Problem deleting olcLimits with OpenLDAP 2.3.39
by openldap.lists@frei-family.ch
Hi all,
We have a problem with modifying the multivalue attribute "olcLimits".
No matter if I try a "delete" or "replace" it always throws the error:
ldapmodify: Internal (implementation specific) error (80). If I do the
same on olcAccess (which is a multivalue attribute as well) it works.
We are using a 2.3.39 server. I tried the operation below with
ldapmodify 2.3.39 and 2.3.34. Both versions of ldapmodify lead to the
same error.
$ ldapmodify -x -D "cn=manager,cn=config" -w password
dn: olcDatabase={3}hdb,cn=config
changetype: modify
delete: olcAccess
modifying entry "olcDatabase={3}hdb,cn=config"
dn: olcDatabase={3}hdb,cn=config
changetype: modify
delete: olcLimits
modifying entry "olcDatabase={3}hdb,cn=config"
ldapmodify: Internal (implementation specific) error (80)
-------- log (loglevel = -1) for attempted deletion of olcLimits
...
Dec 4 10:04:51 z000572 slapd[2676]: [ID 552196 local4.debug]
oc_check_allowed type "modifiersName"
Dec 4 10:04:51 z000572 slapd[2676]: [ID 552196 local4.debug]
oc_check_allowed type "modifyTimestamp"
Dec 4 10:04:51 z000572 slapd[2676]: [ID 131099 local4.debug]
send_ldap_result: conn=15 op=2 p=3
Dec 4 10:04:51 z000572 slapd[2676]: [ID 291653 local4.debug]
send_ldap_result: err=80 matched="" text=""
Dec 4 10:04:51 z000572 slapd[2676]: [ID 324658 local4.debug]
send_ldap_response: msgid=3 tag=103 err=80
Dec 4 10:04:51 z000572 slapd[2676]: [ID 588225 local4.debug] conn=15
op=2 RESULT tag=103 err=80 text=
Dec 4 10:04:51 z000572 slapd[2676]: [ID 601841 local4.debug] daemon:
activity on 1 descriptor
Dec 4 10:04:51 z000572 slapd[2676]: [ID 802679 local4.debug] daemon:
activity on:
Dec 4 10:04:51 z000572 slapd[2676]: [ID 522297 local4.debug] 18r
Dec 4 10:04:51 z000572 slapd[2676]: [ID 100000 local4.debug]
Dec 4 10:04:51 z000572 slapd[2676]: [ID 694296 local4.debug] daemon:
read activity on 18
Dec 4 10:04:51 z000572 slapd[2676]: [ID 525477 local4.debug]
connection_get(18)
Dec 4 10:04:51 z000572 slapd[2676]: [ID 611214 local4.debug]
connection_get(18): got connid=15
Dec 4 10:04:51 z000572 slapd[2676]: [ID 138202 local4.debug]
connection_read(18): checking for input on id=15
Dec 4 10:04:51 z000572 slapd[2676]: [ID 812316 local4.debug]
ber_get_next on fd 18 failed errno=0 (Error 0)
Dec 4 10:04:51 z000572 slapd[2676]: [ID 549122 local4.debug]
connection_read(18): input error=-2 id=15, closing.
Dec 4 10:04:51 z000572 slapd[2676]: [ID 685210 local4.debug] do_unbind
Dec 4 10:04:51 z000572 slapd[2676]: [ID 734893 local4.debug]
connection_closing: readying conn=15 sd=18 for close
Dec 4 10:04:51 z000572 slapd[2676]: [ID 218904 local4.debug] conn=15
op=3 UNBIND
Dec 4 10:04:51 z000572 slapd[2676]: [ID 959580 local4.debug]
connection_close: deferring conn=15 sd=-1
Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon:
select: listen=7 active_threads=0 tvp=zero
Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon:
select: listen=8 active_threads=0 tvp=zero
Dec 4 10:04:51 z000572 slapd[2676]: [ID 925745 local4.debug]
connection_resched: attempting closing conn=15 sd=18
Dec 4 10:04:51 z000572 slapd[2676]: [ID 601841 local4.debug] daemon:
activity on 1 descriptor
Dec 4 10:04:51 z000572 slapd[2676]: [ID 330685 local4.debug]
connection_close: conn=15 sd=-1
Dec 4 10:04:51 z000572 slapd[2676]: [ID 609413 local4.debug] daemon: waked
Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon:
select: listen=7 active_threads=0 tvp=zero
Dec 4 10:04:51 z000572 slapd[2676]: [ID 538834 local4.debug] daemon:
select: listen=8 active_threads=0 tvp=zero
Dec 4 10:04:51 z000572 slapd[2676]: [ID 423323 local4.debug] daemon:
removing 18
Dec 4 10:04:51 z000572 slapd[2676]: [ID 952275 local4.debug] conn=15
fd=18 closed
...
Is this a known problem or are we doing something completely wrong?
Thanks for any hints and pointers
Christoph
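Triage of the loglevel -1 output above, as an added example that is not part of the post or of OpenLDAP: it groups slapd's `conn=N op=M ...` lines per operation and decodes the BER response tag and LDAP result code, so the flood reduces to one row per operation. The regexes, the tag and result-code tables, and the constructed MOD line are assumptions.

```python
# Added example (not OpenLDAP code): group slapd's `conn=N op=M ...` lines by
# operation so a loglevel -1 flood reduces to one row per op, with the BER
# response tag and LDAP result code decoded. Tables and regexes are assumptions.
import re

# LDAP response protocolOp tags ([APPLICATION n] => 0x60 + n) and some result codes
TAGS = {97: "bindResponse", 101: "searchResultDone", 103: "modifyResponse",
        105: "addResponse", 107: "delResponse", 109: "modDNResponse"}
ERRS = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
        50: "insufficientAccessRights", 53: "unwillingToPerform", 80: "other"}

START = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|MOD|ADD|DEL|MODRDN|UNBIND)\b(.*)")
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)(?: text=(.*))?")

def summarize(lines):
    """Return one (conn, op, opname, detail, tag, err, text) tuple per operation."""
    ops = {}  # insertion-ordered: first sight of (conn, op) fixes its position
    for line in lines:
        m = START.search(line)
        if m:
            ops.setdefault((int(m[1]), int(m[2])), {})["op"] = (m[3], m[4].strip())
            continue
        m = RESULT.search(line)
        if m:
            res = (TAGS.get(int(m[3]), "tag %s" % m[3]), ERRS.get(int(m[4]), "err %s" % m[4]), (m[5] or "").strip())
            ops.setdefault((int(m[1]), int(m[2])), {})["res"] = res
    rows = []
    for (conn, op), d in ops.items():
        opname, detail = d.get("op", ("?", ""))
        tag, err, text = d.get("res", ("-", "pending", ""))
        rows.append((conn, op, opname, detail, tag, err, text))
    return rows

def failures(lines):
    """Operations that completed with a non-success result (the post's err=80 is 'other')."""
    return [r for r in summarize(lines) if r[5] not in ("success", "pending")]

# Two lines from the post's log (the RESULT and UNBIND lines) plus a constructed
# MOD line standing in for the one the post's excerpt starts after.
SAMPLE = [
    'Dec 4 10:04:51 z000572 slapd[2676]: [ID 0 local4.debug] conn=15 op=2 MOD dn="olcDatabase={3}hdb,cn=config"',  # constructed
    'Dec 4 10:04:51 z000572 slapd[2676]: [ID 588225 local4.debug] conn=15 op=2 RESULT tag=103 err=80 text=',
    'Dec 4 10:04:51 z000572 slapd[2676]: [ID 218904 local4.debug] conn=15 op=3 UNBIND',
]
```

Running `failures(SAMPLE)` isolates the modify that answered with tag 103 (modifyResponse) and err 80 (other), the same pair the post's `send_ldap_response` line shows.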
dublin core (dcSubject, dcTitle, etc.,)
by Brett @Google
Hello,
I was looking for the Dublin Core schema for OpenLDAP (metadata for
ontologies / search collections)?
I have found http://tools.ietf.org/html/draft-hamilton-dcxl-02 which
defines OIDs and an LDAP schema for the 15 Dublin Core attributes, but as
an expired IETF draft. I created a test dublincore.schema from this.
The draft is http://tools.ietf.org/html/draft-hamilton-dcxl-02 which
expired in 1998, unless there is a newer one (although there are other
examples of "draft" standards in wide use)?
Anyone have any more recent information as to whether some form of this
draft was ever released as an RFC?
Alternatively, is there a better / more standard way of storing Dublin
Core metadata in OpenLDAP?
Cheers
Brett
slapo-memberof and posixGroup / posixAccount
by Wilhelm Meier
Hi,
I wonder if it would be possible to manage a memberOf-attribute for
posixAccount dynamically with slapo-memberOf using posixGroup and the
memberUid-attribute.
I know the memberUid isn't DN-format, so there may be problems.
Has anyone tried this?
Or is there another way to (dynamically) provide the reverse-mapping
of the memberUid in posixGroup to memberOf in posixAccount?
--
Wilhelm
TLS client certificates and memory use
by David Hawes
I was doing some testing and noticed that when I search for entries
using TLS, significantly more memory is used when using client
certificates than without them. In fact, memory will eventually be
exhausted if the searches are performed indefinitely. Without using
them, memory use stays (around) the same value.
I stripped down the config, removed all ACLs except one (to disallow
access), and started with an empty database, and get the same results.
I've noticed this in 2.4.11, 2.4.12, and 2.4.13 with OpenSSL 0.9.8i. I
do not notice it with an old 2.3.39 instance.
Has anyone noticed anything similar, or can anyone reproduce this?
Dave
acls and restricting permissions
by Brett @Google
Hi All,
I was wondering how I go about giving LESS access than the default ACL rule.
Let's assume some default permissions set from the FAQ-o-matic:
access to attr=userpassword
by self =xw
by anonymous auth
access to *
by self write
by users read
This allows the "standard user" to read all attributes, and write
their own details.
Assuming we add to the above a user that has LESS access than the default, i.e.:
access to attr=c,o,ou,cn,sn,givenName,mail
by dn.exact=cn=limited,dc=example,dc=com
by * none (or break)
This literally won't work as intended, because even if the above does
not match, the
access to *
by self write
by users read
Will always give users read by default.
Any ideas?
Cheers
Brett
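A small model of slapd's first-match ACL evaluation, added here as an example (not OpenLDAP's code and not from the post), replaying the ACLs above: slapd takes the first `access to` clause whose target matches, then the first matching `by` clause, whose level is final unless its control is `break` (move to the next `access to`) or `continue`; with no matching `by` the implicit `by * none` denies. The missing level on the limited user's `by` is taken as `none`, `by * break` is the assumed fall-through, and the parsing and matching are simplified assumptions.

```python
# Added example (not OpenLDAP's code): a small model of how slapd picks an ACL.
# First matching `access to` clause, then first matching `by`; `break` falls
# through to the next `access to`; no matching `by` means implicit `by * none`.

LEVELS = {"none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
          "search": "dxcs", "read": "dxcsr", "write": "dxcsrw"}

def privs(level):
    # "=xw" grants exactly x and w; a named level grants a cumulative set
    return set(level[1:]) if level.startswith("=") else set(LEVELS[level])

def who_matches(who, req_dn, entry_dn):
    # req_dn is None for an anonymous requester
    if who == "*": return True
    if who == "anonymous": return req_dn is None
    if who == "users": return req_dn is not None
    if who == "self": return req_dn is not None and req_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="): return req_dn is not None and req_dn.lower() == who[9:].lower()
    raise ValueError("unsupported <who>: " + who)

def target_matches(target, attr):
    return target == "*" or attr.lower() in target[len("attr="):].lower().split(",")

def check(acls, req_dn, entry_dn, attr, wanted):
    """True if req_dn holds privilege `wanted` (e.g. 'r', 'w', 'x') on attr of entry_dn."""
    for target, by_clauses in acls:
        if not target_matches(target, attr):
            continue
        for who, level, control in by_clauses:
            if not who_matches(who, req_dn, entry_dn):
                continue
            if control == "break":
                break                      # fall through to the next `access to`
            if control == "continue":
                continue                   # keep scanning this clause's `by` list
            return wanted in privs(level)  # default control: stop
        else:
            return False                   # no `by` matched: implicit `by * none`
    return False

# The post's ACLs with the limited user's missing level taken as `none` and
# `by * break` chosen so everyone else falls through (both assumed). The
# restrictive clause must come before `access to *`, or it is never reached.
ACLS = [
    ("attr=c,o,ou,cn,sn,givenName,mail",
     [("dn.exact=cn=limited,dc=example,dc=com", "none", "stop"), ("*", "none", "break")]),
    ("attr=userPassword", [("self", "=xw", "stop"), ("anonymous", "auth", "stop")]),
    ("*", [("self", "write", "stop"), ("users", "read", "stop")]),
]
```

Moving the restrictive clause after `access to *` (or replacing `break` with `none`) reproduces the two failure modes the post describes: the limited user gets read anyway, or every other user is denied.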
"make test" hangs indefinitely
by Drew Leske
Hi all,
Apologies if this has been asked and answered already. I did a number of searches for this problem and found nothing.
When I build OpenLDAP it hangs on "make test". This has happened on two separate hosts, one AMD64 running Gentoo and the other a CentOS 5 distribution running on Intel. I am trying to build OpenLDAP 2.4.13 (have also tried 2.4.12) against BDB 4.7.25.
BDB is built with a specific prefix and that's all: /usr/local/db-4.7.25. It builds without error or hiccup but unfortunately there is no test target.
OpenLDAP is built with the following:
CPPFLAGS="-I/usr/local/db-4.7.25/include" LDFLAGS="-L/usr/local/db-4.7.25/lib -Wl,--rpath -Wl,/usr/local/db-4.7.25/lib" ./configure --enable-syslog --enable-slapd --enable-crypt --enable-bdb --with-tls --prefix=/usr/local/openldap-2.4.13 && make depend && make && make test
On the make test it gets to test001-slapadd and just sits there. Here's how that looks:
[...]
>>>>> Test succeeded
>>>>> ./scripts/test000-rootdse completed OK.
>>>>> Starting test001-slapadd ...
running defines.sh
Running slapadd to build slapd database...
[...eventually I ctrl-c]
This will sit there indefinitely. I changed the test script to use -d -1 for slapadd and the end of that output is below.
On these systems I have another instance of BDB but I'm pretty clear to OpenLDAP about which to use. Perhaps I am missing something. Given this is happening to me on two different servers and I don't see anybody else having this problem I must be b0rking something myself, and consistently. Can anybody point out to me what I'm doing wrong?
I am currently trying a build of BDB 4.6.21 and we'll see how that goes.
Thanks,
Drew.
>>> dnPrettyNormal: <ou=Groups,dc=example,dc=com>
<<< dnPrettyNormal: <ou=Groups,dc=example,dc=com>, <ou=groups,dc=example,dc=com>
<= str2entry(ou=Groups,dc=example,dc=com) -> 0x92e7f9c
oc_check_required entry (ou=Groups,dc=example,dc=com), objectClass "organizationalUnit"
oc_check_allowed type "objectClass"
oc_check_allowed type "ou"
oc_check_allowed type "structuralObjectClass"
=> bdb_tool_entry_put( -1, "ou=Groups,dc=example,dc=com" )
=> bdb_dn2id("ou=groups,dc=example,dc=com")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
=> bdb_dn2id_add 0x3: "ou=groups,dc=example,dc=com"
bdb_idl_insert_key: 3 %dc=example,dc=com
<= bdb_dn2id_add 0x3: 0
=> index_entry_add( 3, "ou=Groups,dc=example,dc=com" )
=> key_change(ADD,3)
bdb_idl_insert_key: 3 [9bee355f]
<= key_change 0
=> key_change(ADD,3)
bdb_idl_insert_key: 3 [0096defd]
<= key_change 0
<= index_entry_add( 3, "ou=Groups,dc=example,dc=com" ) success
=> entry_encode(0x00000003): ou=Groups,dc=example,dc=com
=> str2entry: "dn: ou=Alumni Association,ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: Alumni Association
"
>>> dnPrettyNormal: <ou=Alumni Association,ou=People,dc=example,dc=com>
<<< dnPrettyNormal: <ou=Alumni Association,ou=People,dc=example,dc=com>, <ou=alumni association,ou=people,dc=example,dc=com>
<= str2entry(ou=Alumni Association,ou=People,dc=example,dc=com) -> 0x92e7f9c
oc_check_required entry (ou=Alumni Association,ou=People,dc=example,dc=com), objectClass "organizationalUnit"
oc_check_allowed type "objectClass"
oc_check_allowed type "ou"
oc_check_allowed type "structuralObjectClass"
=> bdb_tool_entry_put( -1, "ou=Alumni Association,ou=People,dc=example,dc=com" )
=> bdb_dn2id("ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x2
=> bdb_dn2id("ou=alumni association,ou=people,dc=example,dc=com")
make[2]: *** [bdb-yes] Interrupt
make[1]: *** [test] Interrupt
make: *** [test] Interrupt
Re: Multi-master doesn't replicate deletes under certain circumstances.
by Jose Ildefonso Camargo Tolosa
Hi!
On Wed, Dec 3, 2008 at 3:16 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, December 03, 2008 9:25 AM +1930 Jose Ildefonso Camargo
> Tolosa <ildefonso.camargo(a)gmail.com> wrote:
>
>> Hi!
>>
>> I just configured multi-master replication (with N=3) for testing
>> purposes, and I just found an annoying problem, under these
>> conditions:
>>
>> 1. Configure a N number of "masters", and have them replicate happily
>> (this is important).
>> 2. Stop slapd service on all of the servers.
>> 3. Start slapd service on any number of servers < N (i.e., leave at
>> least one stopped).
>> 4. Delete any entry (yes, it only fails with deletes, you can combine
>> changes: modify, add, and delete, and only deletes will fail to
>> replicate).
>> 5. Stop slapd service on *all of the servers again* (this is the most
>> important part).
>> 6. Start slapd service on all the servers.
>>
>> You will see that, on the servers that you left down on step 3, the
>> deleted entries are still present.
>>
>> If you leave at least one server up, it replicates just fine, the
>> problem is when you stop all of the masters.
>>
>> More info:
>>
>> OpenLDAP version: 2.4.13
>> OS: Debian GNU/Linux Etch
>> Overlays: smbk5pwd (only samba enabled), syncprov (of course).
>>
>> Any ideas? If you need more info, just ask.
>
> I suggest you file an ITS.
Ok.
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
extracting X509 certificate from LDAP connection with openldap public API
by Guillaume Rousse
Hello list.
I'm trying to extend the nagios check_ldap plugin to also check LDAP
certificate expiration. Equivalent code in check_http works directly at
socket level, and is not directly transposable, as check_ldap works at a
higher level, relying on openldap libraries to manage its connection.
The code manipulates an opaque LDAP *ld connection handle. I had a quick
look at openldap code, in libraries/libldap/tls.c, to see how this
handle could be used to access the x509 certificate:
LDAPConn *conn = NULL;
Sockbuf *sb = NULL;
SSL *ssl = NULL;
X509 *certificate = NULL;
conn = ld->ld_defconn;
sb = conn->lconn_sb;
ssl = ldap_pvt_tls_sb_ctx(sb);
certificate = tls_get_cert(ssl);
However, all those types are defined in libraries/libldap/ldap-int.h
header, meaning those are for internal use only. I had a quick look at
IETF LDAP C draft found in openldap sources, but I couldn't find
anything related to the topic. So, what's the proper way of doing this?
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
Re: bdb_search: 112 does not match filter
by Net Warrior
Hi Quanah
My bad, I did not reindex the database, sorry, I'll do that right now and see
what happens.
And yes, it's an old release, I'm aware of that, and we should upgrade as
soon as possible.
Thanks for your time and support.
Best regards.
2008/11/11, Quanah Gibson-Mount <quanah(a)zimbra.com>:
>
> --On Tuesday, November 11, 2008 6:12 PM -0200 Net Warrior <
> netwarrior863(a)gmail.com> wrote:
>
>> Hi there guys.
>>
>> A customer of ours was having problems with the slapd service (unexpected
>> hangs); it's an Ubuntu installation running slapd 2.2.26
>> In the logs I noticed that there were no indexes available, the
>> index_param failed were reported in the logs, the systems uses ldap for
>> user authentication and nothing else.
>>
>> After that, I added the following in the slapd.conf,
>>
>> index cn,gidNumber,memberUid,uid eq
>> index uniqueMember eq
>> index uidNumber eq
>>
>> The performance was better and there were no more hangs, but I'm
>> getting the following error.
>> and the user cannot authenticate, so I went back to the original
>> configuration without indexes.
>>
>
> Did you reindex the database after you added the indices via slapindex
> while the server was offline, as is required when you add indices to
> existing objects?
>
> And, I'll note that OpenLDAP 2.2 is very old and no longer supported.
> Numerous bugs have been fixed since that release, even in the OpenLDAP 2.2
> series.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
Multi-master doesn't replicate deletes under certain circumstances.
by Jose Ildefonso Camargo Tolosa
Hi!
I just configured multi-master replication (with N=3) for testing
purposes, and I just found an annoying problem, under these
conditions:
1. Configure a N number of "masters", and have them replicate happily
(this is important).
2. Stop slapd service on all of the servers.
3. Start slapd service on any number of servers < N (i.e., leave at
least one stopped).
4. Delete any entry (yes, it only fails with deletes, you can combine
changes: modify, add, and delete, and only deletes will fail to
replicate).
5. Stop slapd service on *all of the servers again* (this is the most
important part).
6. Start slapd service on all the servers.
You will see that, on the servers that you left down on step 3, the
deleted entries are still present.
If you leave at least one server up, it replicates just fine, the
problem is when you stop all of the masters.
More info:
OpenLDAP version: 2.4.13
OS: Debian GNU/Linux Etch
Overlays: smbk5pwd (only samba enabled), syncprov (of course).
Any ideas? If you need more info, just ask.
Thanks in advance,
Ildefonso Camargo