openldap-software January 2008

openldap-software@openldap.org

78 participants
79 discussions

Re: Re: ACL problem, restrict access to several attributes
by mheinric＠imn.htwk-leipzig.de 16 Jan '08

16 Jan '08

>>mheinric(a)imn.htwk-leipzig.de wrote: >> Hi >> >> im trying to get an openldap server (2.3.) running with acl restricting access to special attributes >> >> tb_READ should be allowed to search in the ou people but must not read any attributes then telephoneNumber, cn, sn, uid... >> >> so i added this access rule to my slapd.conf : >> >> access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName >> by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read > >If you don't allow access to the "entry" attribute somewhere else, that's why it >doesn't work: > >(Quoting Adminguide23, 6.3.1) >"To read (and hence return) a target entry, the subject must have read access to >the target's entry attribute." > >bye >Christian >-- >Christian Marg mail : mailto:marg@rz.tu-clausthal.de >Dezernat 2 TU Clausthal web : http://www.tu-clausthal.de >D-38678 Clausthal-Zellerfeld fon : 05323/72-2107 >Germany jabber: ifcma(a)jabber.tu-clausthal.de thanks, i added "entry" and "objectClass" to the "attrs" and searching works fine too ___________________________________ NOCC, http://nocc.sourceforge.net

1 0

N-Way Multi-Master when one server down
by Chris G. Sellers 16 Jan '08

16 Jan '08

I'm noticing that with N-Way Multi-master servers, if one server is down or crashed, the updates don't always get to this server once it's back up. (e..g updates are not queued and when the connection re- establishes it does not flush out that queue) Do I understand this to be correct? Can you adjust the retry time settings to help mitigate this? Thanks Sellers ______________________________________________ Chris G. Sellers | NITLE Technology 734.661.2318 | chris.sellers(a)nitle.org AIM: imthewherd | GTalk: cgseller(a)gmail.com

3 2

no timeout and proxy still contacting server
by Nathan Morrow 15 Jan '08

15 Jan '08

Sorry I haven't gotten an answer on how to respond to threads while receiving daily digests of this forum, but her it continues. Wonderful help. It showed that I wasn't indexing the attribute I was querying. That is done and now the debug level responds with QUERY ANSWERABLE. Looks like the proxy is actually working. Well, almost. If the master server is there, it returns with the answer and all looks good. If the master server isn't there for the proxy, the proxy still responds in debug with QUERY ANSWERABLE, but blocks after that. This causes ldapsearch to stay blocked as well. Why would a proxy still check with the master If the proxy is working? I want to use this to relieve processing from the master. It also gets back to the other part of my problem. Since it seems to block indefinitely, how can I set a decent timeout for slapd? Again, thanks for the help so far. Nathan "Nathan Morrow" <nmorrow(a)spotswood.org> writes: > Two questions for the group > > 1. > > I am running slapd as a ldap proxy which is working fine. I have > tried idetimeout and idle-timeout to shorten the query if the tcp > connection isn?t there for the proxy, but the connection still seems > to hang indefinitely. Again, it works fine when the master ldap > server is there. > overlay pcache > > proxyCache bdb 100000 1 1000 100 > > proxyAttrset 0 proxyAddresses > > proxyTemplate (&(objectClass=)(proxyAddresses=)) 0 3600 > > The query (that works when the master server is available) below, > doesn?t work when the same request is made after that and the server > isn?t there. But that shouldn?t matter if the cache were used. Alas, > no luck. > > ldapsearch -x -D 'CN=MTA,OU=Restricted,DC=fake,DC=com? -b > 'OU=Staff,DC=fake,DC=com' -l 5 -Z "(& > (objectClass=person)(proxyAddresses=SMTP:user@fake.com))" > proxyAddresses In order to test the proxy caching function run your proxy slapd with -d pcache. -Dieter -- Dieter Kl?nter | Systemberatung http://www.dkluenter.de <http://www.dkluenter.de/> GPG Key ID:8EF7B6C6

1 0

Re: query timeout and proxytemplate
by Nathan Morrow 15 Jan '08

15 Jan '08

Wonderful help. It showed that I wasn't indexing the attribute I was querying. That is done and now the debug level responds with QUERY ANSWERABLE. Looks like the proxy is actually working. Well, almost. If the master server is there, it returns with the answer and all looks good. If the master server isn't there for the proxy, the proxy still responds in debug with QUERY ANSWERABLE, but blocks after that. This causes ldapsearch to stay blocked as well. Why would a proxy still check with the master If the proxy is working? I want to use this to relieve processing from the master. It also gets back to the other part of my problem. Since it seems to block indefinitely, how can I set a decent timeout for slapd? Again, thanks for the help so far. Nathan ------------------------------ Date: Mon, 14 Jan 2008 10:09:53 +0100 From: "Dieter Kluenter" <dieter(a)dkluenter.de> Subject: Re: query timeout and proxytemplate To: openldap-software(a)openldap.org Message-ID: <87hchglqn2.fsf(a)magenta.l4b.de> Content-Type: text/plain; charset=utf-8 "Nathan Morrow" <nmorrow(a)spotswood.org> writes: > Two questions for the group > > 1. > > I am running slapd as a ldap proxy which is working fine. I have > tried idetimeout and idle-timeout to shorten the query if the tcp > connection isn?t there for the proxy, but the connection still seems > to hang indefinitely. Again, it works fine when the master ldap > server is there. > overlay pcache > > proxyCache bdb 100000 1 1000 100 > > proxyAttrset 0 proxyAddresses > > proxyTemplate (&(objectClass=)(proxyAddresses=)) 0 3600 > > The query (that works when the master server is available) below, > doesn?t work when the same request is made after that and the server > isn?t there. But that shouldn?t matter if the cache were used. Alas, > no luck. > > ldapsearch -x -D 'CN=MTA,OU=Restricted,DC=fake,DC=com? -b > 'OU=Staff,DC=fake,DC=com' -l 5 -Z "(& > (objectClass=person)(proxyAddresses=SMTP:user@fake.com))" > proxyAddresses In order to test the proxy caching function run your proxy slapd with -d pcache. -Dieter -- Dieter Kl?nter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6 ------------------------------

2 1

Slapd running out of file descriptors (leak?)
by Diego Woitasen 15 Jan '08

15 Jan '08

Hi, I have OpenLDAP 2.3.27, Redhat 5 package, and it's running out of file descriptors suddendly. It's works fine a few days, but runs out of FDs and the the solution is restart. I think It's a bug, because see the following weird thing with lsof: slapd 19157 ldap 303u sock 0,5 193051928 can't identify protocol The file descriptors from 159 up to 4094 are like that. Under normal operations I don't see FDs like these, only have 100 FDs aprox in the rush hour. I don't have any interesting in the log and this is not a file descriptor limit problem. regards, diegows -- Diego Woitasen XTECH - Soluciones Linux para empresas (54) 011 5219-0678

2 1

configure: error: Berkeley DB version mismatch
by Rakesh Yadav 15 Jan '08

15 Jan '08

Hi, I am installing openLDAP 2.3.28 with BerkeleyDB.4.6. I have already installed BerkeleyDB.4.6 export CPPFLAGS="-I/usr/local/BerkeleyDB.4.6/include -I/usr/local/ssl/include/openssl" export LDFLAGS="-L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/ssl/lib" ./configure --enable-slapd --enable-sql --with-cyrus-sasl --enable-crypt Configuring OpenLDAP 2.3.38-Release ... checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking target system type... x86_64-unknown-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c ..... ..... checking for Berkeley DB major version... 4 checking for Berkeley DB minor version... 6 checking for Berkeley DB link (-ldb-4)... yes checking for Berkeley DB version match... no configure: error: Berkeley DB version mismatch ------------------------------------------------------------------------------------------------------------- I have installed BerkeleyDB.4.6 Then why it is giving version mismatch error ? Please reply Thanks Rakesh Yadav

2 1

delete: Internal (implementation specific) error (80)
by jehan procaccia 14 Jan '08

14 Jan '08

Hello, when I want to delete an entry I get "delete: Internal (implementation specific) error (80)" . I run openldap-2.3.32 on a Fedora Core release 5 Example: $ ldapdelete mail=woaa(a)int-edu.eu,ou=AliasesSympa,dc=int-evry,dc=fr -D cn=admin,dc=int-evry,dc=fr -W -d 4 -H ldaps://ldapmaster.int-evry.fr -Z -x request done: ld 0x8874110 msgid 2 request done: ld 0x8874110 msgid 3 ldap_delete: Internal (implementation specific) error (80) additional info: DN index delete failed ldap logs Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=1 BIND dn="cn=admin,dc=int-evry,dc=fr" method=128 Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=1 BIND dn="cn=admin,dc=int-evry,dc=fr" mech=SIMPLE ssf=0 Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=1 RESULT tag=97 err=0 text= Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=2 DEL dn="mail=woaa(a)int-edu.eu,ou=AliasesSympa,dc=int-evry,dc=fr" Jan 14 17:11:53 ldapmaster slapd[25329]: => bdb_dn2id_delete: parent (ou=aliasessympa,dc=int-evry,dc=fr) delete failed: -30989 Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=2 RESULT tag=107 err=80 text=DN index delete failed Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=3 UNBIND Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 fd=45 closed () thanks .

1 0

query timeout and proxytemplate
by Nathan Morrow 14 Jan '08

14 Jan '08

Two questions for the group 1. I am running slapd as a ldap proxy which is working fine. I have tried idetimeout and idle-timeout to shorten the query if the tcp connection isn't there for the proxy, but the connection still seems to hang indefinitely. Again, it works fine when the master ldap server is there. To test I am actually closing the hole in the firewall to the server on the ldap port. The firewall doesn't respond at all to the request. Then I am running and ldapsearch against localhost (the proxy slapd). I have tried the ldapsearch command with and without the -l parameter to limit the request there as well with no success. Any ideas? 2. I have the proxy overlay running (details below). From everything I read it looks good to me, but I haven't found many examples. I really only want to cache the proxyAddresses attribute and possible the objectClass type, as that is all I will be querying. The below is meant to do that. I have removed the objectClass from the template, no better. I have added objectClass as part of the proxyAttrset, no better. overlay pcache proxyCache bdb 100000 1 1000 100 proxyAttrset 0 proxyAddresses proxyTemplate (&(objectClass=)(proxyAddresses=)) 0 3600 The query (that works when the master server is available) below, doesn't work when the same request is made after that and the server isn't there. But that shouldn't matter if the cache were used. Alas, no luck. ldapsearch -x -D 'CN=MTA,OU=Restricted,DC=fake,DC=com' -b 'OU=Staff,DC=fake,DC=com' -l 5 -Z "(&(objectClass=person)(proxyAddresses=SMTP:user@fake.com))" proxyAddresses

2 1

openldap 2.4.6 bug in LDAP searchRequest when derefAliases=derefInSearching and scope=wholeSubtree
by Antonio Alonso 12 Jan '08

12 Jan '08

Hi ! I think I have found a a bug in openLDAP 2.4.6 (maybe I am misunderstanding RFC4511 ...). I explain the test case where (maybe) I found it: I have created an alias (alias_entry) which points to another created entry (pointed_entry). I have not created any subordinate entry under "alias_entry" nor under "pointed_entry. Using always the "alias_entry" as the "searchRequest.baseObject" I have been checking the answers obtained from an slapd/back-bdb as I change the values of "searchRequest.scope" and "searchRequest.derefAliases" fields (I am checking -and assuring- with "wireShark" that the LDAP searchRequest messages being sent to the slapd process are the desired ones). I found the expected behaviour (according to RFC4511) in all cases except for the following one: - searchRequest.scope: wholeSubtree - searchRequest.derefAliases: derefInSearching I received two LDAP searchResEntry messages (instead of the single one expected) !!! (1) One for the "alias_entry" (where I can see the "aliasedObjectName" attribute set to the pointed_entry's dn) ==> OK (2) One for the "pointed_entry" ==> ??????? As far as I understand RFC4511 the second entry should NOT be returned from the LDAP server !!!! BR / Antonio > Antonio Alonso Alarcón CUDB System Engineer > Ericsson España, S.A. Phone: +34 91339 3085 Via de los Poblados 13 Mobile: +34 609640579 (66215) 28033 Madrid, Spain Fax: +34 91339 1636 E-mail: Antonio.Alonso(a)ericsson.com

1 0

rewriting search scope
by Me Me 11 Jan '08

11 Jan '08

Hi all. I'm looking at using the rwm rewriter to rewite some ldap queries. The rewrite contexts don't list an entry for the search scope. How can I rewrite the scope for a search from say sub (subtree) to one. Also, is there a way to get the ldap query in uri format in the rewriter, so instead of using a context to get each section can you write the uri (which may help my first question). Eg to get "http://ldap.server.com/o=searchbase,dc=site?sub?(someattr=somevalue)" Once you get the uri like this, you can easily parse it..Thanks.... ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2008