openldap-software February 2008

openldap-software@openldap.org

86 participants
94 discussions

OpenLDAP Servers and Availability
by Ishklight 13 Feb '08

13 Feb '08

Hi, I want to set up openldap servers to be available all the time. In short, if one goes down, the other should automatically pick up and service the requests. I looked at Master-Slave with Syncrepl and Multi-master configurations. I don't understand which configuration could help me. Also, how would I test my requirement? Is it possible to set up highly available openLDAP servers? Please suggest. Thanks in advance, Regards, Imran

4 4

getting passwordpolicy from ldap_sasl_bind
by Kenneth Rogers 12 Feb '08

12 Feb '08

Hi, I've been asked to have our client report back if a password is expired, and it looks like using the ldap_passwordpolicy_* functions are the way to do it, but the example (clients/tools/common.c) in the code level we're using (2.3.24) is still using ldap_bind, and getting the ctrls from ldap_parse_result. Our code is using ldap_sasl_bind because ldap_bind is deprecated, Will I need to use the serverctrlsp pointer passed into ldap_sasl_bind to get the password policy? Thanks, KR --

2 1

Any problems with X.509v3 Extensions?
by Brian A. Seklecki 12 Feb '08

12 Feb '08

All: Does anyone know of any known-problems with OpenLDAP server/client-side certificates signed with X509 v3 Extensions? e.g., $ openssl x509 -text -in interface.crt.pem X509v3 extensions: X509v3 Subject Alternative Name: email:ldap@tld Netscape Cert Type: SSL Server, S/MIME, Object Signing X509v3 Extended Key Usage: TLS Web Server Authentication With openssl.cnf: [ v3_req_ext ] subjectAltName=email:copy nsCertType = server, email, objsign nsComment = "OpenSSL Generated Server Certificate" # .2 = Client, .1 = Server #extendedKeyUsage = 1.3.6.1.5.5.7.3.2 extendedKeyUsage = 1.3.6.1.5.5.7.3.1 This is the way Godaddy rocks out. Every year I go through suffer through hours of self abnegation trying to re-issue certificates for a dozen F/OSS applications that all have little caveats --- This year I'm writing that shit down >:} ~BAS

3 7

Solaris 10 OpenLDAP server message:
by Kick, Claus 12 Feb '08

12 Feb '08

Hello everyone, as we are investigating our performance problems, we noticed the following one: Feb 7 12:01:18 lakota-neu slapd[24815]: [ID 555073 local4.error] tid= 1: multiple threads per connection not supported Does this mean that currently only one thread per request connection is allowed? If so, how can this be changed? We used the openldap package from Blastwave, as we were unable to compile from the Sources. Does anyone have an idea for this? Regards, CLaus

4 5

slapd: warning: cannot open /etc/hosts.allow: Too many open files
by Amir Saad 12 Feb '08

12 Feb '08

I'm running OpenLDAP 2.3.30-5 on Debian 4. I checked the syslog and I found the following errors: slapd: warning: cannot open /etc/hosts.allow: Too many open files slapd: warning: cannot open /etc/hosts.deny: Too many open files Please advice. Thanks Amir _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

6 9

Re: Mirror Mode replication
by Gavin Henry 12 Feb '08

12 Feb '08

> Thanks in advance for any responses... What documentation did you follow? You are missing serverID: http://www.openldap.org/doc/admin24/replication.html#MirrorMode Thanks.

3 3

Caching queries
by Kick, Claus 12 Feb '08

12 Feb '08

Hello everyone, how can I check whether caching queries and so on works? Regards, Claus

6 10

Re: [JunkMail] LDAP Server bug?
by openldap 12 Feb '08

12 Feb '08

Hi i tried the following: [myuser@deskhost ~]$ ldapmodify -H "ldaps://ldaphost.mydom.com" -x -D"cn=config" -W -f klein.ldapmodify.ldif Enter LDAP Password: modifying entry "cn=schema,cn=config" ldapmodify: Internal (implementation specific) error (80) additional info: <olcAttributeTypes> handler exited with 1 [myuser@deskhost ~]$ and the LDAP log says: Feb 11 11:32:11 ldaphost slapd[8575]: conn=75 fd=31 ACCEPT from IP=xx.xx.xx.xx:60593 (IP=0.0.0.0 :636) Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 fd=31 TLS established tls_ssf=256 ssf=256 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 BIND dn="cn=config" method=128 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 RESULT tag=97 err=0 text= Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 MOD dn="cn=schema,cn=config" Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 MOD attr=olcAttributeTypes Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 RESULT tag=103 err=80 text=<olcAttributeTypes> handler exited with 1 Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=2 UNBIND Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 fd=31 closed the ldif file: dn: cn=schema,cn=config changetype: modify add: olcAttributeTypes olcAttributeTypes: ( 2.5.4.0 NAME 'olcObjectClasses' DESC 'RFC2256 object classes of the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) what can i do now? does this say "wait for version 2.4.x of openldap"? i need these attributes and obejctclasses on an LDAP installation for a customer. suomi openldap wrote: > Hi every > > OpenBSD myserver.mydomain.tld 4.2 GENERIC#375 i386 > > openldap-server-2.3.33p1-bdb > > a week ago, i introduced a new schema, the horde.schema, adding it to > the new cn=config subtree using ldapadd... Hm, that's a bug that ldapadd succeeded. olcIncludeFile objects are only supposed to be in the cn=config tree when it was converted from a slapd.conf file. For a pure cn=config installation, you should be creating a olcSchema entry instead. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Mirror Mode replication
by Mark W Apperson 12 Feb '08

12 Feb '08

Hi, I am trying to setup and test the mirror mode replication using OpenLDAP 2.4.7. I setup a very simple test with two hosts running OpenLDAP servers (host openldap1 (port 1389) and host openldap2 (port 2389)). I set up the replication in the slapd.conf file so that openldap1 replicates to openldap2 and vice versa. I specified 'mirrormode on' for both hosts. I have not been able to get the simple mirrormode replication test to work. My test consisted of the following: 1. Both openldap hosts start with an empty database 2. Added a user on openldap1 using ldap_add 3. Waited a few minutes to ensure the new user was replicated to host openldap2. This was successful. 4. Added a second user and modified an attribute of the first user on host openldap1. This was successful. 5. After a few minutes, the 2nd user and the attribute change was removed from host openldap1. Since this very basic test failed, I am certain that I have misunderstood the configuration or setup of mirrormode replication. I would appreciate if someone could point out my configuration error. I have included the parts of the slapd.conf file where replication is configured. Host openldap1(port 1389) contains the following in its slapd.conf file: overlay syncprov syncrepl rid=1 provider=ldap://openldap2:2389 type=refreshOnly interval=00:00:05:00 searchbase="dc=domain,dc=com" bindmethod=simple binddn="cn=Manager,dc=domain,dc=com" credentials=secret retry="60 +" mirrormode on Host openldap2(port 2389) contains the following in its slapd.conf file: overlay syncprov syncrepl rid=2 provider=ldap://openldap1:1389 type=refreshOnly interval=00:00:05:00 searchbase="dc=domain,dc=com" bindmethod=simple binddn="cn=Manager,dc=domain,dc=com" credentials=secret retry="60 +" mirrormode on Thanks in advance for any responses... Mark Apperson

1 0

TLS Certificate Issue
by Jon Fink 12 Feb '08

12 Feb '08

After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is setup correctly. In fact the following command works properly from a remote client: ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)' but when I run exactly the same command *on* the server I get the the following error (with debug flags turned on): TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. ldap_err2string ldap_start_tls: Connect error (-11) I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?) Any thoughts? Thanks, Jon Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8

4 4

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2008