February 2008 - openldap-software

by Clowser, Jeff (Contractor)

I'm currently doing a review to see how OpenLDAP compares, *feature wise* ATM, to other directory servers and specifically to the Sun DS - i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. For brevity, I haven't included all the potentially useful features of OpenLDAP, but have just focused on those associated with 1) RFC compliance (of which Sun may or may not meet) and 2) features to match the Sun DS (which it would be replacing). So far, here's what I have for OpenLDAP: RFC 4510 (which includes 4511-4519). There was recent discussion on the list around this, such that in some cases, not everything that changed from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been updated in OpenLDAP, but I think those issues are fairly minor. The following additional RFC's are supported in OpenLDAP: - RFC 2247 and RFC 3088 - RFC 2696 simple paged results - RFC 2849 ldif - RFC 3062 password mod op - RFC 3296 named referals, manageDSAit - RFC 3673 All Op attrs + feature - RFC 3687 Component matching rules - RFC 3866 Languange tag and range - RFC 3876 matched values control - RFC 4370 proxy auth - RFC 4522 binary encoding - RFC 4523 x.509 cert schema - RFC 4524 COSINE schema - RFC 4525 Mod-increment - RFC 4526 Absolute true/false filters - RFC 4527 pre/post read control - RFC 4528 assertion control - RFC 4529 request attrs by objectclass - RFC 4530 entryUUID - RFC 4532 whoamI - RFC 4533 Content Sync op (replication) RFC's NOT supported are: - RFC 2589 dds Seems with 2.4, this has gone from experimental to production quality? - RFC 2891 server side sorting - RFC 3671 collective attributes - RFC 3928 LCUP mainly for updating cached addressbooks, etc - not replication between servers - RFC 3384 looks like just reqs for replication, not an actual replication protocol - RFC 4533 is used instead Unknown: - RFC 3672 (subentries) - RFC 3698 and 3727 (additional matching rules) - RFC 3909 LDAP Cancel operation - RFC 5020 entryDN operational attribute (There are some other, often obscure, LDAP related RFC's that I didn't include, but this seems to be the major/useful ones) Other features not supported: - VLV browse indexes (per http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an RFC, but supported by Sun and MS directories, and used by things like Outlook and Solaris. Other supported features: - dyngroup/dynlist/memberof overlay (A much more useful feature than Sun's groupOfURLs "dynamic" group and "roles" mechanism) - ppolicy overlay (matches Sun DS 5.x reasonably close, but is account lockout replicated to all servers? Sun DS 6.x claims to) - refint overlay (similar to Sun's referential integrity plugin) - unique overlay (similar to Sun's uniqueness plugin) - audit and accesslog overlays, syslog logging - much more useful/complete than Sun's access/audit/error logs. - live acl changes via LDAP Unknown features: - Per user resource limits (sizelimit, timelimit, idletimeout, etc). I think Howard Chu said OpenLDAP has some of this, but I haven't seen any reference to it or how to use it in the docs (does this functionality exist, and if so, is there any documentation?) - Tracking of last login (i.e. last successful ldap authentication) Is this still fairly accurate? The ones that are really problematic are the lack of: - VLV Browse indexes - RFC 2891 (server side sorting) - per user/entry resources limits (if they don't exist) Are there any unofficial updates/patches/overlays/plans for any of this functionality? Thanks, - Jeff

13 years, 8 months

11
29
0 / 0

using slapo-pcache with an empty attr list

by Toby Blake

Hi all, I'm doing a bit of playing with slapo-pcache and have it working fairly well (particularly once I realised that an individual attr can live in only one proxyattrset). However, there's one bit that I can't get working - is there any way to define a template that will match a search which doesn't provide an attr list? i.e. I can see quite a few searches (presumably from amd) of the following form (spacing and formatting changed by me to make it more readable): Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SRCH base="dc=inf,dc=ed,dc=ac,dc=uk" scope=2 deref=0 filter="(&(objectClass=amdmap)(amdmapName=home)(amdmapKey=root))" Jul 23 14:54:16 host1 slapd[26671]: query template of incoming query = (&(objectClass=)(amdmapName=)(amdmapKey=)) Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT ANSWERABLE Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT CACHEABLE Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Note that there's no 'SRCH attr=' line. I've tried proxyattrset of the following forms... proxyattrset 1 * proxyattrset 1 (both of which crash slapd) And also proxyattrset 1 <full list of attrs returned when none specified> .... but this didn't work either. Thanks in advance for any advice, Cheers Toby Blake School of Informatics University of Edinburgh

14 years, 9 months

3
8
0 / 0

Real alternatives to BDB?

by Marten Lehmann

Hello, we are currently running openldap 2.2.13 with a bdb-4.2.52 backend as it comes with RHEL4. We have about 50.000 cn's each having about 5-10 attributes with a length of no longer than 100 characters. So our dataset is not very big. We have a lot of concurrent reads since or ldap provides the data for incoming and pop3/imap servers. But we have only about 100 changes/adds a day, not more. Yesterday we had the second bdb problem in our 1 year ldap setup. The problem is, that we cannot really detect the crash, since ldap queries just hang, but neither they timeout nor openldap is crashing. We just notice the mailserver issues and have to track it down to openldap and bdb. As with last time, we had to shutdown openldap and recover bdb. Fortunately we have been able to recover the data-directory both times using dv_recover. But in fact, we want to have a backend, that doesn't crash twice a year. And as our setup is growing and we want to start with replication, we want a backend to whom we can trust. I read through the backend documentation of openldap and berkeley db is praised as very fast and efficient. Amazing, that berkeleydb is not called stable anywhere in the documentation. And from my experience, bdb is not stable. Whenever you here about bdb, you here about it because a database went corrupt. bdb is just a key/value database that seems to work fine as long it is read-only. Different projects, e.g. subversion, have turned away from bdb and use a different backend. Often they use SQLite. Since SQLite handles complete table layouts, it would also be possible to create one table with two columns (key and value as in bdb). SQLite shall also be transactional. But why is openldap sticking on bdb? Does bdb have any other important features the SQLite doesn't have? Benchmark issues? Replication? I have to admit, that I'm not using the latest releases of bdb. But I'm using and watching bdb for years and I hardly believe, that it has become stable in the latest release. Regards Marten

14 years, 12 months

9
9
0 / 0

add local entries to a master database.

by Julien Garnier

Hi, I want to setup a local ldap server that will add my local entries to the master server. The config is this one : A central server that is replicate on my "ldap_relay" server (I have access to the configuration of this server) . This one replicate from a central ldap (I have no access to this one) via classical syncrepl. So I can read my ldap_relay but I can't add my own attributes. I try several configurations : * I've tried to setup multimaster replication between ldap_relay and a local ldap server (ldap1). In this config I can update users and add my own attributes but if someone is deleted from de central ldap, he is delete from the "ldap_relay" server and not delete in the ldap1 server * I've tried to use translucent overlay between ldap_relay and ldap1 but the problem is tha it's not possible to search local entries with translucent. * I read the config from Oren Laadan ( http://www.openldap.org/lists/openldap-software/200802/msg00128.html). This seems to be what I need, but I don't realy understand how to configure that. If someone can help me to set up this solution with my servers. Thanks in advance. Julien

15 years

2
4
0 / 0

Required changes in 2.4.7 regarding ACLs when using authz-regexp?

by Michael Ströder

HI! I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also CVS RE24). I'm making use of authz-regexp to map user entries when they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. This together used to work on 2.3.x with the existing ACLs. With 2.4.7 this worked no longer. The user wasn't found. In the ACL debug log I've noticed that access to the search root database entry (suffix) is requested. When I explicitly grant auth access to this entry it works. But why is that needed? Was this an intended change? Ciao, Michael.

15 years

2
3
0 / 0

Syncprov and Time Problems

by Daniel Durgin

Hello, I have two openldap 2.4 servers, one a sync provider to the other. The Provider always seems to get about 8 seconds behind the consumer. I do run ntpd on both. Would this time difference cause the consumer not to pull updates? If I restart the consumer, it will pull updates until it becomes synced. It will even pull updates for a few minutes. Then it will no longer sync until I restart it. Here is some pertinent info: Consumer: syncrepl rid=000 provider=ldap://host1 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=foo,dc=bar" scope=sub attrs=* schemachecking=off bindmethod=simple binddn="uid=user1,dc=foo,dc=bar" credentials=secret Provider: overlay syncprov syncprov-checkpoint 25 5 Thank you, Dan

15 years

2
2
0 / 0

Change structural objectClass

by Emili Calonge

Hi! I have an ldap installation with almost 100 users in it, and now I've realised I need to change the structural objectClass. Because I need some attributes I don't have and my current objectClass won't allow me to have this attributes (or that's what I think). Now my objects are accounts and I need them to be organizationalPerson, so I can have telephon info, and picture, and some other things. Is there a way I can make this change without having to create all the users again? It's not that much for the time I have to waste but just because I don't know the users passwords so I would have to ask them to enter their password again and I think they would kill me if I asked them to do so. So if you know a way to just create new accounts and then import the passwords from the old ones that'll work for me too. Thanks a lot!

15 years

2
1
0 / 0

ppolicy: invalid value for attributeType pwAttribute -- for "userPassword"

by Chris Shenton

I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file: dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov cn: npg2810 objectClass: top objectClass: pwdPolicy objectClass: organizationalRole objectClass: pwdPolicyChecker description: OpenLDAP ppolicy to implement NPG2810-like restrictions pwdAttribute: userPassword When I try to slapadd it, I get an error indicating it doesn't like "userPassword": sudo sbin/slapadd -l ldifs/6_policies.ldif str2entry: invalid value for attributeType pwdAttribute #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=51) The ppolicy.schema file says: #5.2.1 pwdAttribute # # This holds the name of the attribute to which the password policy is # applied. For example, the password policy may be applied to the # userPassword attribute. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) And my slapd.conf includes ppolicy.schema in addition to core.schema, cosine.schema, and inetorgperson.schema. Oddly, replacing the "userPassword" value with a random number, like "42" or "3.14159" causes no error. I cannot find userPassword defined in any of the schemas, tho it is commented out in core.schema. If I uncomment it from core.schema it complains that it's a dupe: sbin/slapadd -l ldifs/6_policies.ldif schema/core.schema: line 244: Duplicate attributeType: "2.5.4.35" slapadd: bad configuration file! What am I missing? Thanks.

15 years

5
7
0 / 0

Re: Missing Syntax

by Michael Ströder

Nik Svoboda wrote: > > In the case that it is useful, here is what I am seeing. This picture > is taken from gq. The symptom that lead me to look for this was that no > partial-matches were being returned from LDAP searches, even when > explicitly specified in the search. The screenshot isn't that useful. You should rather post the commands you invoked when searching and no results were returned. Probably together with your slapd.conf (indexing config) and LDIF of your data. > I am not sending this to the entire list to avoid creating a very > large traffic amount. Cc:-ed openldap-software list again. Please let's stay there. Ciao, Michael.

15 years

1
0
0 / 0

Access Control issues

by admin

Hi! How to grant privileges to all users from, let say, ou=People,o=organization,c=US with gidNumber=1056 to ou=Private,ou=AddressBook,o=organization,c=US ?

15 years

3
2
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2008