Fwd: how to configure tls and ldap
by Alfonsas Stonis
Hi,
Thanks for the reply. I copied them to this directory. There should be no
problems with permissions. The thing is that when I first got the error message
I changed the permissions by giving all rights to everyone. It did not change
a thing.
Alfas
2008/12/11 Markus Wernig <listener(a)wernig.net>
> Hi
>
> You have either
> - set permissions on the certificates/keys that do not allow slapd to read
> them (check also directory permissions).
> or
> - /etc/ldap/ssl/demoCA/newreq.pem is not a RSA private key. This depends on
> how you created your certificate. If you followed the instructions in
> http://www.openldap.org/faq/data/cache/185.html, you should have your
> certificates and keys in a separate folder. The demoCA component in your
> path names shows that you seem to have created the CA under
> /etc/ldap/ssl/demoCA, which was probably not what you wanted (hint: don't
> run CA.sh from /etc/ldap/ssl).
>
> Please follow the instructions more closely and locate the following three
> files and verify that slapd has read access to them:
>
> 1) CA certificate
> 2) slapd's private key
> 3) slapd's certificate
>
> kind regards
> /markus
>
>
> Alfonsas Stonis wrote:
>
>> Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
>
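The two things Markus asks for above, read access for slapd and a key that really is a private key matching the certificate, can be checked without starting slapd. The script below is an added example by the editor, not code from the thread or from OpenLDAP: readable_by() walks every directory on the path with the permission bits slapd's uid/gid would be judged by (the "check also directory permissions" point), and check_tls_material() loads the CA file, certificate and key into a TLS server context exactly as slapd's TLS init does, so a wrong file type or a key/cert mismatch surfaces as a readable error instead of "TLS init def ctx failed". The demo material is generated with the openssl CLI, which is assumed to be installed; the file names mirror the posted paths but are otherwise arbitrary.

```python
import os
import ssl
import stat
import subprocess
import tempfile


def readable_by(path, uid, gids):
    """Would a process running as uid (member of gids) be able to open
    `path` for reading?  Every directory on the way needs search (x)
    permission and the file itself needs read (r) permission for that
    identity.  uid 0 bypasses the check, as the kernel does."""
    if uid == 0:
        return True
    chain = []
    node = os.path.abspath(path)
    while True:
        chain.append(node)
        parent = os.path.dirname(node)
        if parent == node:
            break
        node = parent
    for node in reversed(chain):          # from / down to the file
        st = os.stat(node)
        if st.st_uid == uid:
            bits = (st.st_mode >> 6) & 7
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7
        else:
            bits = st.st_mode & 7
        need = 1 if stat.S_ISDIR(st.st_mode) else 4   # x for dirs, r for the file
        if not bits & need:
            return False
    return True


def check_tls_material(cafile, certfile, keyfile):
    """Load the three files the way a TLS server context does.  Returns
    None when they are usable and the key matches the certificate,
    otherwise a string naming the file and the failure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except (ssl.SSLError, OSError) as exc:
        return "CA certificate %s: %s" % (cafile, exc)
    try:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    except (ssl.SSLError, OSError) as exc:
        return "certificate %s / key %s: %s" % (certfile, keyfile, exc)
    return None


def make_demo_material(directory):
    """Constructed test material: a throwaway CA and a server certificate
    signed by it, made with the openssl CLI (assumed to be installed)."""
    def openssl(*args):
        subprocess.run(["openssl", *args], check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    p = lambda name: os.path.join(directory, name)
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=demo-ca", "-keyout", p("cakey.pem"), "-out", p("cacert.pem"))
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=ldap.example.test",
            "-keyout", p("serverkey.pem"), "-out", p("server.csr"))
    openssl("x509", "-req", "-days", "1", "-in", p("server.csr"),
            "-CA", p("cacert.pem"), "-CAkey", p("cakey.pem"), "-CAcreateserial",
            "-out", p("servercrt.pem"))
    return p("cacert.pem"), p("servercrt.pem"), p("serverkey.pem"), p("cakey.pem")


def self_check():
    """Exercise both checks on the constructed material and return the
    results as a dict (None / True mean 'fine')."""
    with tempfile.TemporaryDirectory() as d:
        ca, crt, key, other_key = make_demo_material(d)
        os.chmod(d, 0o700)                 # only the owner can search it
        os.chmod(key, 0o600)
        uid, gid = os.getuid(), os.getgid()
        return {
            "good": check_tls_material(ca, crt, key),
            "wrong_key": check_tls_material(ca, crt, other_key),   # key/cert mismatch
            "cert_as_key": check_tls_material(ca, crt, crt),       # not a private key
            "owner_reads": readable_by(key, uid, [gid]),
            "other_reads": readable_by(key, uid + 1, [gid + 1]),   # e.g. slapd's own uid
        }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # usage: script.py cacert.pem servercrt.pem serverkey.pem
        print(check_tls_material(*sys.argv[1:]) or "TLS material loads cleanly")
    else:
        print(self_check())
```

Run it with the three paths from slapd.conf to see the real error text; for the permission question, pass the uid and gids of the account slapd runs as to readable_by() rather than running the script as that account.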
Unable do slapadd a LDIF dump from slapd 2.2.6 to slapd 2.4.9
by Markus Wernig
Hello all!
In the process of upgrading slapd from 2.2.6 to 2.4.9 (Ubuntu 6.06 to
8.04), I get the following error when trying to import the LDIF dump
from the old server:
# slapadd -b "o=Company Name,c=CH" -l dump.from.2.2.6.ldif
slapadd: dn="o=Company Name,c=CH" (line=1): (65) no structural object
class provided
(same result if I skip the -b "o=Company Name,c=CH")
slapd.conf has not been altered during the upgrade and contains:
[...]
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
[...]
database bdb
suffix "O=Company Name, C=CH"
checkpoint 512 30
directory "/var/lib/ldap"
rootdn "cn=root, O=Company Name, C=CH"
rootpw XXX
index objectClass eq
[...]
The first entry in the LDIF dump is:
dn: o=Company Name,c=CH
objectClass: top
entryUUID: ...
creatorsName: cn=root,o=Company Name,c=CH
modifiersName: cn=root,o=Company Name,c=CH
createTimestamp: 20071214103903Z
modifyTimestamp: 20071214103903Z
entryCSN: 20071214103903Z#000001#00#000000
(This directory contains only X.509 CRLs and certificates.)
From the error I assumed that for some reason the "top" objectclass was
not correctly defined. In core.schema I found the following new entry
from RFC2256, which was commented out:
#objectclass ( 2.5.6.0 NAME 'top'
# DESC 'RFC2256: top of the superclass chain'
# ABSTRACT
# MUST objectClass )
After uncommenting, though, the error is:
slapadd -b "o=Company Name,c=CH" -l dump.from.2.2.6.ldif
/etc/ldap/schema/core.schema: line 366 objectclass: Duplicate
objectClass: "2.5.6.0"
slapadd: bad configuration file!
Yet, no other schema file contains any definition for 2.5.6.0, so I
assume that it's compiled into slapd.
This leaves me stuck, scratching my head, and extremely grateful for any
hint on where to look further.
Thank you all
krgds /markus
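The entry slapadd rejects above carries only objectClass: top, and top is an ABSTRACT class (which is why the schema file shows it commented out: slapd has it built in, hence the "Duplicate objectClass" once it is uncommented). Since 2.4 slapadd insists that every entry have a STRUCTURAL class; for an o= entry that is normally organization, which is the editor's observation, not an answer from the thread. The script below, an added example and not code from the post or from OpenLDAP, parses an LDIF dump (unfolding continuation lines and decoding :: base64 values) and lists the entries that would fail this check before you run slapadd. The class table is a hand-written subset of the schema files included in the posted slapd.conf and is an assumption to extend for your own schema; the sample LDIF is constructed to resemble the posted dump.

```python
import base64

# Kind of each objectClass: abstract, structural or auxiliary.  Hand-written
# subset of core/cosine/nis/inetorgperson (assumption: extend for your schema).
KINDS = {
    "top": "abstract",
    "organization": "structural",
    "organizationalunit": "structural",
    "person": "structural",
    "organizationalperson": "structural",
    "inetorgperson": "structural",
    "posixaccount": "auxiliary",
    "shadowaccount": "auxiliary",
    "posixgroup": "structural",
    "groupofnames": "structural",
    "domain": "structural",
    "dcobject": "auxiliary",
}


def parse_ldif(text):
    """Return a list of (dn, attrs) from LDIF text.  Folded lines (leading
    space) are unfolded and '::' values are base64-decoded; attrs maps the
    lowercased attribute name to its list of string values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # continuation of previous line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:                 # sentinel flushes the last entry
        if line == "":
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            cur = (value, {})
        elif cur is not None:
            cur[1].setdefault(name.lower(), []).append(value)
    return entries


def missing_structural(entries, kinds=KINDS):
    """Return [(dn, reason)] for every entry whose objectClass values
    contain no structural class, which is what slapadd 2.4 rejects with
    'no structural object class provided'.  Classes absent from `kinds`
    are reported separately rather than guessed at."""
    problems = []
    for dn, attrs in entries:
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        unknown = [c for c in classes if c not in kinds]
        if unknown:
            problems.append((dn, "objectClass not in table: " + ", ".join(unknown)))
        elif not any(kinds[c] == "structural" for c in classes):
            problems.append((dn, "no structural objectClass (has: %s)" % ", ".join(classes)))
    return problems


# Constructed sample modelled on the dump in the post, not the real file.
SAMPLE = """\
dn: o=Company Name,c=CH
objectClass: top
entryUUID: 00000000-0000-0000-0000-000000000000
createTimestamp: 20071214103903Z

dn: ou=certs,o=Company Name,c=CH
objectClass: top
objectClass: organizationalUnit
ou: certs
description: certificate store
  for the company

dn: cn=Alice Example,ou=certs,o=Company Name,c=CH
objectClass: top
objectClass: inetOrgPerson
cn:: QWxpY2UgRXhhbXBsZQ==
sn: Example
"""

if __name__ == "__main__":
    import sys   # usage: script.py dump.ldif (defaults to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for dn, reason in missing_structural(parse_ldif(text)):
        print("%s: %s" % (dn, reason))
```

On the sample only the root entry is reported; the organizationalUnit and inetOrgPerson entries each carry a structural class. Running it over the real dump tells you whether the root entry is the only one to amend before re-running slapadd.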
Updating a private schema (cn=config)?
by Andrzej Jan Taramina
I need to update one of our internal LDAP schemas, but am not sure of the best process to use. I haven't managed to find
any info on this, especially using the newer cn=config configuration. I'm using the latest Ubuntu Intrepid OpenLDAP
version (2.4.11).
I've tried deleting the schema, but keep getting a "server won't allow" error. Deleting all my LDAP entries doesn't help
with that. It seems that once you have a schema defined you can't delete it, either using a GUI tool like Luma or using LDIF
directives with OpenLDAP running.
Do I just shut down my LDAP server, delete the entry in the cn=config directory, then re-install the new schema version?
What about any entries that depend on the schema? Will they be affected? That is, do I need to delete them all and
re-add them? I guess it would help if I knew when a schema is actually used (e.g. only at add/modify time, or are there links
from the entries that are used at other times?).
Thanks for the advice...
--
Andrzej Taramina
Chaeron Corporation: Enterprise System Solutions
http://www.chaeron.com
2.4.13 update troubles
by Emmanuel Dreyfus
Hello
Upgrading to 2.4.13 is troublesome for me.
slapadd eats the top object, then a bunch of organizationalUnit children,
and it hangs on the first inetOrgPerson. A kernel trace shows that slapd
loops on a select(0, NULL, NULL, NULL, &something) system call.
With the -q flag, slapadd manages to load the whole tree. But slapd will
hang in the same null select loop on the first search request.
I had to downgrade back to 2.4.11, as 2.4.13 was just unable to answer
requests.
It also seems slapd is still unable to reload an accesslog database, but
IIRC this is an old problem:
str2entry: invalid value for attributeType reqControls #0 (syntax
1.3.6.1.4.1.4203.666.11.5.3.1)
slapadd: could not parse entry (line=41025)
--
Emmanuel Dreyfus
manu(a)netbsd.org
Re: syncrepl breaks on fax attribute removal
by Will Nowak
On this subject, has anyone packaged 2.4.13 for Ubuntu Hardy? We've
got to upgrade our cluster from 2.4.9. I am happy to do this myself,
but if someone else already has...
Thanks,
-Will
On Tue, Dec 9, 2008 at 1:08 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, December 09, 2008 5:57 PM +0000 Emmanuel Dreyfus
> <manu(a)netbsd.org> wrote:
>
>> On Tue, Dec 09, 2008 at 09:52:14AM -0800, Quanah Gibson-Mount wrote:
>>>>
>>>> It's 2.4.11. A bit behind, I will upgrade to have this fixed.
>>>
>>> Please keep replies on the list. :)
>>
>> Sorry.
>>
>>> It was fixed in 2.4.13:
>>> Fixed slapd syncrepl MOD of attrs with no EQ rule (ITS#5781)
>>
>> Is that a master or replica bug? Which one must be upgraded in order
>> to have the problem addressed?
>
> slapo-syncprov is (generally) the master bits. So this would be a replica
> side fix. Of course, there were plenty of fixes to slapo-syncprov too by
> 2.4.13, so you may want to upgrade both. :P
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
Re: syncrepl breaks on fax attribute removal
by Quanah Gibson-Mount
--On Tuesday, December 09, 2008 5:46 PM +0000 Emmanuel Dreyfus
<manu(a)netbsd.org> wrote:
> On Tue, Dec 09, 2008 at 09:43:50AM -0800, Quanah Gibson-Mount wrote:
>> What release? I thought this was fixed.
>
> It's 2.4.11. A bit behind, I will upgrade to have this fixed.
Please keep replies on the list. :)
It was fixed in 2.4.13:
Fixed slapd syncrepl MOD of attrs with no EQ rule (ITS#5781)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
syncrepl breaks on fax attribute removal
by Emmanuel Dreyfus
Hello
facsimileTelephoneNumber has no equality matching rule. This makes it
a bit difficult to remove. ldapvi will complain because:
ldap_modify: Inappropriate matching (18)
additional info: modify/delete: facsimileTelephoneNumber: no
equality matching rule
Using ldapmodify, it is possible to delete all facsimileTelephoneNumber
attributes, but then the replicas get out of sync:
null_callback : error code 0x12
syncrepl_entry: rid=217 be_modify failed (18)
do_syncrepl: rid=217 retrying
I have to destroy the replicas' database and resync from scratch.
Kind of silly, isn't it? Is this issue known?
--
Emmanuel Dreyfus
manu(a)netbsd.org
Re: Replication failing and not retrieving all entries
by Quanah Gibson-Mount
--On Tuesday, December 09, 2008 8:18 AM -0200 Gustavo Lima
<gustavopml(a)gmail.com> wrote:
> 2008/12/8, Quanah Gibson-Mount <quanah(a)zimbra.com>:
>
>> --On Monday, December 08, 2008 4:21 PM -0200 Gustavo Lima
>> <gustavopml(a)gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> Can anyone help us with this one?
>>
>> Use a current release.
>
> Unfortunately I do not have this option. Only the Debian Lenny release. Any
> other clue?
No. Keep replies to the list. You asked for help with what to do, and I
gave you the only really usable advice. I suggest you go and read the
changelogs, for example, between the release you are on, and the final
OpenLDAP 2.3 series release, OpenLDAP 2.3.43 release. There were many
major fixes to replication that occurred. The release in lenny
unfortunately has a number of bugs. If what you want is to run a
production LDAP service, you're going to need to know how to maintain the
LDAP software.
I also advise reading:
<http://www.openldap.org/faq/data/cache/1456.html>
Regards,
Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
dynlist-overlay and requesting an attribute
by Wilhelm Meier
Hi,
I have a problem with the dynlist overlay:
when I request all attributes of an object, the dynlist expansion is
done:
kmux-ldap:~# ldapsearch -LLL -x '(uid=kmux.admin)'
dn: uid=kmux.admin,ou=Benutzer,dc=kmux,dc=de
objectClass: inetLocalMailRecipient
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: kmuxAccount
labeledURI: ldap:///ou=Gruppen,dc=kmux,dc=de??one?(&(objectClass=posixGroup)(memberUid=kmux.admin))
labeledURI: ldap:///ou=Gruppen,dc=kmux,dc=de??one?(&(objectClass=posixGroup)(gidNumber=999))
member: cn=VPN,ou=Gruppen,dc=kmux,dc=de
member: cn=Drucker,ou=Gruppen,dc=kmux,dc=de
member: cn=Hauptbenutzer,ou=Gruppen,dc=kmux,dc=de
member: cn=CMS,ou=Gruppen,dc=kmux,dc=de
member: cn=ERP,ou=Gruppen,dc=kmux,dc=de
member: cn=cdrom,ou=Gruppen,dc=kmux,dc=de
member: cn=plugdev,ou=Gruppen,dc=kmux,dc=de
member: cn=audio,ou=Gruppen,dc=kmux,dc=de
member: cn=Administratoren,ou=Gruppen,dc=kmux,dc=de
(excuse for the line wrapping)
(some attributes are not shown)
If I request the attribute "member" I get an empty search result:
kmux-ldap:~# ldapsearch -LLL -x '(uid=kmux.admin)' member
dn: uid=kmux.admin,ou=Benutzer,dc=kmux,dc=de
Any hints?
--
Wilhelm
Replication failing and not retrieving all entries
by Gustavo Lima
Hi All,
I have a big network with one master OpenLDAP 2.3.30 running on Debian Etch,
fully updated.
I have 27 other consumers using refreshAndPersist replication, working
100% fine with one exception.
This exception has the same configuration as all the other servers. I have
already changed the WAN provider (it was planned anyway), the switch
the server is connected to, the network cable, the whole server, and nothing
seems to change the strange behaviour.
What happens is that this specific machine does not receive all 8323 objects
from the master. In debug mode it does not show any error. OpenLDAP
simply thinks the replication has finished. Then some seconds later it starts
replicating again, but not from the point where it stopped. The best I have got is 5217
objects replicated.
My conf on this server was copied from another working installation, with only
the "rid" changed.
This is my conf:
#######################################################################
# SCHEMAS
#######################################################################
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
#######################################################################
# GENERAL
#######################################################################
#allow bind_v2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 4 64 16384
sizelimit 20000
tool-threads 1
#######################################################################
# MODULES
#######################################################################
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
#######################################################################
# BACKEND
#######################################################################
backend bdb
checkpoint 512 30
#######################################################################
# DATABASE
#######################################################################
database bdb
suffix "dc=company"
rootdn "cn=replicator,dc=company"
rootpw {SSHA}password
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
lastmod on
######################################################################
# ACL
######################################################################
access to dn.base=""
by * read
access to *
by dn="cn=admin,dc=company" write
by dn="cn=replicator,dc=company" write
by * read
access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
by dn="cn=admin,dc=company" write
by dn="cn=replicator,dc=company" write
by self write
by anonymous auth
by * none
######################################################################
# TLS
######################################################################
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCertificateFile /etc/ldap/certs/servercrt.pem
TLSCertificateKeyFile /etc/ldap/certs/serverkey.pem
TLSVerifyClient never
######################################################################
# REPLICATION
######################################################################
syncrepl rid=51
provider=ldaps://ldap
bindmethod=simple
binddn="cn=replicator,dc=company"
credentials=password
searchbase="dc=company"
schemachecking=off
type=refreshAndPersist
retry="30 30 600 72"
######################################################################
# Indices
######################################################################
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index memberUid eq,subinitial
index mail eq,subinitial
index givenname eq,subinitial
index uidNumber eq
index gidNumber eq
index entryUUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq
index sambaGroupType eq
index sambaSIDList eq
index uniqueMember eq
index entryCSN eq
When the replication stops the log just shows:
Dec 8 15:55:09 mg slapd[6529]: syncrepl_entry:
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Dec 8 15:55:09 mg slapd[6529]: bdb_idl_fetch_key: [7cdee34d]
Dec 8 15:55:09 mg slapd[6529]: send_ldap_result: err=0 matched="" text=""
Dec 8 15:55:09 mg slapd[6529]: syncrepl_entry: be_search (0)
Dec 8 15:55:09 mg slapd[6529]:
syncrepl_entry: uid=pr0239$,ou=maquinas,dc=matriz,dc=company
Dec 8 15:55:09 mg slapd[6529]: do_syncrep2: LDAP_RES_SEARCH_RESULT
Dec 8 15:55:09 mg slapd[6529]: connection_get(39)
Note that the first line says LDAP_SYNC_ADD and not LDAP_SYNC_MODIFY,
even though this user is already loaded.
Can anyone help us with this one?
Thanks in advance.
Gustavo
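Aside from the replication problem, the posted TLSCipherSuite line deserves a look, because OpenSSL cipher-list syntax does not do what the string seems to intend: a "+" prefix only moves matching suites to the end of the preference list, it does not remove them, and "ALL" already includes every LOW, EXP and RC4 suite the library was built with (OpenSSL 1.1.0 and later no longer ship EXPORT and LOW suites, so those keywords match nothing there; the syntax also differs if slapd was built against GnuTLS instead). The following is an added check by the editor, not from the thread or from OpenLDAP: it parses a cipher string into its modifiers, reports which keywords leave weak suites enabled, and shows why appending "!" entries is the only way to make such a string safe. The weak-class list and the hardened string at the end are the editor's suggestions.

```python
# Cipher-list keywords that select obsolete or low-strength suites
# (editor's list; adjust to local policy).
WEAK = {"LOW", "EXP", "EXPORT", "RC4", "DES", "3DES", "MD5",
        "SSLv2", "SSLv3", "ADH", "aNULL", "eNULL", "NULL"}

# The TLSCipherSuite value from the posted slapd.conf.
POSTED = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP"


def parse_cipher_string(s):
    """Split an OpenSSL cipher string into (modifier, keyword) pairs.
    Modifier '' adds suites, '+' only moves matching suites to the end of
    the list, '-' removes them (a later keyword can add them back) and '!'
    removes them permanently.  'A+B' is one keyword meaning A and B."""
    out = []
    for tok in s.split(":"):
        tok = tok.strip()
        if tok:
            mod = tok[0] if tok[0] in "+-!" else ""
            out.append((mod, tok[len(mod):]))
    return out


def weak_selections(s):
    """Keywords in s that leave weak suites enabled: any non-'!'/'-'
    keyword naming a weak class that is not killed elsewhere, and ALL /
    COMPLEMENTOFDEFAULT while any weak class remains unkilled."""
    parsed = parse_cipher_string(s)
    killed = set()
    for mod, kw in parsed:
        if mod == "!":
            killed.update(kw.split("+"))
    findings = []
    for mod, kw in parsed:
        if mod in ("!", "-"):
            continue
        parts = kw.split("+")
        if any(p in WEAK and p not in killed for p in parts):
            findings.append(kw)
        elif kw in ("ALL", "COMPLEMENTOFDEFAULT") and WEAK - killed:
            findings.append(kw)
    return findings


def kill_weak(s):
    """Append a '!' entry for every weak class the string names without
    killing, so '+LOW'-style entries stop being no-ops.  ALL still needs
    its own treatment, as weak_selections() will keep reporting."""
    parsed = parse_cipher_string(s)
    killed = {p for mod, kw in parsed if mod == "!" for p in kw.split("+")}
    extra = []
    for mod, kw in parsed:
        for p in kw.split("+"):
            if mod != "!" and p in WEAK and p not in killed and p not in extra:
                extra.append(p)
    return ":".join([s] + ["!" + p for p in extra])


# Editor's suggested replacement: start from the strong set and kill the
# classes that must never be negotiated, instead of starting from ALL.
HARDENED = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("killed", kill_weak(POSTED)),
                         ("hardened", HARDENED)):
        print("%-8s %s\n         weak: %s" % (label, value, weak_selections(value)))
```

Whatever string you settle on, confirm what the library actually resolves it to with `openssl ciphers -v 'STRING'`; the linter reasons about keywords, the library about the suites it was built with.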