openldap-software December 2008

openldap-software@openldap.org

45 participants
42 discussions

Fwd: how to configure tls and ldap
by Alfonsas Stonis 11 Dec '08

11 Dec '08

Hi, Thanks for replay. I copied them to this directory. There should be no problems with permissions. The thing is that when I first got error message I changed permission to by giving all rights to everyone. It did not changed a thing. Alfas 2008/12/11 Markus Wernig <listener(a)wernig.net> Hi > > You have either > - set permissions on the certificates/keys that do not allow slapd to read > them (check also directory permissions). > or > - /etc/ldap/ssl/demoCA/newreq.pem is not a RSA private key. This depends on > how you created your certificate. If you followed the instructions in > http://www.openldap.org/faq/data/cache/185.html, you should have your > certificates and keys in a separate folder. The demoCA component in your > path names shows that you seem to have created the CA under > /etc/ldap/ssl/demoCA, which was probably not what you wanted (hint: don't > run CA.sh from /etc/ldap/ssl). > > Please follow the instructions more closely and locate the following three > files and verify that slapd has read access to them: > > 1) CA certificate > 2) slapd's private key > 3) slapd's certificate > > kind regards > /markus > > > Alfonsas Stonis wrote: > > Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34 >> >

1 0

Unable do slapadd a LDIF dump from slapd 2.2.6 to slapd 2.4.9
by Markus Wernig 11 Dec '08

11 Dec '08

Hello all! In the process of upgrading slapd from 2.2.6 to 2.4.9 (ubuntu 6.06 to 8.04), I get the following error when trying to import the LDIF dump from the old server: # slapadd -b "o=Company Name,c=CH" -l dump.from.2.2.6.ldif slapadd: dn="o=Company Name,c=CH" (line=1): (65) no structural object class provided (same result if I skip the -b "o=Company Name,c=CH") slapd.conf has not been altered during the upgrade and contains: [...] include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema [...] database bdb suffix "O=Company Name, C=CH" checkpoint 512 30 directory "/var/lib/ldap" rootdn "cn=root, O=Company Name, C=CH" rootpw XXX index objectClass eq [...] The first entry in the LDIF dump is: dn: o=Company Name,c=CH objectClass: top entryUUID: ... creatorsName: cn=root,o=Company Name,c=CH modifiersName: cn=root,o=Company Name,c=CH createTimestamp: 20071214103903Z modifyTimestamp: 20071214103903Z entryCSN: 20071214103903Z#000001#00#000000 (This directory contains only x.509 CRLs and certificates.) From the error I assumed that for some reason the "top" objectclass was not correctly defined. In core.schema I found the following new entry from RFC2256, which was commented out: #objectclass ( 2.5.6.0 NAME 'top' # DESC 'RFC2256: top of the superclass chain' # ABSTRACT # MUST objectClass ) After uncommenting, though, the error is: slapadd -b "o=Company Name,c=CH" -l dump.from.2.2.6.ldif /etc/ldap/schema/core.schema: line 366 objectclass: Duplicate objectClass: "2.5.6.0" slapadd: bad configuration file! Yet, no other schema file contains any definition for 2.5.6.0, so I assume that it's compiled into slapd. This leaves me stuck, scratching my head, and extremely grateful for any hint on where to look further. Thank you all krgds /markus

5 5

Updating a private schema (cn=config)?
by Andrzej Jan Taramina 10 Dec '08

10 Dec '08

I need to update one of our internal LDAP schemas, but am not sure of the best process to use. Haven't managed to find any info on this, especially using the newer cn=config configuration stuff. Using the latest Ubuntu Intrepid OpenLDAP version (2.4.11) I've tried deleting the schema, but keep getting a "server won't allow" error. Deleting all my LDAP entries doesn't help that. It seems that once you have a schema defined you can't delete it using a GUI tool like Luma nor using LDIF directives with OpenLDAP running. Do I just shut down my LDAP server, and delete the entry in the cn=config directory, then re-install the new schema version? What about any entries that depend on the schema? Will they be affected...that is, do I need to delete them all and re-add them? I guess if I knew when a schema is actually used (eg. only at add/modify times....or are there links to from the entries that are used at other times?) it would help? Thanks for the advice... -- Andrzej Taramina Chaeron Corporation: Enterprise System Solutions http://www.chaeron.com

3 2

2.4.13 update troubles
by Emmanuel Dreyfus 10 Dec '08

10 Dec '08

Hello Upgrading to 2.4.13 is troublesome at mine slapadd eats the top object, then a bunch of children organizationalUnit, and it hangs on the first inetOrgPerson. A kernel trace shows that slapd loops on a select(0, NULL, NULL NULL, &something) system call. With the -q flag, slapadd manages to load the whole tree. But slapd will hang in the same null select loop on the first search request. I had to downgrade back to 2.4.11, as 2.4.13 was just unable to answer requests. It also seems slapd is still unable to reload an accesslog database, but IIRC? this is an old problem: str2entry: invalid value for attributeType reqControls #0 (syntax 1.3.6.1.4.1.4203.666.11.5.3.1) slapadd: could not parse entry (line=41025) -- Emmanuel Dreyfus manu(a)netbsd.org

3 4

Re: syncrepl breaks on fax attribute removal
by Will Nowak 09 Dec '08

09 Dec '08

On this subject, has anyone packaged 2.4.13 for Ubuntu Hardy? We've got to upgrade our cluster from 2.4.9 -- I am happy to do this myself, but if someone else has... Thanks, -Will On Tue, Dec 9, 2008 at 1:08 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, December 09, 2008 5:57 PM +0000 Emmanuel Dreyfus > <manu(a)netbsd.org> wrote: > >> On Tue, Dec 09, 2008 at 09:52:14AM -0800, Quanah Gibson-Mount wrote: >>>> >>>> It's 2.4.11. A bit behind, I will upgrade to have this fixed. >>> >>> Please keep replies on the list. :) >> >> Sorry. >> >>> It was fixed in 2.4.13: >>> Fixed slapd syncrepl MOD of attrs with no EQ rule (ITS#5781) >> >> Is that a master or replica bug? Which one must be upgraded in order >> to have the problem addressed? > > slapo-syncprov is (generally) the master bits. So this would be a replica > side fix. Of course, there were plenty of fixes to slapo-syncprov too by > 2.4.13, so you may want to upgrade both. :P > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

Re: syncrepl breaks on fax attribute removal
by Quanah Gibson-Mount 09 Dec '08

09 Dec '08

--On Tuesday, December 09, 2008 5:46 PM +0000 Emmanuel Dreyfus <manu(a)netbsd.org> wrote: > On Tue, Dec 09, 2008 at 09:43:50AM -0800, Quanah Gibson-Mount wrote: >> What release? I thought this was fixed. > > It's 2.4.11. A bit behind, I will upgrade to have this fixed. Please keep replies on the list. :) It was fixed in 2.4.13: Fixed slapd syncrepl MOD of attrs with no EQ rule (ITS#5781) --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

2 2

syncrepl breaks on fax attribute removal
by Emmanuel Dreyfus 09 Dec '08

09 Dec '08

Hello facsimileTelephoneNumber has no equality matching rule. This makes it a bit difficult to remove. ldapvi will compain because: ldap_modify: Inappropriate matching (18) additional info: modify/delete: facsimileTelephoneNumber: no equality matching rule Using ldapmodify, it is possible to delete all facsimileTelephoneNumber attributes, but then, replicas get out of sync: null_callback : error code 0x12 syncrepl_entry: rid=217 be_modify failed (18) do_syncrepl: rid=217 retrying I have to destroy the replicas database and get the resync from scratch. Kind of silly, isn't it? Is that issue known? -- Emmanuel Dreyfus manu(a)netbsd.org

2 1

Re: Replication failling and not retrieving all entries
by Quanah Gibson-Mount 09 Dec '08

09 Dec '08

--On Tuesday, December 09, 2008 8:18 AM -0200 Gustavo Lima <gustavopml(a)gmail.com> wrote: > > > 2008/12/8, Quanah Gibson-Mount <quanah(a)zimbra.com>: > > --On Monday, December 08, 2008 4:21 PM -0200 Gustavo Lima > <gustavopml(a)gmail.com> wrote: > > > > Hi All, > > Anyone can help us with this one? > > > Use a current release. > > > > Unfortunally I do not have this option. Only on Debian Lenny release. Any > other clue? No. Keep replies to the list. You asked for help with what to do, and I gave you the only really usable advice. I suggest you go and read the changelogs, for example, between the release you are on, and the final OpenLDAP 2.3 series release, OpenLDAP 2.3.43 release. There were many major fixes to replication that occurred. The release in lenny unfortunately has a number of bugs. If what you want is to run a production LDAP service, you're going to need to know how to maintain the LDAP software. I also advise reading: <http://www.openldap.org/faq/data/cache/1456.html> Regards, Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

dynlist-overlay and requesting an attribute
by Wilhelm Meier 08 Dec '08

08 Dec '08

Hi, I have a problem with the dynlist overlay: when I request all attributes of an object, the dynlist expansion is done: kmux-ldap:~# ldapsearch -LLL -x '(uid=kmux.admin)' dn: uid=kmux.admin,ou=Benutzer,dc=kmux,dc=de objectClass: inetLocalMailRecipient objectClass: sambaSamAccount objectClass: shadowAccount objectClass: posixAccount objectClass: inetOrgPerson objectClass: kmuxAccount labeledURI: ldap:///ou=Gruppen,dc=kmux,dc=de??one? (&(objectClass=posixGroup)(memberUid=kmux.admin)) labeledURI: ldap:///ou=Gruppen,dc=kmux,dc=de??one? (&(objectClass=posixGroup)(gidNumber=999)) member: cn=VPN,ou=Gruppen,dc=kmux,dc=de member: cn=Drucker,ou=Gruppen,dc=kmux,dc=de member: cn=Hauptbenutzer,ou=Gruppen,dc=kmux,dc=de member: cn=CMS,ou=Gruppen,dc=kmux,dc=de member: cn=ERP,ou=Gruppen,dc=kmux,dc=de member: cn=cdrom,ou=Gruppen,dc=kmux,dc=de member: cn=plugdev,ou=Gruppen,dc=kmux,dc=de member: cn=audio,ou=Gruppen,dc=kmux,dc=de member: cn=Administratoren,ou=Gruppen,dc=kmux,dc=de (excuse for the line wrapping) (some attributes are not shown) If I request the attribute "member" I get an empty search result: kmux-ldap:~# ldapsearch -LLL -x '(uid=kmux.admin)' member dn: uid=kmux.admin,ou=Benutzer,dc=kmux,dc=de Any hints? -- Wilhelm

2 4

Replication failling and not retrieving all entries
by Gustavo Lima 08 Dec '08

08 Dec '08

Hi All, I have a big network with one master openldap 2.3.30 running on Debian Etch fully updated. I have other 27 consumers using replication on refresAndPersist type working 100% fine with one exception. This exception have the same configurations off all other servers. I have already changed the WAN provider (it was planned to change it), the switch where the server is connected, network cable, the hole server and nothing seems to change the strange behavior. What happens is this specific machine does not receive all the 8323 objects from the master. On debug mode it does not show any error. The openldap simply thinks the replica have finished. Then some seconds later it start replicating again but not from the stop point. The best that I have is 5217 objects replicated. My conf on this server was copied from another working installation and then changed the "rid". This is how my conf is: ####################################################################### # SCHEMAS ####################################################################### include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/samba.schema ####################################################################### # GERAL ####################################################################### #allow bind_v2 pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 4 64 16384 sizelimit 20000 tool-threads 1 ####################################################################### # MODULOS ####################################################################### modulepath /usr/lib/ldap moduleload back_bdb moduleload syncprov ####################################################################### # BACKEND ####################################################################### backend bdb checkpoint 512 30 ####################################################################### # DATABASE ####################################################################### database bdb suffix "dc=company" rootdn "cn=replicator,dc=company" rootpw {SSHA}password directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 lastmod on ###################################################################### # ACL ###################################################################### access to dn.base="" by * read access to * by dn="cn=admin,dc=company" write by dn="cn=replicator,dc=company" write by * read access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword by dn="cn=admin,dc=company" write by dn="cn=replicator,dc=company" write by self write by anonymous auth by * none ###################################################################### # TLS ###################################################################### TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP TLSCACertificateFile /etc/ldap/certs/cacert.pem TLSCertificateFile /etc/ldap/certs/servercrt.pem TLSCertificateKeyFile /etc/ldap/certs/serverkey.pem TLSVerifyClient never ###################################################################### # REPLICACAO ###################################################################### syncrepl rid=51 provider=ldaps://ldap bindmethod=simple binddn="cn=replicator,dc=company" credentials=password searchbase="dc=company" schemachecking=off type=refreshAndPersist retry="30 30 600 72" ###################################################################### # Indices ###################################################################### index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index memberUid eq,subinitial index mail eq,subinitial index givenname eq,subinitial index uidNumber eq index gidNumber eq index entryUUID eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index objectClass eq index sambaGroupType eq index sambaSIDList eq index uniqueMember eq index entryCSN eq When the replication stops the log just shows: Dec 8 15:55:09 mg slapd[6529]: syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) Dec 8 15:55:09 mg slapd[6529]: bdb_idl_fetch_key: [7cdee34d] Dec 8 15:55:09 mg slapd[6529]: send_ldap_result: err=0 matched="" text="" Dec 8 15:55:09 mg slapd[6529]: syncrepl_entry: be_search (0) Dec 8 15:55:09 mg slapd[6529]: syncrepl_entry: uid=pr0239$,ou=maquinas,dc=matriz,dc=company Dec 8 15:55:09 mg slapd[6529]: do_syncrep2: LDAP_RES_SEARCH_RESULT Dec 8 15:55:09 mg slapd[6529]: connection_get(39) Note that the first line is saying LDAP_SYNC_ADD and not LDAP_SYNC_MODIFY once this user is already loaded. Anyone can help us with this one? Thanx in advance. Gustavo

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2008