openldap-software December 2008

openldap-software@openldap.org

45 participants
42 discussions

Problem deleting olcLimits with OpenLDAP 2.3.39
by openldap.lists＠frei-family.ch 08 Dec '08

08 Dec '08

Hi all, We have a problem with modifying the multivalue attribute "olcLimits". No matter if I try a "delete" or "replace" it always throws the error: ldapmodify: Internal (implementation specific) error (80). If I do the same on olcAccess (which is a multivalue attribute as well) it works. We are using an 2.3.39 server. I tried the operation below with ldapmodify 2.3.39 and 2.3.34. Both Versions of ldapmodify lead to the same error. $ ldapmodify -x -D "cn=manager,cn=config" -w password dn: olcDatabase={3}hdb,cn=config changetype: modify delete: olcAccess modifying entry "olcDatabase={3}hdb,cn=config" dn: olcDatabase={3}hdb,cn=config changetype: modify delete: olcLimits modifying entry "olcDatabase={3}hdb,cn=config" ldapmodify: Internal (implementation specific) error (80) -------- log (loglevel = -1) for attempted deletion of olcLimits ... Dec 4 10:04:51 z000572 slapd[2676]: [ID 552196 local4.debug] oc_check_allowed type "modifiersName" Dec 4 10:04:51 z000572 slapd[2676]: [ID 552196 local4.debug] oc_check_allowed type "modifyTimestamp" Dec 4 10:04:51 z000572 slapd[2676]: [ID 131099 local4.debug] send_ldap_result: conn=15 op=2 p=3 Dec 4 10:04:51 z000572 slapd[2676]: [ID 291653 local4.debug] send_ldap_result: err=80 matched="" text="" Dec 4 10:04:51 z000572 slapd[2676]: [ID 324658 local4.debug] send_ldap_response: msgid=3 tag=103 err=80 Dec 4 10:04:51 z000572 slapd[2676]: [ID 588225 local4.debug] conn=15 op=2 RESULT tag=103 err=80 text= Dec 4 10:04:51 z000572 slapd[2676]: [ID 601841 local4.debug] daemon: activity on 1 descriptor Dec 4 10:04:51 z000572 slapd[2676]: [ID 802679 local4.debug] daemon: activity on: Dec 4 10:04:51 z000572 slapd[2676]: [ID 522297 local4.debug] 18r Dec 4 10:04:51 z000572 slapd[2676]: [ID 100000 local4.debug] Dec 4 10:04:51 z000572 slapd[2676]: [ID 694296 local4.debug] daemon: read activity on 18 Dec 4 10:04:51 z000572 slapd[2676]: [ID 525477 local4.debug] connection_get(18) Dec 4 10:04:51 z000572 slapd[2676]: [ID 611214 local4.debug] connection_get(18): got connid=15 Dec 4 10:04:51 z000572 slapd[2676]: [ID 138202 local4.debug] connection_read(18): checking for input on id=15 Dec 4 10:04:51 z000572 slapd[2676]: [ID 812316 local4.debug] ber_get_next on fd 18 failed errno=0 (Error 0) Dec 4 10:04:51 z000572 slapd[2676]: [ID 549122 local4.debug] connection_read(18): input error=-2 id=15, closing. Dec 4 10:04:51 z000572 slapd[2676]: [ID 685210 local4.debug] do_unbind Dec 4 10:04:51 z000572 slapd[2676]: [ID 734893 local4.debug] connection_closing: readying conn=15 sd=18 for close Dec 4 10:04:51 z000572 slapd[2676]: [ID 218904 local4.debug] conn=15 op=3 UNBIND Dec 4 10:04:51 z000572 slapd[2676]: [ID 959580 local4.debug] connection_close: deferring conn=15 sd=-1 Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=zero Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=zero Dec 4 10:04:51 z000572 slapd[2676]: [ID 925745 local4.debug] connection_resched: attempting closing conn=15 sd=18 Dec 4 10:04:51 z000572 slapd[2676]: [ID 601841 local4.debug] daemon: activity on 1 descriptor Dec 4 10:04:51 z000572 slapd[2676]: [ID 330685 local4.debug] connection_close: conn=15 sd=-1 Dec 4 10:04:51 z000572 slapd[2676]: [ID 609413 local4.debug] daemon: waked Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=zero Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=zero Dec 4 10:04:51 z000572 slapd[2676]: [ID 423323 local4.debug] daemon: removing 18 Dec 4 10:04:51 z000572 slapd[2676]: [ID 952275 local4.debug] conn=15 fd=18 closed ... Is this a known problem or are we doing something completely wrong ? Thanks for any hints and pointers Christoph

2 1

dublin core (dcSubject, dcTitle, etc.,)
by Brett ＠Google 06 Dec '08

06 Dec '08

Hello, I was looking for the dublin core schema for openldap (metadata for ontologies / search collections) ? I have found http://tools.ietf.org/html/draft-hamilton-dcxl-02 which defines oids and ldap schema for the 15 dublin core attributes, but as an expired ietf draft. I created a test dublincore.schema from this. The draft is http://tools.ietf.org/html/draft-hamilton-dcxl-02 which expired in 1998, unless there is newer one (although there are other examples of "draft" standarts in wide use) ? Anyone have any more recent information as to wether some form this draft was ever released as a RFC ? Alternatively, is there a better / more standard way of storing dublin core metadata in openldap ? Cheers Brett

2 1

slapo-memberof and posixGroup / posixAccount
by Wilhelm Meier 05 Dec '08

05 Dec '08

Hi, I wonder if it would be possible to manage a memberOf-attribute for posixAccount dynamically with slapo-memberOf using posixGroup and the memberUid-attribute. I know the memberUid isn't DN-format, so there may be problems. Has anyone tried this? Or is there another way to (dynamically) provide the reverse-mapping of the memberUid in posixGroup to memberOf in posixAccount? -- Wilhelm

1 0

TLS client certificates and memory use
by David Hawes 04 Dec '08

04 Dec '08

I was doing some testing and noticed that when I search for entries using TLS, significantly more memory is used when using client certificates than without them. In fact, memory will eventually be exhausted if the searches are performed indefinitely. Without using them, memory use stays (around) the same value. I stripped down the config, removed all ACLs except one (to disallow access), and started with an empty database, and get the same results. I've noticed this in 2.4.11, 2.4.12, and 2.4.13 with OpenSSL 0.9.8i. I do not notice it with an old 2.3.39 instance. Has anyone noticed anything similar, or can anyone reproduce this? Dave

3 6

acls and restricting permissions
by Brett ＠Google 04 Dec '08

04 Dec '08

Hi All, I was wondering how i go about giving LESS access than the default ACL rule. Lets assume some default permissions set from the FAQ-o-matic : access to attr=userpassword by self =xw by anonymous auth access to * by self write by users read This allows the "standard user" to read all attributes, and write thier own details. Assuming we add to the above a user that has LESS access than the default ie: access to attr=c,o,ou,cn,sn,givenName,mail by dn.exact=cn=limited,dc=example,dc=com by * none (or break) This literally wont work as intended, because even if the above does not match, the access to * by self write by users read Will always give users read by default. Any ideas ? Cheers Brett

4 5

"make test" hangs indefinitely
by Drew Leske 04 Dec '08

04 Dec '08

Hi all, Apologies if this has been asked and answered already. I did a number of searches for this problem and found nothing. When I build OpenLDAP it hangs on "make test". This has happened on two separate hosts, one AMD64 running Gentoo and the other a CentOS 5 distribution running on Intel. I am trying to build OpenLDAP 2.4.13 (have also tried 2.4.12) against BDB 4.7.25. BDB is built with a specific prefix and that's all: /usr/local/db-4.7.25. It builds without error or hiccup but unfortunately there is no test target. OpenLDAP is built with the following: CPPFLAGS="-I/usr/local/db-4.7.25/include" LDFLAGS="-L/usr/local/db-4.7.25/lib -Wl,--rpath -Wl,/usr/local/db-4.7.25/lib" ./configure --enable-syslog --enable-slapd --enable-crypt --enable-bdb --with-tls --prefix=/usr/local/openldap-2.4.13 && make depend && make && make test On the make test it gets to test001-slapadd and just sits there. Here's how that looks: [...] >>>>> Test succeeded >>>>> ./scripts/test000-rootdse completed OK. >>>>> Starting test001-slapadd ... running defines.sh Running slapadd to build slapd database... [...eventually I ctrl-c] This will sit there indefinitely. I changed the test script to use -d -1 for slapadd and the end of that output is below. On these systems I have another instance of BDB but I'm pretty clear to OpenLDAP about which to use. Perhaps I am missing something. Given this is happening to me on two different servers and I don't see anybody else having this problem I must be b0rking something myself, and consistently. Can anybody point out to me what I'm doing wrong? I am currently trying a build of BDB 4.6.21 and we'll see how that goes. Thanks, Drew. >>> dnPrettyNormal: <ou=Groups,dc=example,dc=com> <<< dnPrettyNormal: <ou=Groups,dc=example,dc=com>, <ou=groups,dc=example,dc=com> <= str2entry(ou=Groups,dc=example,dc=com) -> 0x92e7f9c oc_check_required entry (ou=Groups,dc=example,dc=com), objectClass "organizationalUnit" oc_check_allowed type "objectClass" oc_check_allowed type "ou" oc_check_allowed type "structuralObjectClass" => bdb_tool_entry_put( -1, "ou=Groups,dc=example,dc=com" ) => bdb_dn2id("ou=groups,dc=example,dc=com") <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988) => bdb_dn2id_add 0x3: "ou=groups,dc=example,dc=com" bdb_idl_insert_key: 3 %dc=example,dc=com <= bdb_dn2id_add 0x3: 0 => index_entry_add( 3, "ou=Groups,dc=example,dc=com" ) => key_change(ADD,3) bdb_idl_insert_key: 3 [9bee355f] <= key_change 0 => key_change(ADD,3) bdb_idl_insert_key: 3 [0096defd] <= key_change 0 <= index_entry_add( 3, "ou=Groups,dc=example,dc=com" ) success => entry_encode(0x00000003): ou=Groups,dc=example,dc=com => str2entry: "dn: ou=Alumni Association,ou=People,dc=example,dc=com objectclass: organizationalUnit ou: Alumni Association " >>> dnPrettyNormal: <ou=Alumni Association,ou=People,dc=example,dc=com> <<< dnPrettyNormal: <ou=Alumni Association,ou=People,dc=example,dc=com>, <ou=alumni association,ou=people,dc=example,dc=com> <= str2entry(ou=Alumni Association,ou=People,dc=example,dc=com) -> 0x92e7f9c oc_check_required entry (ou=Alumni Association,ou=People,dc=example,dc=com), objectClass "organizationalUnit" oc_check_allowed type "objectClass" oc_check_allowed type "ou" oc_check_allowed type "structuralObjectClass" => bdb_tool_entry_put( -1, "ou=Alumni Association,ou=People,dc=example,dc=com" ) => bdb_dn2id("ou=people,dc=example,dc=com") <= bdb_dn2id: got id=0x2 => bdb_dn2id("ou=alumni association,ou=people,dc=example,dc=com") make[2]: *** [bdb-yes] Interrupt make[1]: *** [test] Interrupt make: *** [test] Interrupt

2 2

Re: Multi-master doesn't replicate deletes under certain circumstances.
by Jose Ildefonso Camargo Tolosa 03 Dec '08

03 Dec '08

Hi! On Wed, Dec 3, 2008 at 3:16 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Wednesday, December 03, 2008 9:25 AM +1930 Jose Ildefonso Camargo > Tolosa <ildefonso.camargo(a)gmail.com> wrote: > >> Hi! >> >> I just configured multi-master replication (with N=3) for testing >> purposes, and I just found an annoying problem, under these >> conditions: >> >> 1. Configure a N number of "masters", and have them replicate happily >> (this is important). >> 2. Stop slapd service on all of the servers. >> 3. Start slapd service on any number of servers < N (ie, leave at >> least one stopped). >> 4. Delete any entry (yes, it only fails with deletes, you can combine >> changes: modify, add, and delete, and only deletes will fail to >> replicate). >> 5. Stop slapd service on *all of the servers again* (this is the most >> important part). >> 6. Star slapd service on all the servers. >> >> You will see that, on the servers that you left down on step 3, the >> deleted entries are still present. >> >> If you leave at least one server up, it replicates just fine, the >> problem is when you stop all of the masters. >> >> More info: >> >> OpenLDAP version: 2.4.13 >> OS: Debian GNU/Linux Etch >> Overlays: smbk5pwd (only samba enabled), syncprov (off course). >> >> Any ideas? If you need more info, just ask. > > I suggest you file an ITS. Ok. > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 1

extracting X509 certificate from LDAP connection with openldap public API
by Guillaume Rousse 03 Dec '08

03 Dec '08

Hello list. I'm trying to extend nagios check_ldap plugin to also check LDAP certificate expiration. Equivalent code in check_http work directly at socket level, and is not directly transposable, as check_ldap works at higher level, relying on openldap libraries to manage its connection. The code manipulates an opaque LDAP *ld connection handle. I had a quick look at openldap code, in libraries/libldap/tls.c, to see how this handle could be used to access the x509 certificate: LDAPConn *conn = NULL; Sockbuf *sb = NULL; SSL *ssl = NULL; X509 *certificate = NULL; conn = ld->ld_defconn; sb = conn->lconn_sb; ssl = ldap_pvt_tls_sb_ctx(sb); certificate = tls_get_cert(ssl); However, all those types are defined in libraries/libldap/ldap-int.h header, meaning those are for internal use only. I had a quick look at IETF LDAP C draft found in openldap sources, but I couldn't find anything related to the topic. So, what's the proper way for doing this ? -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62

2 2

Re: bdb_search: 112 does not match filter
by Net Warrior 02 Dec '08

02 Dec '08

Hi Quanah My bad, did not reindex the database, sorry, I'll do that right now and see what happens. and yes, it's and old release, I'm aware of that, and we should upgrade as soon as posible. Thanks for your time and support. Best regards. 2008/11/11, Quanah Gibson-Mount <quanah(a)zimbra.com>: > > --On Tuesday, November 11, 2008 6:12 PM -0200 Net Warrior < > netwarrior863(a)gmail.com> wrote: > > Hi there guys. >> >> A costumer of us were having problems with the slapd service ( unexpected >> hangs ), it's an ubuntu installation running slapd 2.2.26 >> In the logs I noticed that there were no indexes available, the >> index_param failed were reported in the logs, the systems uses ldap for >> user authentication and nothing else. >> >> After that, I added the following in the slapd.conf, >> >> index cn,gidNumber,memberUid,uid eq >> index uniqueMember eq >> index uidNumber eq >> >> The performance where better and there were no more hangs, but I'm >> getting the following error. >> and the user cannot authenticate, so I went back to the original >> configuration without indexes. >> > > Did you reindex the database after you added the indices via slapindex > while the server was offline, as is required when you add indices to > existing objects? > > And, I'll note that OpenLDAP 2.2 is very old and no longer supported. > Numerous bugs have been fixed since that release, even in the OpenLDAP 2.2 > series. > > --Quanah > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

3 3

Multi-master doesn't replicate deletes under certain circumstances.
by Jose Ildefonso Camargo Tolosa 02 Dec '08

02 Dec '08

Hi! I just configured multi-master replication (with N=3) for testing purposes, and I just found an annoying problem, under these conditions: 1. Configure a N number of "masters", and have them replicate happily (this is important). 2. Stop slapd service on all of the servers. 3. Start slapd service on any number of servers < N (ie, leave at least one stopped). 4. Delete any entry (yes, it only fails with deletes, you can combine changes: modify, add, and delete, and only deletes will fail to replicate). 5. Stop slapd service on *all of the servers again* (this is the most important part). 6. Star slapd service on all the servers. You will see that, on the servers that you left down on step 3, the deleted entries are still present. If you leave at least one server up, it replicates just fine, the problem is when you stop all of the masters. More info: OpenLDAP version: 2.4.13 OS: Debian GNU/Linux Etch Overlays: smbk5pwd (only samba enabled), syncprov (off course). Any ideas? If you need more info, just ask. Thanks in advance, Ildefonso Camargo

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2008