OpenLDAP Servers and Availability
by Ishklight
Hi,
I want to set up openldap servers to be available all the time.
In short, if one goes down, the other should automatically pick up and
service the requests.
I looked at Master-Slave with Syncrepl and Multi-master configurations. I
don't understand which configuration could help me.
Also, how would I test my requirement?
Is it possible to set up highly available openLDAP servers? Please suggest.
Thanks in advance,
Regards,
Imran
14 years, 6 months
getting passwordpolicy from ldap_sasl_bind
by Kenneth Rogers
Hi,
I've been asked to have our client report back if a password is
expired, and it looks like using the ldap_passwordpolicy_* functions
are the way to do it, but the example (clients/tools/common.c) in the
code level we're using (2.3.24) is still using ldap_bind, and getting
the ctrls from ldap_parse_result. Our code is using ldap_sasl_bind
because ldap_bind is deprecated. Will I need to use the serverctrlsp
pointer passed into ldap_sasl_bind to get the password policy?
Thanks,
KR
14 years, 6 months
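An added example, not code from the thread or from libldap, showing what a client has to do with the password policy response control once it has the bind result in hand. The control OID and the ASN.1 layout follow draft-behera-ldap-password-policy; the decoder is written by hand so it runs offline, and the sample control values at the end are constructed, not captured from a server.

```python
"""Decode the LDAP Password Policy response control (draft-behera-ldap-password-policy).

Added example for this thread, not code from the original post or from libldap.
In C the control arrives in the serverctrls array that ldap_parse_result() fills
for the BIND response; here the value is decoded by hand with a small BER reader.
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# 'error' ENUMERATED values defined by the draft
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-byte tags suffice here; short and definite long lengths are accepted."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length runs past end of data")
    return tag, buf[pos:end], end


def decode_ppolicy_response(value):
    """Parse a PasswordPolicyResponseValue into a dict.

    Keys 'time_before_expiration' (seconds), 'grace_authns_remaining' and
    'error' (name) appear only when the server sent that field.
    """
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE, constructed context tag
            wtag, wval, wend = read_tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("trailing bytes inside warning")
            number = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:  # timeBeforeExpiration [0] INTEGER
                result["time_before_expiration"] = number
            elif wtag == 0x81:  # graceAuthNsRemaining [1] INTEGER
                result["grace_authns_remaining"] = number
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:  # error [1] ENUMERATED, primitive context tag
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def bind_outcome(result_code, controls):
    """Summarise a BIND response: result_code is the LDAP resultCode (0 = success),
    controls a list of (oid, value_bytes) pairs as libldap returns in serverctrls."""
    status = "succeeded" if result_code == 0 else "failed"
    for oid, value in controls:
        if oid != PPOLICY_CONTROL_OID:
            continue
        info = decode_ppolicy_response(value)
        if "error" in info:
            return "bind %s: password policy error %s" % (status, info["error"])
        if "grace_authns_remaining" in info:
            return "bind %s: password expired, %d grace bind(s) left" % (
                status, info["grace_authns_remaining"])
        if "time_before_expiration" in info:
            return "bind %s: password expires in %d s" % (
                status, info["time_before_expiration"])
        return "bind %s: password policy control present, no warning" % status
    return "bind %s: no password policy control" % status


# Constructed sample control values (hex), not captured from a real server.
SAMPLE_EXPIRES_IN_3600S = bytes.fromhex("3006a00480020e10")
SAMPLE_TWO_GRACE_BINDS = bytes.fromhex("3005a003810102")
SAMPLE_PASSWORD_EXPIRED = bytes.fromhex("3003810100")

if __name__ == "__main__":
    print(bind_outcome(0, [(PPOLICY_CONTROL_OID, SAMPLE_EXPIRES_IN_3600S)]))
    print(bind_outcome(0, [(PPOLICY_CONTROL_OID, SAMPLE_TWO_GRACE_BINDS)]))
    print(bind_outcome(49, [(PPOLICY_CONTROL_OID, SAMPLE_PASSWORD_EXPIRED)]))
```

In libldap terms, the `controls` list is what ldap_parse_result() returns in its serverctrls argument for the bind result message; ldap_sasl_bind() only sends the request, so the control is read from the result, not from the bind call itself. The server only attaches this response control when the request carried the password policy request control (same OID, no value), so that part of the client also has to be in place.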
Any problems with X.509v3 Extensions?
by Brian A. Seklecki
All:
Does anyone know of any known-problems with OpenLDAP server/client-side
certificates signed with X509 v3 Extensions?
e.g.,
$ openssl x509 -text -in interface.crt.pem
X509v3 extensions:
X509v3 Subject Alternative Name:
email:ldap@tld
Netscape Cert Type:
SSL Server, S/MIME, Object Signing
X509v3 Extended Key Usage:
TLS Web Server Authentication
With openssl.cnf:
[ v3_req_ext ]
subjectAltName=email:copy
nsCertType = server, email, objsign
nsComment = "OpenSSL Generated Server Certificate"
# .2 = Client, .1 = Server
#extendedKeyUsage = 1.3.6.1.5.5.7.3.2
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
This is the way Godaddy rocks out.
Every year I suffer through hours of self-abnegation trying to
re-issue certificates for a dozen F/OSS applications that all have little
caveats --- This year I'm writing that shit down >:}
~BAS
14 years, 6 months
Solaris 10 OpenLDAP server message:
by Kick, Claus
Hello everyone,
as we are investigating our performance problems, we noticed the
following one:
Feb 7 12:01:18 lakota-neu slapd[24815]: [ID 555073 local4.error] tid=1: multiple threads per connection not supported
Does this mean that currently only one thread per request connection is
allowed? If so, how can this be changed? We used the openldap package from
Blastwave, as we were unable to compile from the Sources.
Does anyone have an idea for this?
Regards,
Claus
14 years, 6 months
Caching queries
by Kick, Claus
Hello everyone,
how can I check whether caching queries and so on works?
Regards,
Claus
14 years, 6 months
Re: [JunkMail] LDAP Server bug?
by openldap
Hi
I tried the following:
[myuser@deskhost ~]$ ldapmodify -H "ldaps://ldaphost.mydom.com" -x -D"cn=config" -W -f klein.ldapmodify.ldif
Enter LDAP Password:
modifying entry "cn=schema,cn=config"
ldapmodify: Internal (implementation specific) error (80)
additional info: <olcAttributeTypes> handler exited with 1
[myuser@deskhost ~]$
and the LDAP log says:
Feb 11 11:32:11 ldaphost slapd[8575]: conn=75 fd=31 ACCEPT from IP=xx.xx.xx.xx:60593 (IP=0.0.0.0:636)
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 fd=31 TLS established tls_ssf=256 ssf=256
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 BIND dn="cn=config" method=128
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=0 RESULT tag=97 err=0 text=
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 MOD dn="cn=schema,cn=config"
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 MOD attr=olcAttributeTypes
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=1 RESULT tag=103 err=80 text=<olcAttributeTypes> handler exited with 1
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 op=2 UNBIND
Feb 11 11:32:12 ldaphost slapd[8575]: conn=75 fd=31 closed
The LDIF file:
dn: cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 2.5.4.0 NAME 'olcObjectClasses' DESC 'RFC2256 object classes of the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
What can I do now? Does this say "wait for version 2.4.x of openldap"?
I need these attributes and objectclasses on an LDAP installation for a
customer.
suomi
openldap wrote:
> Hi every
>
> OpenBSD myserver.mydomain.tld 4.2 GENERIC#375 i386
>
> openldap-server-2.3.33p1-bdb
>
> a week ago, i introduced a new schema, the horde.schema, adding it to
> the new cn=config subtree using ldapadd...
Hm, that's a bug that ldapadd succeeded. olcIncludeFile objects are only
supposed to be in the cn=config tree when it was converted from a slapd.conf
file. For a pure cn=config installation, you should be creating an olcSchema
entry instead.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
14 years, 6 months
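An added example following the advice in the reply above, not code from the thread or from OpenLDAP: on a pure cn=config server a new schema goes in as its own cn=<name>,cn=schema,cn=config entry of objectClass olcSchemaConfig, rather than by modifying cn=schema,cn=config directly or relying on an olcIncludeFile entry. The converter below turns slapd.conf-style attributetype/objectclass directives into such an LDIF entry; the sample schema text and its 1.1.* OID arc are constructed placeholders.

```python
"""Build a cn=config schema entry (olcSchemaConfig) from slapd.conf-style schema text.

Added example for this thread, not code from the original posts or from OpenLDAP.
On a pure cn=config server a new schema is loaded as its own entry
cn=<name>,cn=schema,cn=config with objectClass olcSchemaConfig. The sample
schema text and its OID arc at the bottom are constructed placeholders.
"""
import re

# slapd.conf schema directive -> cn=config attribute type (the common three)
DIRECTIVES = {
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
    "objectidentifier": "olcObjectIdentifier",
}


def parse_schema(text):
    """Return [(attribute, definition)] from slapd.conf schema text.

    As in slapd.conf, a directive starts at column 0, lines beginning with
    whitespace continue it, and '#' lines are comments.
    """
    items = []
    current = None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line[0] in " \t":  # continuation of the current directive
            if current is None:
                raise ValueError("continuation before any directive: %r" % line)
            current[1].append(line.strip())
            continue
        if current is not None:
            items.append(current)
        parts = line.split(None, 1)
        attr = DIRECTIVES.get(parts[0].lower())
        if attr is None:
            raise ValueError("unsupported schema directive %r" % parts[0])
        current = (attr, [parts[1].strip()] if len(parts) > 1 else [])
    if current is not None:
        items.append(current)
    return [(attr, " ".join(pieces)) for attr, pieces in items]


def fold_ldif(line, width=76):
    """Fold one logical LDIF line per RFC 2849 (continuation lines start with a space)."""
    if len(line) <= width:
        return [line]
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def schema_to_ldif(name, text):
    """Return LDIF that ldapadd can load as cn=<name>,cn=schema,cn=config."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("schema name must be a plain token")
    lines = [
        "dn: cn=%s,cn=schema,cn=config" % name,
        "objectClass: olcSchemaConfig",
        "cn: %s" % name,
    ]
    for attr, definition in parse_schema(text):
        lines.extend(fold_ldif("%s: %s" % (attr, definition)))
    return "\n".join(lines) + "\n"


# Constructed sample schema; the 1.1.* OID arc is a placeholder, not a registered one.
SAMPLE_SCHEMA = """\
# constructed sample schema for this example
attributetype ( 1.1.1.1 NAME 'exampleNote'
        DESC 'Free-text note attached to an entry'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.1.2.1 NAME 'exampleEntry'
        SUP top AUXILIARY
        MAY exampleNote )
"""

if __name__ == "__main__":
    print(schema_to_ldif("example", SAMPLE_SCHEMA), end="")
```

The output is an ordinary add (no changetype: modify), so it is loaded with ldapadd against cn=config; slapd stores the entry under an ordered cn={n}example name, and the definitions appear in the order the schema file listed them, which matters when an objectclass refers to an attribute defined above it.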
Mirror Mode replication
by Mark W Apperson
Hi,
I am trying to set up and test the mirror mode replication using OpenLDAP
2.4.7. I set up a very simple test with two hosts running OpenLDAP servers
(host openldap1 (port 1389) and host openldap2 (port 2389)). I set up the
replication in the slapd.conf file so that openldap1 replicates to
openldap2 and vice versa. I specified 'mirrormode on' for both hosts. I
have not been able to get the simple mirrormode replication test to work.
My test consisted of the following:
1. Both openldap hosts start with an empty database
2. Added a user on openldap1 using ldap_add
3. Waited a few minutes to ensure the new user was replicated to host
openldap2. This was successful.
4. Added a second user and modified an attribute of the first user on host
openldap1. This was successful.
5. After a few minutes, the 2nd user and the attribute change were removed
from host openldap1.
Since this very basic test failed, I am certain that I have misunderstood
the configuration or setup of mirrormode replication. I would appreciate
if someone could point out my configuration error.
I have included the parts of the slapd.conf file where replication is
configured.
Host openldap1(port 1389) contains the following in its slapd.conf file:
overlay syncprov
syncrepl rid=1
provider=ldap://openldap2:2389
type=refreshOnly
interval=00:00:05:00
searchbase="dc=domain,dc=com"
bindmethod=simple
binddn="cn=Manager,dc=domain,dc=com"
credentials=secret
retry="60 +"
mirrormode on
Host openldap2(port 2389) contains the following in its slapd.conf file:
overlay syncprov
syncrepl rid=2
provider=ldap://openldap1:1389
type=refreshOnly
interval=00:00:05:00
searchbase="dc=domain,dc=com"
bindmethod=simple
binddn="cn=Manager,dc=domain,dc=com"
credentials=secret
retry="60 +"
mirrormode on
Thanks in advance for any responses...
Mark Apperson
14 years, 6 months
TLS Certificate Issue
by Jon Fink
After recently upgrading to a newer version of openldap I'm
experiencing problems with start_tls on a connection to the slapd
server. I'm fairly certain that the certificate is set up correctly.
In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the
following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the
server, but I've tried a few permutations of hostname setup to no
avail (is there a way to confirm that this is the issue?)
Any thoughts?
Thanks,
Jon
Versions:
slapd 2.4.7
openldap 2.4.7
openssl 0.9.8
14 years, 6 months