openldap-software October 2008

openldap-software@openldap.org

55 participants
54 discussions

Supported RFC's and "features"
by Clowser, Jeff (Contractor) 13 Jul '09

13 Jul '09

I'm currently doing a review to see how OpenLDAP compares, *feature wise* ATM, to other directory servers and specifically to the Sun DS - i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. For brevity, I haven't included all the potentially useful features of OpenLDAP, but have just focused on those associated with 1) RFC compliance (of which Sun may or may not meet) and 2) features to match the Sun DS (which it would be replacing). So far, here's what I have for OpenLDAP: RFC 4510 (which includes 4511-4519). There was recent discussion on the list around this, such that in some cases, not everything that changed from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been updated in OpenLDAP, but I think those issues are fairly minor. The following additional RFC's are supported in OpenLDAP: - RFC 2247 and RFC 3088 - RFC 2696 simple paged results - RFC 2849 ldif - RFC 3062 password mod op - RFC 3296 named referals, manageDSAit - RFC 3673 All Op attrs + feature - RFC 3687 Component matching rules - RFC 3866 Languange tag and range - RFC 3876 matched values control - RFC 4370 proxy auth - RFC 4522 binary encoding - RFC 4523 x.509 cert schema - RFC 4524 COSINE schema - RFC 4525 Mod-increment - RFC 4526 Absolute true/false filters - RFC 4527 pre/post read control - RFC 4528 assertion control - RFC 4529 request attrs by objectclass - RFC 4530 entryUUID - RFC 4532 whoamI - RFC 4533 Content Sync op (replication) RFC's NOT supported are: - RFC 2589 dds Seems with 2.4, this has gone from experimental to production quality? - RFC 2891 server side sorting - RFC 3671 collective attributes - RFC 3928 LCUP mainly for updating cached addressbooks, etc - not replication between servers - RFC 3384 looks like just reqs for replication, not an actual replication protocol - RFC 4533 is used instead Unknown: - RFC 3672 (subentries) - RFC 3698 and 3727 (additional matching rules) - RFC 3909 LDAP Cancel operation - RFC 5020 entryDN operational attribute (There are some other, often obscure, LDAP related RFC's that I didn't include, but this seems to be the major/useful ones) Other features not supported: - VLV browse indexes (per http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an RFC, but supported by Sun and MS directories, and used by things like Outlook and Solaris. Other supported features: - dyngroup/dynlist/memberof overlay (A much more useful feature than Sun's groupOfURLs "dynamic" group and "roles" mechanism) - ppolicy overlay (matches Sun DS 5.x reasonably close, but is account lockout replicated to all servers? Sun DS 6.x claims to) - refint overlay (similar to Sun's referential integrity plugin) - unique overlay (similar to Sun's uniqueness plugin) - audit and accesslog overlays, syslog logging - much more useful/complete than Sun's access/audit/error logs. - live acl changes via LDAP Unknown features: - Per user resource limits (sizelimit, timelimit, idletimeout, etc). I think Howard Chu said OpenLDAP has some of this, but I haven't seen any reference to it or how to use it in the docs (does this functionality exist, and if so, is there any documentation?) - Tracking of last login (i.e. last successful ldap authentication) Is this still fairly accurate? The ones that are really problematic are the lack of: - VLV Browse indexes - RFC 2891 (server side sorting) - per user/entry resources limits (if they don't exist) Are there any unofficial updates/patches/overlays/plans for any of this functionality? Thanks, - Jeff

11 29

DDS object does not expire?
by manu＠netbsd.org 15 Nov '08

15 Nov '08

Hello I am trying out slapo-dds. I haver this in slapd.conf: overlay dds dds-state TRUE dds-max-ttl 1d dds-min-ttl 10s dds-default-ttl 1h dds-interval 120s dds-tolerance 5s Then I created an entry with this: objectClass: dynamicObject I had this automatically generated. entryTtl: 3600 entryExpireTimestamp: 20081029215410Z But now this entry should be expired, and it is still in the tree. What is wrong? Did I misunderstood the documentation, shoudln't it vanish now? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

3 8

ACL regex and attribute value
by Emmanuel Dreyfus 11 Nov '08

11 Nov '08

Helo Is the kind of ACL below supported? access to dn.regex="^uid=.+,(ou=.+),o=org$" attrs=foo val.regex="^(.*)$" by ... I expect $1 to hold ou=whatever and $2 to hold attribute foo value that gets modified. I have trouble to get it working, and I wonder if 1) are $<digit> supported in val.regex ? 2) is it allowed touse $<digit> with multiples regex? Ot will the values gathered by the last match overwrite the first one? -- Emmanuel Dreyfus manu(a)netbsd.org

3 2

bdb 4.6 issue with 2.4.12
by Guillaume Rousse 05 Nov '08

05 Nov '08

Since I upgraded one of my server from 2.4.11 to 2.4.12, I'm facing heavy database issues: [root@etoile ~]# slapcat -b dc=msr-inria,dc=inria,dc=fr ... bdb(dc=msr-inria,dc=inria,dc=fr): pthread lock failed: Invalid argument bdb(dc=msr-inria,dc=inria,dc=fr): PANIC: Invalid argument bdb(dc=msr-inria,dc=inria,dc=fr): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery bdb(dc=msr-inria,dc=inria,dc=fr): PANIC: fatal region error detected; run recovery bdb_db_close: database "dc=msr-inria,dc=inria,dc=fr": close failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975) Even importing a backup ldiff file on a fresh installation triggers the same problems. I tested this problem on two different environment (mandriva 2008.1, mandriva cooker), and one user reported it against mandriva 2009.0 (https://qa.mandriva.com/show_bug.cgi?id=45034). This seems to either imply an openldap or a packaging issue. Should I report an ITS for this, or rather provide more informations ? -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62

4 8

delta-syncrepl and acl limitation
by COMBES Julien - CETE Lyon/DI/ET/PAMELA 05 Nov '08

05 Nov '08

Hello I use openldap 2.3.39. The Openldap admin guide indicates that (in chapter 15 for the openldap 2.3 and 17.2.1 for 2.4) : "Syncrepl supports both partial and sparse replications. The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list. The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection." So, I understand that, in syncrepl, I could do a partial replication on the slave with ACL limitation on the master. I have tried this with delta-syncrepl (with accesslog) but it doesn't seem to work with that kind of message on the slave : slapd : syncrepl_message_to_op: rid 252 be_modify cn=one_entry,ou=foo,ou=bar,dc=my,dc=domain (32) The slave doesn't have the entry (due to ACL limitations) but see modifications on it in the accesslog base and try to synchronize the entry. With delta-syncrepl, is it possible to do partial replication on slave with ACL limitation on master ? --------------------------------------------------------------------- master delta-syncrepl conf : # Accesslog database hdb suffix "cn=accesslog" rootdn "cn=accesslog" directory "/var/lib/ldap/accesslog" index entryCSN,objectClass,reqEnd,reqResult,reqStart eq overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE limits dn.regex="cn=syncuser\..*,ou=foo,ou=bar,dc=my,dc=domain" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited database hdb suffix "dc=my,dc=domain" rootdn "dc=my,dc=domain" [...] overlay syncprov syncprov-checkpoint 100 10 overlay accesslog logdb "cn=accesslog" logops writes logsuccess TRUE logpurge 07+00:00 01+00:00 --------------------------------------------------------------------- slave delta-syncrepl conf : syncrepl rid=252 provider=ldaps://ldapmaster.my.domain type=refreshAndPersist retry="60 10 300 +" searchbase="dc=my,dc=domain" filter="(objectClass=*)" scope=sub schemachecking=off updatedn="cn=replicsyncrepl,ou=foo,ou=bar,dc=my,dc=domain" bindmethod=simple binddn="cn=syncuser.slaveone,ou=foo,ou=bar,dc=my,dc=domain" credentials=<secret> logbase="cn=accesslog" syncdata=accesslog updateref ldaps://ldapmaster.my.domain --------------------------------------------------------------------- Regards, Julien

3 4

TLS problems with OpenLDAP
by LÉVAI Dániel 03 Nov '08

03 Nov '08

Hi! I've recreated my certificate/key pair, beacuse I can't seem get over this issue. I've changed the hostname in the certificate to the ip address of the server. OpenLDAP 2.4.11, Debian testing/lenny system. Could someone tell me why this would fail: $ ldapsearch -d 1 -ZZWx '(objectclass=*)' -H ldap://192.168.1.3 ldap_url_parse_ext(ldap://192.168.1.3) ldap_create ldap_url_parse_ext(ldap://192.168.1.3:389/??base) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 192.168.1.3:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.1.3:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 31 bytes to sd 3 ldap_result ld 0x6120a0 msgid 1 wait4msg ld 0x6120a0 msgid 1 (infinite timeout) wait4msg continue ld 0x6120a0 msgid 1 all 1 ** ld 0x6120a0 Connections: * host: 192.168.1.3 port: 389 (default) refcnt: 2 status: Connected last used: Fri Oct 31 22:36:46 2008 ** ld 0x6120a0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x6120a0 request count 1 (abandoned 0) ** ld 0x6120a0 Response Queue: Empty ld 0x6120a0 response count 0 ldap_chkResponseList ld 0x6120a0 msgid 1 all 1 ldap_chkResponseList returns ld 0x6120a0 NULL ldap_int_select read1msg: ld 0x6120a0 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x6120a0 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x6120a0 0 new referrals read1msg: mark request completed, ld 0x6120a0 msgid 1 request done: ld 0x6120a0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS: hostname (192.168.1.3) does not match common name in certificate (192.168.1.3). ldap_err2string ldap_start_tls: Connect error (-11) That last "TLS:" prefixed message bothers me; it tells me that 192.168.1.3 doesn't match with 192.168.1.3?! Why? Daniel -- LEVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1

2 3

SASL
by John Nietzsche 01 Nov '08

01 Nov '08

Dear list members, i have just setted, in my environment, kerberos, cyrus-sasl and openldap. My host operational plataform is Debian. I am facing a situation like this: altough i configured cyrus SASL i can't see its mech with the following command: sioux@gustav:~/ldap$ ldapsearch -x -b "" -s base supportedSASLMechanisms # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedSASLMechanisms # # dn: # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 sioux@gustav:~/ldap$ My ldap server ldd output is: gustav:/etc/ldap# ldd `which slapd` linux-gate.so.1 => (0xffffe000) libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f1c000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f10000) libiodbc.so.2 => /usr/lib/libiodbc.so.2 (0xb7ec8000) libslp.so.1 => /usr/lib/libslp.so.1 (0xb7eb9000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ea3000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e64000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d2a000) libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7cfc000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7ce8000) libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cd6000) libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb7ccf000) libwrap.so.0 => /lib/libwrap.so.0 (0xb7cc7000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7b96000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b92000) libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7b7b000) libz.so.1 => /usr/lib/libz.so.1 (0xb7b67000) /lib/ld-linux.so.2 (0xb7f6b000) gustav:/etc/ldap# May some one help with this stuff? Thanks a lot for your time and cooperation. Best regards.

3 2

How to create database?
by Alfonsas Stonis 31 Oct '08

31 Oct '08

Hi, I installed Openldap on Centos 4.7. However, it did not create database. So when I connect to it there is no data. So I get exception - object not found: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'dc=nodomain' I have tried everything that is suggested in ldap documentation. However, nothing works. I have impression that all documentation is only after you have data base set up and how to add data to existing data, but there is nothing how to create it from scratch. Any help, I am stuck with this problem already for 3 days :(. Alfas

2 1

Upgrading 2.3.35 to 2.4.11 - best approach?
by Lesley Walker 31 Oct '08

31 Oct '08

Hi all, I looked in the online version of the Admin Guide for upgrade instructions, but they don't seem to have been written. So I have come to the experts for guidance. I have successfully compiled and installed the new version, and run it as a slave in our existing system. I allowed to create its database via syncrepl, and that worked a treat (although it took longer than I expected). It's been happily running for a while and I have no issues. My question is really, what's the best way to approach the upgrade of the master server? Since we're going from BDB4.2 to BDB4.4, I assume it wouldn't be be a good idea to just plug the existing database into the new code. If I slapcat the old version and slapadd the data into the new version, will that cause the entire database to be resynced out to all slave servers? We have about 100 slave servers, and the thought of (effectively) resetting all their sync cookies all at once makes me shudder. My other option, since all servers run matching environments, would be to take a copy of the database from a replicated 2.4.11 slave and plug that straight in (having disallowed updates and replication, and taken any other safety measures I can think of). Would this be a stupid risk, or would you expect it to work okay? Our site info: All servers run Debian 4.0 (Etch) with near-as-dammit identically configured systems Kernel is 2.6.22 One master server, many slaves with identical databases. Replication is done by syncrepl Bandwidth to some sites is limited About 12000 records in the database Thanks, Lesley W -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

3 2

Acl problem "no write access to parent"
by Muzammel Asghar 30 Oct '08

30 Oct '08

Hi guys i need an acl like that access to dn.subtree="ou=Company_People,dc=company,dc=com" attrs=cn,member by dn="uid=testadmin,ou=People,dc=company,dc=com" write by dn="uid=admin,ou=People,dc=company,dc=com" write by users read by * none It works fine for me that uid=testadmin has only rights on two attributs cn,member under "ou=Company_People,dc=company,dc=com" But i need one more right to that uid=testadmin to create new cn (group) under this "ou=Company_People,dc=company,dc=com" when i try to add new cn under "ou=Company_People,dc=company,dc=com" by using this uid=testadmin it gives me following error ldapadd: Insufficient access (50) additional info: no write access to paren Please help me regarding this matter Thanks

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2008