openldap-software October 2008

openldap-software@openldap.org

55 participants
54 discussions

n-way replication question
by Dieter Kluenter 30 Oct '08

30 Oct '08

6 15

TLS problems with openldap
by LÉVAI Dániel 30 Oct '08

30 Oct '08

Hi! I need some assistance regarding TLS configuration. So, I'm using OpenLDAP 2.4.11 with debian/testing. This what my config looks like: slapd.conf: [...] TLSCACertificateFile /etc/ssl/certs/ecentrum_cacert.pem TLSCertificateFile /etc/ldap/tls/openldap_cert.pem TLSCertificateKeyFile /etc/ldap/tls/openldap_key.pem TLSVerifyClient try [...] Slapd starts with these settings gladly, and with a client (eg. ldapsearch) without requesting TLS connection, I can get to the invalid credentials error (which is what I'm expecting now, this is just testing.). But with requesting TLS: $ cat ~/.ldaprc TLS_CACERT /etc/ssl/certs/ecentrum_cacert.pem $ ls -l /etc/ssl/certs/ecentrum_cacert.pem -rw-r--r-- 1 root root [...] /etc/ssl/certs/ecentrum_cacert.pem $ ldapsearch -d 1 -ZZWx '(objectclass=*)' \ -H ldap://fileserver.digiszfv:636 ldap_url_parse_ext(ldap://fileserver.digiszfv:636) ldap_create ldap_url_parse_ext(ldap://fileserver.digiszfv:636/??base) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP fileserver.digiszfv:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.1.3:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 31 bytes to sd 3 ldap_result ld 0x67e0b0 msgid 1 wait4msg ld 0x67e0b0 msgid 1 (infinite timeout) wait4msg continue ld 0x67e0b0 msgid 1 all 1 ** ld 0x67e0b0 Connections: * host: fileserver.digiszfv port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 27 11:07:53 2008 ** ld 0x67e0b0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x67e0b0 request count 1 (abandoned 0) ** ld 0x67e0b0 Response Queue: Empty ld 0x67e0b0 response count 0 ldap_chkResponseList ld 0x67e0b0 msgid 1 all 1 ldap_chkResponseList returns ld 0x67e0b0 NULL ldap_int_select read1msg: ld 0x67e0b0 msgid 1 all 1 ber_get_next ldap_free_connection 1 0 ldap_free_connection: actually freed ldap_err2string ldap_start_tls: Can't contact LDAP server (-1) Meanwhile on the server side: # tail -f syslog slapd[3779]: slap_listener_activate(9): slapd[3779]: >>> slap_listener(ldaps://fileserver.digiszfv:636/) slapd[3779]: connection_get(15): got connid=21 slapd[3779]: connection_read(15): checking for input on id=21 slapd[3779]: connection_read(15): TLS accept failure error=-1 id=21, closing slapd[3779]: connection_closing: readying conn=21 sd=15 for close slapd[3779]: connection_close: conn=21 sd=15 The log messages are so terse and/or cryptic, I simply can not figure out what could be wrong. Any help would be appreciated! Thanks! Daniel -- LEVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1

3 5

smbk5pwd segfault on AIX 5.3
by David Markey 30 Oct '08

30 Oct '08

I'm trying to get smbk5pwd to work on AIX 5.3(power 6) compiled with xlc, Have compiled most things from scratch, bdb, libtool, sasl. Openldap 2.4.12 slapd log: line 18 (argsfile /opt/csr/var/run/slapd/slapd.args) line 20 (loglevel 20) line 22 (modulepath /opt/csr/etc/openldap/smbk5pwd/.libs) line 23 (moduleload smbk5pwd) loaded module smbk5pwd Segmentation fault Im getting a segfault when the module is loaded. more info: (gdb) backtrace #0 0xd30afe58 in lutil_passwd_add () from /opt/csr/etc/openldap/smbk5pwd/.libs/smbk5pwd.so.0 #1 0xd30ae1d0 in smbk5pwd_initialize () at smbk5pwd.c:1022 #2 0x100e9454 in ?? () bash-3.2# ldd /opt/csr/etc/openldap/smbk5pwd/.libs/smbk5pwd.so.0 /opt/csr/etc/openldap/smbk5pwd/.libs/smbk5pwd.so.0 needs: /usr/lib/libc.a(shr.o) /opt/csr/lib/liblber.a(liblber-2.4.so.2) /opt/csr/lib/libkrb5.a(libkrb5.so.22) /opt/csr/lib/libkadm5srv.a(libkadm5srv.so.8) /opt/csr/lib/libldap_r.a(libldap_r-2.4.so.2) /usr/lib/libcrypto.a(libcrypto.so.0.9.8) /unix /usr/lib/libcrypt.a(shr.o) /opt/csr/lib/libroken.a(libroken.so.18) /opt/csr/lib/libasn1.a(libasn1.so.8) /opt/csr/lib/libcom_err.a(libcom_err.so.1) /opt/csr/lib/libhx509.a(libhx509.so.1) /opt/csr/lib/libhdb.a(libhdb.so.9) /usr/lib/libs.a(shr.o) /usr/lib/libpthread.a(shr_xpg5.o) /usr/lib/libssl.a(libssl.so.0.9.8) /opt/csr/lib/libldap.a(libldap-2.4.so.2) /usr/lib/libpthreads.a(shr_comm.o) I was just doing this as an experiment so its not essential this works. Would be nice though. Thanks.

1 0

Question to meta-backend / ldap-backend
by Wilhelm Meier 29 Oct '08

29 Oct '08

Hi, I think this is a relative simple question but I did not use the meta/ldap-backend before. We have an openldap-server for user authentification. The user bind as uid=<user>,ou=Benutzer,dc=kmux,dc=de where <user> is the actual username. We have a diffent application where only users of a special posixGroup "Archiv" should be valid. The application is not capable of doing some sort of filtering. So, I thought it must be passoble to do this filtering with the meta or ldap-backup using the original ldap-db: the filter should look like: (&(cn=Archiv)(memberUid=<user>)(objectClass=posixGroup)) where <user> is the username as above. Any hints? -- Wilhelm

4 10

OpenLDAP 2.4 syncrepl - Size limit exceeded error in consumer end
by Karthik Dathathri 29 Oct '08

29 Oct '08

I was trying to setup replication using syncrepl with openldap 2.4.11 on two machines running RHEL 5.0 The provider has approximately 1000 entries in the directory. On the consumer side, I am getting the following error after synchronization of around 500 records. Oct 14 16:35:59 osmvm2 slapd2.4[11727]: syncrepl_entry: rid=001 cn=Delfin Labarge,ou=Payroll,dc=example,dc=com Oct 14 16:35:59 osmvm2 slapd2.4[11727]: syncrepl_entry: rid=001 be_add (0) Oct 14 16:35:59 osmvm2 slapd2.4[11727]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT Oct 14 16:35:59 osmvm2 slapd2.4[11727]: do_syncrep2: rid=001 (4) Size limit exceeded I am using "refreshOnly" syncrepl in the consumer. The syncrepl user dn is uid=syncrepl,ou=System,dc=example,dc=com and added this dn as a member to a group called LDAPAdmins (cn=LDAPAdmins,ou=Groups,dc=example,dc=com) slapd.conf configuration at the consumer end is as follows: # Replicas running syncrepl as non-rootdn need unrestricted size/time limits: limits group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited #SyncRepl slave configuration syncrepl rid=001 provider=ldap://16.167.10.25 type=refreshOnly interval=00:00:05:00 searchbase="dc=example,dc=com" binddn="uid=syncrepl,ou=System,dc=example,dc=com" credentials=secret timelimit=unlimited sizelimit=unlimited slapd.conf configuration at the provider is as follows: #Global ACL for replication access to * by group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" read by anonymous read # syncprov index entryCSN,entryUUID eq # Replicas running syncrepl as non-rootdn need unrestricted size/time limits: limits group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited # ACL ensuring replicator has write access access to * by group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" write by * read #syncprov overlay configuration overlay syncprov syncprov-checkpoint 50 10 syncprov-sessionlog 100 Any pointers would be appreciated. If someone needs more information about the environment, please let me know. Thanks & Regards, Karthik ________________________________________________________________________ You are invited to Get a Free AOL Email ID. - http://webmail.aol.in

6 8

Support for "codice fiscale" syntax
by Pierangelo Masarati 29 Oct '08

29 Oct '08

I've developed a module that implements support for the syntax of "codice fiscale", the personal identification code used by the Italian government to uniquely identify citizen. I think it might be of general use, although possibly limited to Italian users, so I'd like to give it a somewhat official and unbiased OID, rather than one under my arc or SysNet's. Would it qualify as general enough for OpenLDAP's OID arc, at least while experimental? I believe the need for a dedicated syntax (as opposed to IA5string, printableString or so) is that its definition, although flawed, needs to conform to quite a few restrictions, and a syntax that allows to detect trivial errors and single out impossible values would be definitely helpful. I need the OID in order to submit code along with an ITS for contrib. An OID arc would be best, because the kit consists in: - a syntax - an equality matching rule (cfMatch) - an attribute spec (cf) - an auxiliary objectClass spec (cfObject) Please comment. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

4 5

Problems converting slapd.conf to a directory: i am desperated
by John Nietzsche 27 Oct '08

27 Oct '08

Dear list members, i am trying to convert slapd.conf to a directory. I am having problems trying to get it working. Here you have the output and slapd.conf i am working on: sioux@etosha$ slaptest -f slapd.conf -F /tmp/x; cat slapd.conf WARNING: No dynamic config support for database ldbm. WARNING: The converted cn=config directory is incomplete and may not work. ldbm_back_db_open: alock package is unstable; database may be inconsistent! config file testing succeeded include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema pidfile /asd/var/run/slapd.pid argsfile /asd/var/run/slapd.args idletimeout 1024 loglevel -1 # referral sizelimit 1024 timelimit 1024 backend ldbm database ldbm readonly off #replica #replogfile suffix "dc=cpd,dc=ufv,dc=br" rootdn "cn=Manager,dc=cpd,dc=ufv,dc=br" rootpw {SSHA}L+RsBLcsc846Bv/tTiEnBONIx3oTSPG5 #syncrepl #updatedn #updateref cachesize 1024 dbcachesize 1048576 #dbnolocking #dbnosync #dbsync <frequency> <maxdelays> <delayinterval> directory /asd/var/ldap index objectClass eq mode 0600

3 2

Re: Some entries not syncing to slave using syncrepl
by Robert Fitzpatrick 27 Oct '08

27 Oct '08

On Mon, 2008-10-27 at 14:28 +0000, andylockran wrote: > Robert Fitzpatrick wrote: > > I have setup a 2.3.43 master/slave using syncrepl, but some entries are > > not syncing. I have one entire tree (ou=Domains,dc=example,dc=com) and > > some entries under another certain tree not coming over to the slave. > > > > Here is my slapd.conf syncrepl entry on the slave with an ip address of > > 10.0.0.5... > > > > syncrepl rid=120 > > provider=ldap://10.0.0.6:389 > > type=refreshAndPersist > > interval=00:00:05:00 > > searchbase="dc=example,dc=com" > > filter="(objectClass=*)" > > scope=sub > > schemachecking=off > > bindmethod=simple > > binddn="uid=slurpd,ou=Services,dc=example,dc=com" > > credentials=password > > > > And in my master from slapd.conf... > > > > overlay syncprov > > syncprov-checkpoint 100 10 > > syncprov-sessionlog 100 > > > > My ACL does not contain any specific access for my Domains container, > > but at the bottom contains... > > > > access to * > > by sockurl.regex="^ldapi://%2fvar%2frun%2fopenldap%2fldapi/$" write > > by group.exact="cn=Administrators,dc=example,dc=com" write > > by self write > > by users read > > by peername=10.0.0.5 read > > by * read > > > > My slurpd uid is a member of the Administrators group entry. Using my > > Domains tree as an example, I can read the entry no problem... > > > > esmtp# ldapsearch -LLL -h 10.0.0.6 -D uid=slurpd,ou=Services,dc=example,dc=com -W "(ou=Domains)" dn > > Enter LDAP Password: > > dn: ou=Domains,dc=example,dc=com > > > > However, I have no Domains container in my slave :( > > > > esmtp# ldapsearch -LLL -h localhost -D uid=slurpd,ou=Services,dc=example,dc=com -W "(ou=Domains)" dn > > Enter LDAP Password: > > > > Can someone help me shed some light on this problem? > > > The filter (objectclass=*) isn't blocking it is it? Thanks. I have confirmed all to have objectClass defined, however, I removed the filter, stopped the server, deleted the directory folder and put back my DB_CONFIG, then restarted. Still, this one container and select entries beneath another container are not coming over to the master. But most entries in the directory are coming over and running the above ldapsearch from the slave pulls the entries on the master, no problem. Any other ideas? -- Robert

1 0

Some entries not syncing to slave using syncrepl
by Robert Fitzpatrick 26 Oct '08

26 Oct '08

I have setup a 2.3.43 master/slave using syncrepl, but some entries are not syncing. I have one entire tree (ou=Domains,dc=example,dc=com) and some entries under another certain tree not coming over to the slave. Here is my slapd.conf syncrepl entry on the slave with an ip address of 10.0.0.5... syncrepl rid=120 provider=ldap://10.0.0.6:389 type=refreshAndPersist interval=00:00:05:00 searchbase="dc=example,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="uid=slurpd,ou=Services,dc=example,dc=com" credentials=password And in my master from slapd.conf... overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 My ACL does not contain any specific access for my Domains container, but at the bottom contains... access to * by sockurl.regex="^ldapi://%2fvar%2frun%2fopenldap%2fldapi/$" write by group.exact="cn=Administrators,dc=example,dc=com" write by self write by users read by peername=10.0.0.5 read by * read My slurpd uid is a member of the Administrators group entry. Using my Domains tree as an example, I can read the entry no problem... esmtp# ldapsearch -LLL -h 10.0.0.6 -D uid=slurpd,ou=Services,dc=example,dc=com -W "(ou=Domains)" dn Enter LDAP Password: dn: ou=Domains,dc=example,dc=com However, I have no Domains container in my slave :( esmtp# ldapsearch -LLL -h localhost -D uid=slurpd,ou=Services,dc=example,dc=com -W "(ou=Domains)" dn Enter LDAP Password: Can someone help me shed some light on this problem?

1 0

testing symas with modrate and searchrate tools
by ELCIN HAKTANIR 24 Oct '08

24 Oct '08

Hi i have got 'symas-openldap-silver-2.4.11.0.sun4u.pkg' installed on System Configuration: Sun Microsystems sun4v Memory size: 32640 Megabytes System Peripherals (Software Nodes): SUNW,SPARC-Enterprise-T5220 i have got 1 million subscribers 1.97 GB size of data for *.bdb files. now my question is, i installed Sun Java Directory Server Enterprise Edition 6_3 on another identical machine and use its utility called 'searchrate' and 'modrate' for comparing these two servers' performances. But this command hungs my symas openLDAP instance .i can't use multiple threads for 'modrate' testing. here is my command that hungs my solserver instance. ./des/dsrk6/bin/modrate -h 192.168.43.45 -p 389 -D "cn=saadet,o=saadettest" -w admin234 -b "mobile=%s,ou=subscribers,o=saadettest" -i ./des/dsrk6/bin/numbers.txt -t40 -C 5 -M 'occupation:10:[A-Z]' The output is here: Avg r= 41.42/thr (331.40/sec), total= 1657 T0 blk, T1 blk, T2 blk, T3 blk, T4 blk, T5 blk, T6 blk, T7 blk, T8 blk, T9 blk, T10 blk, T11 blk, T12 blk, T13 blk, T14 blk, T15 blk, T16 blk, T17 blk, T18 blk, T19 blk, T20 blk, T21 blk, T22 blk, T23 blk, T24 blk, T25 blk, T26 blk, T27 blk, T28 blk, T29 blk, T30 blk, T31 blk, T32 blk, T33 blk, T34 blk, T35 blk, T36 blk, T37 blk, T38 blk, T39 blk Avg r= 0.00/thr ( 0.00/sec), total= 0 T0 blk, T1 blk, T2 blk, T3 blk, T4 blk, T5 blk, T6 blk, T7 blk, T8 blk, T9 blk, T10 blk, T11 blk, T12 blk, T13 blk, T14 blk, T15 blk, T16 blk, T17 blk, T18 blk, T19 blk, T20 blk, T21 blk, T22 blk, T23 blk, T24 blk, T25 blk, T26 blk, T27 blk, T28 blk, T29 blk, T30 blk, T31 blk, T32 blk, T33 blk, T34 blk, T35 blk, T36 blk, T37 blk, T38 blk, T39 blk Avg r= 0.00/thr ( 0.00/sec), total= 0 The question is why can't i use these two utility commands for openLDAP? What have i done wrong? -------------------------------------- Bu elektronik posta ve onunla iletilen bütün dosyalar gizlidir sadece yukarıda isimleri belirtilen kişiler arasında özel haberleşme amacını taşımaktadır. Size yanlışlıkla ulaşmıssa bu elektonik postanın içeriğini açıklamanız , kopyalamanız, yönlendirmeniz ve kullanmanız kesinlikle yasaktır. Lütfen mesajı geri gönderiniz ve sisteminizden siliniz. Vodafone Teknoloji Hizmetleri A.Ş. bu mesajın içeriği ile ilgili olarak hiç bir hukuksal sorumluluğu kabul etmez. This electonic mail and any files transmitted with it are intended for the private use of the persons named above. If you received this message in error, forwarding, copying or use of any of the information is strictly prohibited. Please immediately notify the sender and delete it from your system. Vodafone Teknoloji Hizmetleri A.S. does not accept legal responsibility for the contents of this message. --------------------------------------

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2008