openldap-software November 2008

openldap-software@openldap.org

43 participants
47 discussions

Re: unique_uri strict ?
by ghenry＠OpenLDAP.org 24 Nov '08

24 Nov '08

----- "Andrew Findlay" <andrew.findlay(a)skills-1st.co.uk> wrote: > On Mon, Nov 24, 2008 at 03:57:35PM +0000, Gavin Henry wrote: > > > > > unique_uri "<[strict ][ignore ]URI[URI...]...>" > > > > > > Well, the <> clearly indicates it's a single argument. Maybe an > > > example, or a remark, would help not overlooking it. > > > > That's fine then. I just misread that syntax. Leave as is. > > Hmm - I think the syntax is sufficiently unusual that an example and > note would save a lot of confusion. Well < > are used all over the docs, I just didn't pick up on it. > I am also wondering what happens when the URI itself would need > quoting when used alone - e.g. a URI with spaces in it. Do we need > to put quoted quotes inside the overall quotes, or is the one set > enough? Probably the same as any URI config line, until end of line? > It would also be worth adding a note about *when* the unique_uri > syntax became available (2.4.x). This sort of thing is useful when > doing upgrades and also as a reminder when dealing with configs > for older versions. I'm pretty sure it's been in 2.4 all along. It appeared "Tue Apr 10 00:38:54 2007" and 2.4 was out officially on 2007/10/31. So no worries there. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

1 0

Re: syncrepl refreshAdnPersist
by Gavin Henry 24 Nov '08

24 Nov '08

----- "Serge Dubrouski" <sergeyfd(a)gmail.com> wrote: > On Mon, Nov 24, 2008 at 9:41 AM, Gavin Henry > <ghenry(a)suretecsystems.com> wrote: > > > >> US Database has approximately 100000 records and GB Database has > >> approximately 70000 records. After a month of piloting this > >> infrastructure I noticed that shadows are missing about 10 records > >> for > >> US and GB database. Any idea what is wrong with this configuration > >> and > >> why not all records get populated from Master to Shadows? > >> > >> Thanks. > > > > It's hard to say without knowing the entries and data, but you are > two point release > > behind now that have had lots of replication fixes: > > Data is pretty simple though almost each record has binary data: a > user certificate or CRL. OK. > > http://www.openldap.org/software/release/changes.html > > Thanks, I'll take a look and try to upgrade. Great! > > What have you noticed on your logs? > > Nothing really, but my logging setting are pretty basic. What would > be > the best value for loglevel to catch problems like this one? sync and stats are good for replication and general monitoring: "loglevel sync stats" or "loglevel 16640" Thanks. -- Kind Regards, Gavin Henry. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP.

1 0

syncrepl refreshAdnPersist
by Serge Dubrouski 24 Nov '08

24 Nov '08

Hello - I'm trying to implement an OpenLDAP infrastructure with one Master Server supporting 4 databases and two Shadow Servers using syncrepl replication. I'm using OpenLDAP 2.4.11 and Berkeley DB 4.6.21 as backend DB. Configuration looks like this: Master: #US database database bdb suffix "c=US" rootdn "cn=admin,c=US" rootpw **** directory /var/lib/ldap/US checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq overlay syncprov syncprov-checkpoint 10 5 syncprov-sessionlog 200 #GB database database bdb suffix "c=GB" rootdn "cn=admin,c=GB" rootpw ******* directory /var/lib/ldap/GB checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq overlay syncprov syncprov-checkpoint 10 5 syncprov-sessionlog 200 database bdb suffix "c=JP" rootdn "cn=admin,c=JP" rootpw ******** directory /var/lib/ldap/JP checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq overlay syncprov syncprov-checkpoint 10 5 syncprov-sessionlog 200 #Corp database database bdb suffix "o=My Company." rootdn "cn=admin, o=My Company." rootpw ******* directory /var/lib/ldap/dst checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq overlay syncprov syncprov-checkpoint 10 5 syncprov-sessionlog 200 Shadow: #US database database bdb suffix "c=US" rootdn "cn=admin,c=US" rootpw ****** directory /var/lib/ldap/US checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq # Syncrepl syncrepl rid=11 provider=ldap://master.server type=refreshAndPersist interval=00:00:01:00 searchbase="c=US" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=admin,c=US" credentials=***** retry="60 10 300 +" #GB database database bdb suffix "c=GB" rootdn "cn=admin,c=GB" rootpw ******* directory /var/lib/ldap/GB checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq # Syncrepl syncrepl rid=12 provider=ldap://master.server type=refreshAndPersist interval=00:00:01:00 searchbase="c=GB" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=admin,c=GB" credentials=****** retry="60 10 300 +" #JP database database bdb suffix "c=JP" rootdn "cn=admin,c=JP" rootpw ****** directory /var/lib/ldap/JP checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq # Syncrepl syncrepl rid=13 provider=ldap://master.server type=refreshAndPersist interval=00:00:01:00 searchbase="c=JP" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=diradmin,c=JP" credentials=****** retry="60 10 300 +" #Corp database database bdb suffix "o=My Company." rootdn "cn=admin, o=Company." rootpw ****** directory /var/lib/ldap/corp checkpoint 1024 5 index objectClass eq index mail,cn,ou,o,c eq,pres,sub index serialNumber eq index uid eq index entryUUID eq index entryCSN eq # Syncrepl syncrepl rid=14 provider=ldap://master.server type=refreshAndPersist interval=00:00:01:00 searchbase="o=My Company." attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=admin, o=My Company." credentials=****** retry="60 10 300 +" US Database has approximately 100000 records and GB Database has approximately 70000 records. After a month of piloting this infrastructure I noticed that shadows are missing about 10 records for US and GB database. Any idea what is wrong with this configuration and why not all records get populated from Master to Shadows? Thanks. -- Serge Dubrouski.

3 2

Uninvited listener?
by Chris Evans 24 Nov '08

24 Nov '08

I am new to LDAP, and am trying to get OpenLDAP installed on a computer running SUSE 11.0. (Actually, I did this on two similarly configured machines with the same result.) Everything goes smoothly up until the "make test" step, which produces: >>>>> Starting test000-rootdse ... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to retrieve the root DSE... Waiting 5 seconds for slapd to start... [omitting repeats] ./scripts/test000-rootdse: line 66: kill: (4683) - No such process ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) >>>>> Test failed >>>>> ./scripts/test000-rootdse failed (exit 255) make[2]: *** [bdb-yes] Error 255 make[2]: Leaving directory `/usr/local/pkg/openldap/openldap-2.4.11/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/usr/local/pkg/openldap/openldap-2.4.11/tests' make: *** [test] Error 2 The file slapd1.l.log in tests/testrun ends with the following: >>> dnNormalize: <cn=Write> <<< dnNormalize: <cn=write> slapd starting daemon: listen(ldap://localhost:9011/, 5) failed errno=98 (Address already in use) slapd shutdown: initiated ====> bdb_cache_release_all slapd destroy: freeing system resources. slapd stopped. I found another thread on this list that suggested slapd might already be running, but in my case a check of processes found nothing including "slapd" or "ldap". I also found threads suggesting that this kind of error can be caused by IPv6, so I repeated everything with the option --enable-ipv6=no with the same result. I also tried adding the line ALL: ALL : ALLOW in hosts.allow, which didn't help either. Suggestions? Thanks.

3 2

Fwd: strange issue on suse 10.2
by Brett ＠Google 24 Nov '08

24 Nov '08

I am getting a strange problem on SuSE 10.2. When build RE24, approx since the last two releases, and make test fails (but the openldap itself works). laptop:/home/myuser/keep-ldap/openldap-src # make test cd tests; make test make[1]: Entering directory `/home/myuser/keep-ldap/openldap-src/tests' make[2]: Entering directory `/home/myuser/keep-ldap/openldap-src/tests' Initiating LDAP tests for BDB... Cleaning up test run directory leftover from previous run. Running ./scripts/all... >>>>> Executing all LDAP tests for bdb >>>>> Starting test000-rootdse ... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to retrieve the root DSE... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... ./scripts/test000-rootdse: line 66: kill: (28301) - No such process ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) >>>>> Test failed >>>>> ./scripts/test000-rootdse failed (exit 255) make[2]: *** [bdb-yes] Error 255 make[2]: Leaving directory `/home/myuser/keep-ldap/openldap-src/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/home/myuser/keep-ldap/openldap-src/tests' make: *** [test] Error 2 Looking at the slapd test output (does not get beyond the first test) : [..etc..] >>> dnNormalize: <cn=Uptime> <<< dnNormalize: <cn=uptime> >>> dnNormalize: <cn=Read> <<< dnNormalize: <cn=read> >>> dnNormalize: <cn=Write> <<< dnNormalize: <cn=write> slapd starting daemon: listen(ldap://localhost:9011/, 5) failed errno=98 (Address already in use) slapd shutdown: initiated ====> bdb_cache_release_all slapd destroy: freeing system resources. slapd stopped. There is no existing slapd process running, so i presume the test is trying to open two ldaps on the one port, or the test script is unable to detect that maybe the first slapd started, and tries again (and fails). There are no other slapd processes on port 9011, outside the test scripts, and not stray slapd processed are hanging around before i run make test. Note this is not a problem with the build as such, as i can make install the same compile and it works fine. configure options : CC=gcc CXX=g++ CPPFLAGS="-I/usr/local/openldap/include -I/usr/local/include" LDFLAGS="-L/usr/local/openldap/lib -L/usr/local/lib -R/usr/local/openldap/lib -R/usr/local/lib" ./configure --enable-ssl --with-threads --enable-slapd --enable-overlays --disable-sql --disable-ndb --disable-slapi --disable-ipv6 --prefix=/usr/local/openldap misc environmental options : laptop:/home/myuser/keep-ldap/openldap-src # which db_archive /usr/local/openldap/bin/db_archive laptop:/home/myuser/keep-ldap/openldap-src # echo $LD_LIBRARY_PATH /usr/local/openldap/lib laptop:/home/myuser/keep-ldap/openldap-src # echo $PATH /usr/local/openldap/bin:/home/myuser/bin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/games:/opt/kde3/bin:/usr/lib/mit/bin:/usr/lib/mit/sbin:/usr/lib/qt3/bin laptop:/home/myuser/keep-ldap/openldap-src # ldd servers/slapd/slapd linux-gate.so.1 => (0xffffe000) libdb-4.7.so => /usr/local/openldap/lib/libdb-4.7.so (0xb7f6e000) libpthread.so.0 => /lib/libpthread.so.0 (0xb7f35000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f1c000) libdl.so.2 => /lib/libdl.so.2 (0xb7f18000) libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7eed000) libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7ea7000) libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d63000) libresolv.so.2 => /lib/libresolv.so.2 (0xb7d50000) libc.so.6 => /lib/libc.so.6 (0xb7c0d000) /lib/ld-linux.so.2 (0xb80b4000) libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7b79000) libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7b53000) libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7b4f000) libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7b46000) libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7b42000) libz.so.1 => /lib/libz.so.1 (0xb7b2e000) Using bdb 4.7 (or 4.6 for that matter) with openldap HEAD (but same happens with RE24) and berkeleydb locking patch. Any thoughts would be welcome.. Cheers Brett

3 2

A better way for getting an ITS fix
by Maykel Moya 21 Nov '08

21 Nov '08

Just bitten by ITS#5794. As you could imagine I need to patch my server ASAP. That's what I did: 1. In the ITS page I see a message from hyc ack'ing the bug fix. 2. Have to dig openldap-commit message by message trying to hit days near hyc'message date 3. Got http://www.openldap.org/lists/openldap-commit/200811/msg00035.html saying passwd.c went from 1.141 to 1.142 and http://www.openldap.org/lists/openldap-commit/200811/msg00036.html saying passwd.c went from 1.142 to 1.143 4. Go to CVS web ui and request unidiff for passwd.c from 1.141 to 1.143. http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/passwd.c.diff?hideat… Questions: - Is there a way to have information that links 1 and 2 so I don't have to dig openldap-commit archive? - In case a fix spans several files how should I proceed? Regards, maykel --------------------------------------- Red Telematica de Salud - Cuba CNICM - Infomed

5 7

Another ACl question
by Emmanuel Dreyfus 21 Nov '08

21 Nov '08

Hello How can I specify that a set of users that have some attribute value set can modify an object? For instance, if I want users that march &(a1=v1)(a2=v2)(a3=v3), I can write this: access to ... by set.exact="user/a1 + user/a2 + user/a3 & [v1v2v3]" write I would bet money there is an easier way. Any suggestion? -- Emmanuel Dreyfus manu(a)netbsd.org

3 3

Remove overlay using cn=config
by Maykel Moya 21 Nov '08

21 Nov '08

slapd is giving me unwilling to perform when I try to delete an overlay (slapo-syncprov or slapo-accesslog) using cn=config. How can I delete them? Regards, maykel --------------------------------------- Red Telematica de Salud - Cuba CNICM - Infomed

3 2

Fine Master-to-slaves LDAP replication
by Proskurin Kirill 21 Nov '08

21 Nov '08

Hello all. I trying to make this: One central LDAP server with such sctructure: company -> city1 -> users -> samba users accaunts -> computers -> samba computers -> groups -> samba groups -> city2 -> same as above and so on. On slave LDAPs im will have such structure: city1 -> users -> samba users accaunts -> computers -> samba computers -> groups -> samba groups So I need to make such replication: LDAP on city1 replycate only information from master LDAP dc=city1 and sub containers. On centaral LDAP I use 2.4.11 version. On slave I use 2.3.43 with Syncrepl (because of some problems with nss_ldap and LDAP 2.4.x) Is something like this will work? syncrepl rid=123 provider=ldap://masterldapurl type=refreshAndPersist interval=0:0:01:00 retry="60 10 300 3" searchbase="dc=city1,dc=company" filter="(objectClass=*)" scope=sub attrs="*,+" schemachecking=off bindmethod=simple binddn=someauth updatedn=someauth credentials=somepass -- Best regards, Proskurin Kirill

1 0

problems with exporting/iimporting passwords
by thom_schu＠gmx.de 21 Nov '08

21 Nov '08

Hi everybody, we are installing a new ldap-server, because we need a new structure. so a simple export/import via slapcat/slapadd is not possible, because we need to change the object structure. I wrote a bash shell-script (we are working under suse), which exports the user datas via ldapsearch, builds the new objects and saves it in ldif-format. then I import the ldif-file via ldap-add in the new ldap-server. but when I want to import the ldif-file, ldapadd complains about 50 users (from 900 total), that they woud have an invalid format - the lines, which are invalid are always the userPassword-lines of this user. I tried already to extract this lines with slapcat, copied the extracted lines into my ldif-file, but still the same error. Is there any other way to export/import the password ? can it be a char-set problem ? I really dont know anymore, what else I could do..... thanks gizmo -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger

3 6

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software November 2008