13 and Berkeley DB 4.2.52 packages on a RHEL 4 server. Every few weeks, the LDAP service will stop responding to queries, updates etc. The service is still running etc. but it never responds to requests. The only way to resolve the issue is to stop ldap, run db_recover and then start it again. This is in our test environment (it has happened 4 times recently) but we are looking to go into production soon. Has anyone experience similar issues on RHEL 4 or have any idea how to prevent this from occurring? There wasn't anything of note in the logs before the service stopped responding (loglevel 256). I restarted the service (without running db_recover) with loglevel -1. Still had the same unresponsive service, but noticed this in the logs. Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on 1 descriptors Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: new connection on 9 Jan 15 12:01:51 linuxtest3 slapd[18755]: conn=0 fd=9 ACCEPT from IP=136.186.226.57:43999 (IP=0.0.0.0:389) Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: added 9r Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on: Jan 15 12:01:51 linuxtest3 slapd[18755]: Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: select: listen=6 active_threads=0 tvp=NULL Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on 1 descriptors Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: activity on: Jan 15 12:01:51 linuxtest3 slapd[18755]: 9r Jan 15 12:01:51 linuxtest3 slapd[18755]: Jan 15 12:01:51 linuxtest3 slapd[18755]: daemon: read activity on 9 Jan 15 12:01:51 linuxtest3 slapd[18755]: connection_get(9) Jan 15 12:01:51 linuxtest3 slapd[18755]: connection_get(9): got connid=0 Jan 15 12:01:52 linuxtest3 slapd[18755]: connection_read(9): checking for input on id=0 Jan 15 12:01:52 linuxtest3 slapd[18755]: ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable) Jan 15 12:01:52 linuxtest3 slapd[18755]: do_bind Jan 15 12:01:52 linuxtest3 slapd[18755]: daemon: select: listen=6 active_threads=0 tvp=NULL Jan 15 12:01:52 linuxtest3 slapd[18755]: >>> dnPrettyNormal: <cn=bob,dc=swin,dc=edu,dc=au> Jan 15 12:01:52 linuxtest3 slapd[18755]: <<< dnPrettyNormal: <cn=bob,dc=swin,dc=edu,dc=au>, <cn=bob,dc=swin,dc=edu,dc= au> Jan 15 12:01:52 linuxtest3 slapd[18755]: do_bind: version=3 dn="cn=bob,dc=swin,dc=edu,dc=au" method=128 Jan 15 12:01:52 linuxtest3 slapd[18755]: conn=0 op=0 BIND dn="cn=bob,dc=swin,dc=edu,dc=au" method=128 Jan 15 12:01:52 linuxtest3 slapd[18755]: ==> bdb_bind: dn: cn=bob,dc=swin,dc=edu,dc=au Jan 15 12:01:52 linuxtest3 slapd[18755]: bdb_dn2entry("cn=bob,dc=swin,dc=edu,dc=au") Jan 15 12:01:52 linuxtest3 slapd[18755]: => bdb_dn2id( "dc=swin,dc=edu,dc=au" ) Jan 15 12:01:52 linuxtest3 slapd[18755]: <= bdb_dn2id: got id=0x00000006 Jan 15 12:01:52 linuxtest3 slapd[18755]: => bdb_dn2id( "cn=bob,dc=swin,dc=edu,dc=au" ) Jan 15 12:01:52 linuxtest3 slapd[18755]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-3099 0) thanks, Daniel -- Daniel Buttigieg Information Technology Services Swinburne University of Technology

4 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2008