February 2008 - openldap-software

by Ishklight

Hi, I want to set up openldap servers to be available all the time. In short, if one goes down, the other should automatically pick up and service the requests. I looked at Master-Slave with Syncrepl and Multi-master configurations. I don't understand which configuration could help me. Also, how would I test my requirement? Is it possible to set up highly available openLDAP servers? Please suggest. Thanks in advance, Regards, Imran

13 years, 9 months

4
4
0 / 0

getting passwordpolicy from ldap_sasl_bind

by Kenneth Rogers

Hi, I've been asked to have our client report back if a password is expired, and it looks like using the ldap_passwordpolicy_* functions are the way to do it, but the example (clients/tools/common.c) in the code level we're using (2.3.24) is still using ldap_bind, and getting the ctrls from ldap_parse_result. Our code is using ldap_sasl_bind because ldap_bind is deprecated, Will I need to use the serverctrlsp pointer passed into ldap_sasl_bind to get the password policy? Thanks, KR --

13 years, 9 months

2
1
0 / 0

Any problems with X.509v3 Extensions?

by Brian A. Seklecki

All: Does anyone know of any known-problems with OpenLDAP server/client-side certificates signed with X509 v3 Extensions? e.g., $ openssl x509 -text -in interface.crt.pem X509v3 extensions: X509v3 Subject Alternative Name: email:ldap@tld Netscape Cert Type: SSL Server, S/MIME, Object Signing X509v3 Extended Key Usage: TLS Web Server Authentication With openssl.cnf: [ v3_req_ext ] subjectAltName=email:copy nsCertType = server, email, objsign nsComment = "OpenSSL Generated Server Certificate" # .2 = Client, .1 = Server #extendedKeyUsage = 1.3.6.1.5.5.7.3.2 extendedKeyUsage = 1.3.6.1.5.5.7.3.1 This is the way Godaddy rocks out. Every year I go through suffer through hours of self abnegation trying to re-issue certificates for a dozen F/OSS applications that all have little caveats --- This year I'm writing that shit down >:} ~BAS

13 years, 9 months

3
7
0 / 0

Solaris 10 OpenLDAP server message:

by Kick, Claus

Hello everyone, as we are investigating our performance problems, we noticed the following one: Feb 7 12:01:18 lakota-neu slapd[24815]: [ID 555073 local4.error] tid= 1: multiple threads per connection not supported Does this mean that currently only one thread per request connection is allowed? If so, how can this be changed? We used the openldap package from Blastwave, as we were unable to compile from the Sources. Does anyone have an idea for this? Regards, CLaus

13 years, 9 months

4
5
0 / 0

slapd: warning: cannot open /etc/hosts.allow: Too many open files

by Amir Saad

I'm running OpenLDAP 2.3.30-5 on Debian 4. I checked the syslog and I found the following errors: slapd: warning: cannot open /etc/hosts.allow: Too many open files slapd: warning: cannot open /etc/hosts.deny: Too many open files Please advice. Thanks Amir _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

13 years, 9 months

6
9
0 / 0

Re: Mirror Mode replication

by Gavin Henry

> Thanks in advance for any responses... What documentation did you follow? You are missing serverID: http://www.openldap.org/doc/admin24/replication.html#MirrorMode Thanks.

13 years, 9 months

3
3
0 / 0

Caching queries

by Kick, Claus

Hello everyone, how can I check whether caching queries and so on works? Regards, Claus

13 years, 9 months

6
10
0 / 0

Re: [JunkMail] LDAP Server bug?

by openldap

Hi i tried the following: [myuser@deskhost ~]$ ldapmodify -H "ldaps://ldaphost.mydom.com" -x -D"cn=config" -W -f klein.ldapmodify.ldif Enter LDAP Password: modifying entry "cn=schema,cn=config" ldapmodify: Internal (implementation specific) error (80) additional info: <olcAttributeTypes> handler exited with 1 [myuser@deskhost ~]$ and the LDAP log says: Feb 11 11:32:11 ldaphost slapd[8575]: conn=75 fd=31 ACCEPT from IP=xx.xx.xx.xx:60593 (IP=0.0.0.0 :636) Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 fd=31 TLS established tls_ssf=256 ssf=256 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 BIND dn="cn=config" method=128 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 RESULT tag=97 err=0 text= Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 MOD dn="cn=schema,cn=config" Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 MOD attr=olcAttributeTypes Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 RESULT tag=103 err=80 text=<olcAttributeTypes> handler exited with 1 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=2 UNBIND Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 fd=31 closed the ldif file: dn: cn=schema,cn=config changetype: modify add: olcAttributeTypes olcAttributeTypes: ( 2.5.4.0 NAME 'olcObjectClasses' DESC 'RFC2256 object classes of the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) what can i do now? does this say "wait for version 2.4.x of openldap"? i need these attributes and obejctclasses on an LDAP installation for a customer. suomi openldap wrote: > Hi every > > OpenBSD myserver.mydomain.tld 4.2 GENERIC#375 i386 > > openldap-server-2.3.33p1-bdb > > a week ago, i introduced a new schema, the horde.schema, adding it to > the new cn=config subtree using ldapadd... Hm, that's a bug that ldapadd succeeded. olcIncludeFile objects are only supposed to be in the cn=config tree when it was converted from a slapd.conf file. For a pure cn=config installation, you should be creating a olcSchema entry instead. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

13 years, 9 months

2
1
0 / 0

Mirror Mode replication

by Mark W Apperson

Hi, I am trying to setup and test the mirror mode replication using OpenLDAP 2.4.7. I setup a very simple test with two hosts running OpenLDAP servers (host openldap1 (port 1389) and host openldap2 (port 2389)). I set up the replication in the slapd.conf file so that openldap1 replicates to openldap2 and vice versa. I specified 'mirrormode on' for both hosts. I have not been able to get the simple mirrormode replication test to work. My test consisted of the following: 1. Both openldap hosts start with an empty database 2. Added a user on openldap1 using ldap_add 3. Waited a few minutes to ensure the new user was replicated to host openldap2. This was successful. 4. Added a second user and modified an attribute of the first user on host openldap1. This was successful. 5. After a few minutes, the 2nd user and the attribute change was removed from host openldap1. Since this very basic test failed, I am certain that I have misunderstood the configuration or setup of mirrormode replication. I would appreciate if someone could point out my configuration error. I have included the parts of the slapd.conf file where replication is configured. Host openldap1(port 1389) contains the following in its slapd.conf file: overlay syncprov syncrepl rid=1 provider=ldap://openldap2:2389 type=refreshOnly interval=00:00:05:00 searchbase="dc=domain,dc=com" bindmethod=simple binddn="cn=Manager,dc=domain,dc=com" credentials=secret retry="60 +" mirrormode on Host openldap2(port 2389) contains the following in its slapd.conf file: overlay syncprov syncrepl rid=2 provider=ldap://openldap1:1389 type=refreshOnly interval=00:00:05:00 searchbase="dc=domain,dc=com" bindmethod=simple binddn="cn=Manager,dc=domain,dc=com" credentials=secret retry="60 +" mirrormode on Thanks in advance for any responses... Mark Apperson

13 years, 9 months

1
0
0 / 0

TLS Certificate Issue

by Jon Fink

After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is setup correctly. In fact the following command works properly from a remote client: ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)' but when I run exactly the same command *on* the server I get the the following error (with debug flags turned on): TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. ldap_err2string ldap_start_tls: Connect error (-11) I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?) Any thoughts? Thanks, Jon Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8

13 years, 9 months

4
4
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2008