openldap-software February 2008

openldap-software@openldap.org

86 participants
94 discussions

syncrepl with more that one database
by James Hartley 08 Feb '08

08 Feb '08

I see a lot of examples with syncrepl and one database in fact I am running one in that configuration with replication. Now I need to run and replicate two different databases... I have the databases running on the master without repl. I am wondering about the proper configuration on the slave should look like... from the documentation I see that syncrepl is a database directive, can someone give me a simple example of what the configuration file should look like with two or more databases. here is what I have now on the slave # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # solaris.schema provides nisDomainObject, absent from nis.schema include /etc/openldap/schema/solaris.schema include /etc/openldap/schema/DUAConfigProfile.schema # samba.schema provides the samba information for samba clients include /etc/openldap/schema/samba.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org loglevel 4 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # TLS Configuration TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3 TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/slapd-cert-ldap2.pem TLSCertificateKeyFile /etc/openldap/slapd-key-ldap2.pem #Use the following if client authenication is required #TLSVerifyClient demand # ... or not desired at all #TLSVerifyClient never ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" directory /var/lib/openldap-data # Indices to maintain index entryCSN,entryUUID eq #Performance Tuning Directives sizelimit 5000 threads 8 idletimeout 14400 cachesize 10000 checkpoint 256 15 # synrepl parameters for the slave syncrepl rid=001 provider=ldap://server.example.com type=refreshOnly interval=00:00:05:00 searchbase="dc=example,dc=com" binddn="uid=syncrepl,ou=system,dc=example,dc=com" credentials=xxxxxx # referral line to update the master updateref ldap://server.example.com ##### # ACL's ##### ## Give Admins immediate write access access to dn.subtree="dc=example,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admins,ou=Groups,dc=example,dc=com" write by * none break access to attrs=userPassword by self write by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read by * auth access to * by self write by * read ######################################################################### # Database 2: ######################################################################### database bdb suffix "dc=wired,dc=hotdog,dc=com" rootdn "cn=Manager,dc=wired,dc=hotdog,dc=com" directory /var/lib/openldap-wired # Indices to maintain for this database index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index objectClass eq index memberUid eq,subinitial index mail eq,subinitial index givenname eq,subinitial index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index entryCSN,entryUUID eq index default sub #password-hash #password-hash {MD5} - slave doesn't set passwords either. #security ssf=1 update_ssf=112 simple_bind=64 tls=1 security tls=1 #disallow bind_anon #disallow bind_simple_unprotected #disallow bind_simple # synrepl parameters for the slave syncrepl rid=001 provider=ldap://server.example.com type=refreshOnly interval=00:00:05:00 searchbase="dc=wired,dc=hotdog,dc=com" binddn="uid=syncrepl,ou=system,dc=example,dc=com" credentials=xxxxxx ##### # ACL's ##### ## Give Admins immediate write access access to dn.subtree="dc=wired,dc=hotdog,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admins,ou=Groups,dc=example,dc=com" write by * none break access to dn.base="" by self write by * auth access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none access to * by * read by anonymous auth on the server I have index entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 50 100 syncprov=sessionlog 100 in each database section.... Is this the correct approach??? notice the the rid numbers are the same is that right? thanks james

2 1

Password Policy pwdHistory not being checked? -- answer found
by Ben Spencer 08 Feb '08

08 Feb '08

Thanks all -- the answer to my question was found in http://www.openldap.org/lists/openldap-software/200701/msg00164.html benji --- Benji Spencer System Administrator Ph: 312-329-2288

1 0

Password Policy pwdHistory not being checked?
by Ben Spencer 08 Feb '08

08 Feb '08

Version: 2.3.39 I am working with the policy overlay and ran into a little issue with the password history. I have pwdInHistory set to 3 in the password policy dn. When I change the password, the pwdHistory is updated, but, the policy doesn't seem to be enforced (as I can keep reusing anying of the three passwords). In the logs, I see the following: Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_entry_get: ndn: "cn=default password policy,ou=config,dc=moody,dc=edu" Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_entry_get: oc: "(null)", at: "(null)" Feb 8 15:59:11 dirdev1 slapd[3947]: bdb_dn2entry("cn=default password policy,ou=config,dc=moody,dc=edu") Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_dn2id("ou=config,dc=moody,dc=edu") Feb 8 15:59:11 dirdev1 slapd[3947]: <= bdb_dn2id: got id=0x00000004 Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_dn2id("cn=default password policy,ou=config,dc=moody,dc=edu") Feb 8 15:59:11 dirdev1 slapd[3947]: <= bdb_dn2id: got id=0x00000014 Feb 8 15:59:11 dirdev1 slapd[3947]: entry_decode: "cn=Default Password Policy,ou=config,dc=moody,dc=edu" Feb 8 15:59:11 dirdev1 slapd[3947]: <= entry_decode(cn=Default Password Policy,ou=config,dc=moody,dc=edu) Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_entry_get: found entry: "cn=default password policy,ou=config,dc=moody,dc=edu" Feb 8 15:59:11 dirdev1 slapd[3947]: bdb_entry_get: rc=0 And then it happily changes the user's password. --- slapd.conf --- [removed stuff] # Load dynamic backend modules: modulepath /opt/BENTEST/libexec/openldap moduleload back_bdb.la moduleload ppolicy.la [removed stuff] database bdb suffix "dc=moody,dc=edu" rootdn "cn=Directory Manager,dc=moody,dc=edu" rootpw fall directory /opt/BENTEST/var/openldap-data/dc=moody,dc=edu # password policy overlay ppolicy ppolicy_default "cn=Default Password Policy,ou=config,dc=moody,dc=edu" ppolicy_use_lockout --------- What am I missing? --- Benji Spencer System Administrator Ph: 312-329-2288

1 0

Re: tips in ldappasswd
by Quanah Gibson-Mount 08 Feb '08

08 Feb '08

Keep your replies to the list. I highly advise reading the man page, and understanding all the options. As the error clearly states, you failed to provide a password (hint, see the -w and -W options). --Quanah --On February 8, 2008 5:09:43 PM -0200 Gustavo Mendes de Carvalho <gmcarvalho(a)gmail.com> wrote: > Hi Quanah, > > Sorry by my mistake. I wrote wrong ldap name. > > Here is my command > > [ming@s200-189-190-106 ~]$ ldappasswd -AS -H ldaps://ldap_server/ -D > uid=ming,ou=org-unit,o=org,c=br -x > Old password: > Re-enter old password: > New password: > Re-enter new password: > ldap_bind: Server is unwilling to perform (53) > additional info: unauthenticated bind (DN with no password) > disallowed > > > [ming@s200-189-190-106 ~]$ ldappasswd -AS -H ldap://ldap_server/ -D > uid=ming,ou=org-unit,o=org,c=br -x > Old password: > Re-enter old password: > New password: > Re-enter new password: > ldap_bind: Server is unwilling to perform (53) > additional info: unauthenticated bind (DN with no password) > disallowed > > > --- > Gustavo Mendes de Carvalho > e-mail: gmcarvalho(a)gmail.com -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Server side delay for bad passwords?
by Dan White 08 Feb '08

08 Feb '08

I'm planning on allowing public access to my OpenLDAP server for address book access. I'm only planning to allow authenticated access, both via simple binds and SASL binds, not anonymously. Is there an approach to preventing a brute force attack at guessing an entry's password? I've noticed that with my configuration, when performing an ldapwhoami or ldapsearch, and when submitting an incorrect password, I receive an immediate response that the password is bad, rather than a delay which I would like to have. I'm using version 2.3.39. In other words, this is what I get today: ~# time ldapsearch -Y DIGEST-MD5 -U abrown(a)olp.net -w badpassword SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): authentication failure: client response doesn't match what we generated real 0m0.015s user 0m0.012s sys 0m0.004s But I'd like to enforce a server side delay of, for example, 5 seconds. I understand that I could implement the password policy overlay to temporarily lockout an account once it's reached a certain number of bad password attempts, but I believe that only applies to simple (-x) binds. Is that correct? Thanks, - Dan White

7 11

Filtering on meberUid vs cn
by Marantz, Roy 07 Feb '08

07 Feb '08

Please excuse me if this is an off list topic. I think this may be specific to OpenLDAP so I'm trying here. I'm running OpenLDAP 2.4.7 w/ BerkeleyDB 4.6.21 on Solaris-10. I'm running OpenLDAP as a fairly standard NIS replacement. In particular I have a DIT ou=group,dc=nyc,dc=deshaw,dc=com made of objects of class posixGroup (from the supplied nis.schema file). Solaris want to get a getgrmember() (undocumented subroutine call) which does a ldap search like the first one following. This search returns nentries=0 ldapsearch -x -LLL -h 127.0.0.1 -b 'ou=group,dc=nyc,dc=deshaw,dc=com' '(&(objectClass=posixGroup)(memberUid=marantz))' conn=2354 op=1 SRCH base="ou=group,dc=nyc,dc=deshaw,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=marantz))" conn=2354 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= But this search shows at least one object that I think should match ldapsearch -x -LLL -h 127.0.0.1 -b 'ou=group,dc=nyc,dc=deshaw,dc=com' '(&(objectClass=posixGroup)(cn=www))' dn: cn=www,ou=Group,dc=nyc,dc=deshaw,dc=com objectClass: posixGroup objectClass: top cn: www userPassword:: XXXXXXXXXXXX gidNumber: XXXX memberUid: XXXXXX memberUid: marantz memberUid: XXXXXX memberUid: XXXX memberUid: XXXXXX memberUid: XXXXXX memberUid: XXX memberUid: XXXXXXXX conn=3087 op=1 SRCH base="ou=group,dc=nyc,dc=deshaw,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=www))" conn=3087 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= The only difference I can find is the Equality Matching value for the 2 attributes. I notice that cn has a Equality Matching value of caseIgnoreMatch vs. caseExactA5Match for memberUid. (at least according to http://ldap.akbkhome.com/index.php/objectclass/posixGroup.html) I don't see how, but could that be involved in my problem? Any help would be greatly appreciated. Thanks. Roy

3 2

Tuning cachesize
by Marantz, Roy 07 Feb '08

07 Feb '08

I'm using OpenLDAP 2.4.7 with BerkeleyDB 4.6 on Solaris-10 hosts. We haven't been using it in production so I don't have any real experience with the performance under load. I'll be looking into doing some simulated load tests later. Right now, I'd like to understand more about performance tuning. I'm trying to follow the instruction in the FAQ or OpenLDAP Software 2.4 Administrator's Guide section 19.4.1.1 Calculating Cachesize but can't find information that is needed to calculate the cache needed for various indexes. In particular the formula given near the end of that section talks about the "Number of hash buckets". I've found something that could be it from running db_stat -m command's output, but that seems to be a single number for the whole database not one per index. Would someone point me in the right direction? BTW, I get much larger cachesize using the Admin Guide/FAQ method vs. the method Quanah Gibson-Mount wrote about in this mailing list. (du -c -h *.bdb in the database directory) Is that expected? I assume it would be best to try to optimize the cachesize for all databases. Does this include the log database used for delta-syncrepl? Also, is it better (performance wise) to give more memory to the db cache or the entry or idl caches? I couldn't find a clear answer from the Admin Guide, FAQ, nor the mailing list. Finally, is there any difference tuning bdb vs. hdb? I would think not, but since I'm asking... Thanks. Roy

3 3

LDAP Server bug?
by openldap 07 Feb '08

07 Feb '08

Hi every OpenBSD myserver.mydomain.tld 4.2 GENERIC#375 i386 openldap-server-2.3.33p1-bdb a week ago, i introduced a new schema, the horde.schema, adding it to the new cn=config subtree using ldapadd... the corresponding entry in the cn=config subtree lookes like: dn: cn=include{21},cn=config cn: include{21} objectClass: olcIncludeFile olcInclude: /etc/openldap/schema/horde.schema sofar, no problem when using attributes and objectclasses from the horde.schema. ---------------- today i restarted the ldap-server and after that, the horde.schema was unknown to the ldap server, even if exactly the above entry still exists in the cn=config subtree, and the assigned ldif file is in the /etc/openldap/slap.d/cn=config/ directory. when i try to add an entry using the objectclass hordePerson (which is defined in the horde.schema), i get: Return Code from Bind: 21 Message: LDAP_INVALID_SYNTAX: Some part of the request contained an invalid syntax. It could be a search with an invalid filter or a request to modify the schema and the given schema has a bad syntax. MessageID: 5 DN: which is, what i usually get, when i try to use an unknown objectclass. i am aware that the take-over from the old slapd.conf configuration to the cn=config subtree is not complete yet. is this an issue not covered in the cn=config subtree story? how can i circumwent this bug? just recreating the above entry each time i restart the ldap server? suomi

3 2

problem with cleartext password setup
by Pat Riehecky 06 Feb '08

06 Feb '08

My reading the archives has lead me to believe that DIGEST-MD5 will require me to store passwords in cleartext. To evaluate the usefulness of this at my site (little point in storing them cleartext if nothing can use DIGEST-MD5) I have setup a test server, but the password keeps getting hashed I have added password-hash {CLEARTEXT} to my slapd.conf (which gave me password-hash {CLEARTEXT},{SSHA},{SMD5},{CRYPT}). That didn't do it, so I went for just password-hash {CLEARTEXT}. That also keeps getting my passwords hashed. Strangely they are not prefixed with the {HASHTYPE}. When I run ldappasswd -H ldapi:/// -D "cn=testuser,dc=iwu,dc=edu" -w Please -x -s please In LDAP I get userPassword:: cGxlYXNl I have the ppolicy overlay in place, but the behavior remains even when it is removed. The password is changing, but a log level of -1 isn't showing me why this is getting hashed. OpenLdap 2.4.7 on Debian Sid. What did I do? Pat

4 5

issues with proxycache overlay
by Thomas Seifert 06 Feb '08

06 Feb '08

Hi there, I'm trying to proxy and cache some ldap queries which would otherwise go to an IBM Tivoli Directory Server or another kind of ldap-server. Therefore I'm trying to use the pcache (proxycache) overlay in openldap 2.3.39. Is there a problem with that setup so far? Would it need special adjustments to proxy another kind of ldap server than just openldap? I'm having the problem, that I only get back on ldapsearch against the proxy --- # search result search: 2 result: 32 No such object --- which seems to get as far as getting the user authenticated as I get another error if I enter wrong credentials ;). Needless to say that everything is returned correctly if I just change the hostname to the direct ldap server. My config is as follows with is directly derived from the configuration: --- # proxycache settings database ldap suffix "o=domainname" rootdn "cn=Manager,o=domainname" uri ldap://hostname/o=domainname overlay pcache proxycache bdb 100000 1 1000 100 proxyAttrset 0 mail postaladdress telephonenumber proxyTemplate (sn=) 0 3600 proxyTemplate (uid=) 0 3600 proxyTemplate (&(sn=)(givenName=)) 0 3600 proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600 cachesize 20 directory /usr/local/openldap-proxycache/var/openldap-data/db.2.a index objectClass eq index cn,sn,uid,mail pres,eq,sub --- Any ideas about this issue? Any way to further diagnose the problem? I assume that every non-cacheable query is sent to the proxied ldap server anyway and its results are returned directly? Thanks in advance, Thomas

3 6

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2008