openldap-software February 2008

openldap-software@openldap.org

86 participants
94 discussions

Upgrade to 2.3.40 -> failed index
by Paul B. Henson 05 Feb '08

05 Feb '08

I've been running OpenLDAP 2.3.35 for almost a year with no problems (Gentoo Linux, w/DB 4.5). I upgraded to 2.3.40 last week, and had a meltdown this morning during an account purge. There had been some updates to the directory after upgrading, but no deletes. During my delete run, there were some index errors: ----- [successful deletes] Feb 3 03:50:36 derp idmgmt[3722]: error deleting user cjlindsay: DN index delete failed (LDAP) [successful deletes] Feb 3 03:56:55 derp idmgmt[3722]: error deleting user ddshah: DN index delete failed (LDAP) [successful deletes] Feb 3 04:00:10 derp idmgmt[3722]: error binding to directory: internal error (LDAP) ----- After the index errors, LDAP stopped working. The logs on the master showed: ----- Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): file dn2id.bdb has LSN 8388745/33900185 , past end of log at 137/33937441 Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): Commonly caused by moving a database fr om one transactional database Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): environment to another without clearing the database LSNs, or removing Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): all of the log files from a database en vironment Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): DB_ENV->log_flush: LSN of 8388745/33900 185 past current end-of-log of 137/37666668 Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): dn2id.bdb: unable to flush page: 3118 Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): txn_checkpoint: failed to flush the buf fer cache: DB_RUNRECOVERY: Fatal error, run database recovery Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; run recovery ----- I restarted slapd, resulting in: ----- Feb 3 06:55:53 fosse slapd[5129]: bdb_db_close: txn_checkpoint failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975) Feb 3 06:55:53 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; run recovery Feb 3 06:55:53 fosse slapd[5129]: bdb_db_close: close failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975) Feb 3 06:55:53 fosse slapd[5129]: slapd stopped. Feb 3 06:56:02 fosse slapd[11055]: @(#) $OpenLDAP: slapd 2.3.40 (Jan 31 2008 21:55:32) $ portage@fosse:/var/tmp/portage/net-nds/openldap-2.3.40-r1/work/openldap-2.3.40/servers/slapd - Server is unavailable Feb 3 06:56:18 fosse slapd[11056]: hdb_db_open: unclean shutdown detected; attempting recovery. Feb 3 06:56:20 fosse slapd[11056]: slapd starting ----- I have two syncrepl slaves, both had failed at the exact same time with the exact same logs: ----- Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): DB_ENV->log_flush: LSN of 8388762/370 13381 past current end-of-log of 154/40862130 Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): Database environment corrupt; the wro ng log files may have been removed or incompatible database files imported from another environment Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): PANIC: DB_RUNRECOVERY: Fatal error, r un database recovery Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): dn2id.bdb: unable to flush page: 3118 Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): txn_checkpoint: failed to flush the b uffer cache: DB_RUNRECOVERY: Fatal error, run database recovery Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; r un recovery Feb 3 04:00:11 filmore slapd[5127]: null_callback: error code 0x50 Feb 3 06:57:41 filmore slapd[5127]: bdb_db_close: txn_checkpoint failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975) Feb 3 06:57:41 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; run recovery Feb 3 06:57:41 filmore slapd[5127]: bdb_db_close: close failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975) Feb 3 06:57:41 filmore slapd[5127]: slapd stopped. Feb 3 06:57:49 filmore slapd[20722]: @(#) $OpenLDAP: slapd 2.3.40 (Jan 28 2008 18:22:34) $ portage@filmore:/var/tmp/portage/net-nds/openldap-2.3.40-r1/work/openldap-2.3.40/servers/slapd Feb 3 06:57:49 filmore slapd[20723]: hdb_db_open: unclean shutdown detected; attempting recovery. Feb 3 06:57:51 filmore slapd[20723]: slapd starting ----- After a restart, things seemed to be working ok. I deleted one object by hand with no problem. But then on deleting the second, I received the same index failure. Finally, I shut everything down, did a slapcat to ldif, deleted the entire DB, and then a slapadd to regenerate from scratch. So far, so good after that. I restarted my batch delete, it's been running for 20 minutes with no errors (fingers crossed). What happened? It can't be local corruption, all three servers failed exactly the same way. I didn't upgrade bdb, it's the exact same version that's been running. I didn't think I needed to rebuild the db on an upgrade from 2.3.35 to 2.3.40, was I mistaken? Should I have done a dump/reload? Was this failure possibly a bug in 2.3.40? A bug in 2.3.35 exposed by the upgrade? Any thoughts much appreciated... Thanks much... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | henson(a)csupomona.edu California State Polytechnic University | Pomona CA 91768

7 21

Multiple passwords
by Adrian Overbury 05 Feb '08

05 Feb '08

Hi, I'm trying to make a system account in LDAP that has multiple passwords, one of which is time-limited. Basically, it's your run-of- the-mill posix/shadowAccount object, with your common-or-garden userPassword attribute. Everything works so far. But now I want to add a couple of new attributes, tempPassword and tempPasswordTimestamp. tempPassword will contain a long random string of characters hashed somehow (crypt, sha, md5, I don't care) generated by the service-management software my company develops. tempPasswordTimestamp is what one of its underlying systems will use to determine all tempPasswords that have expired. Now, I created the attribute tempPassword, and made it SUP userPassword, but it doesn't seem to have inherited any of userPassword's functionality, like the ability to hash the entered string with a given scheme (like if I entered {SSHA}password I'd end up with a SHA-1 hashed password) and automatic encoding to base64. I know (or, at least, I *think* that userPassword is a multi-valued attribute, so I could just enter another userPassword and let it auth off that, but that defeats the purpose, which is to create a secure password that operators in our service-management software can use to log in to this user's account at the push of a button, without having to actually *know* the user's password. The password itself will be at least 20 characters long, consisting of uppercase, lowercase, numbers and special characters, so it'll be as secure as we can make it. All of it relies on me being able to create a new password attribute and auth off it, though, so, anyone able to help? Regards, Adrian

4 3

large ldap server recommendation
by ram 05 Feb '08

05 Feb '08

Hi, I am using ldap for authentication & addressbook for a large mailserver setup with around 300k users ( this will grow to 500k ) The ldap server is a 8GB Ram box with RHEL-5 with openldap-servers-2.3.27-5 I am confused what database type to use ldbm or bdb. Currently I have the users on bdb with lot of problems. The ldap server dies all of a sudden and I have to recover the data to get it started my DB_CONFIG file is ------ # Note: most DB_CONFIG settings will take effect only upon rebuilding # the DB environment. set_cachesize 0 524288000 0 set_lg_regionmax 1048576 set_lg_max 10485760 set_lg_bsize 20485760 set_tmp_dir /tmp # Note: special DB_CONFIG flags are no longer needed for "quick" # slapadd(8) or slapindex(8) access (see their -q option). set_flags DB_LOG_AUTOREMOVE set_flags DB_LOG_INMEMORY set_flags DB_TXN_NOSYNC ------------- Can someone help me Thanks Ram

14 30

volunteers wanted
by Dieter Kluenter 05 Feb '08

05 Feb '08

Hi, as usual, OpenLDAP Project has a booth at Linuxtag Berlin, this year from Mai 28th to Mai 31st. http://www.linuxtag.org/2008/en/home/welcome.html In order to man the exhibition properly we badly need volunteers. Those who are interested please send a mail to me privately. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

1 0

ACL or a default deny policy
by Olivier Nicole 05 Feb '08

05 Feb '08

Hi, I am implementing a directory with OPENLdap and I woul dlike that anonymous users could only read ceratin attributes, while all other attributes are accessible to authenticated users only. # ACL 1: Data that the user can change and that the world can see access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=sn,givenName by group="cn=groupadmin..." write by self write by * read # ACL 2: Personnal data, that user can change and the world can not see access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=gecos,description by group="cn=groupadmin..." write by self write by * none # ACL 3: any attributes that is not explcitely allowed above is denied access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" by group="cn=groupadmin..." write by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read by * none But this is not working. If I do like this, anonymous search will see nothing from the user. I found out some where that the attribute objectClass should always be exposed, so I tried to add it in the ACL 1, but that is not working either, I must haave a last ACL of the form access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" by group="cn=groupadmin..." write by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read by * read and I don't see where my reasoning is getting wrong. Thanks in advance, Olivier

2 1

Fw: err code definitions
by Vinh.CTR.Hoang＠faa.gov 04 Feb '08

04 Feb '08

Nevermind, I found it somewhere else, Thanks, Vinh ----- Forwarded by Vinh CTR Hoang/ACT/CNTR/FAA on 02/04/2008 04:50 PM ----- Vinh CTR Hoang/ACT/CNTR/FAA AJW-177, Comm Infrastructure Eng Team 02/04/2008 04:48 PM To Pierangelo Masarati <ando(a)sys-net.it> cc openldap-software(a)openldap.org Subject Re: err code definitions I could not find any thing said what each tag code means in RFC 4511. Is there any other document? Thanks, Vinh Pierangelo Masarati <ando(a)sys-net.it> 02/04/2008 02:53 PM To Vinh CTR Hoang/ACT/CNTR/FAA@FAA cc openldap-software(a)openldap.org Subject Re: err code definitions Vinh.CTR.Hoang(a)faa.gov wrote: > Hi all, I was wondering there were any documentation on the tag and error > codes definitions that show up in slapd log files. > When I try to l login as a user, ldap seems to reject me and puts in log > "RESULT tag =97 err=0 text= " I know the password is > the correct one since I can issue the login command in a shell and try to > login, it doesn't tell me that my login is incorrect. > However it will not let me login through telnet or the regular login > prompt. > > I'm on Solaris 9 btw. RFC 4511 p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

1 0

err code definitions
by Vinh.CTR.Hoang＠faa.gov 04 Feb '08

04 Feb '08

Hi all, I was wondering there were any documentation on the tag and error codes definitions that show up in slapd log files. When I try to l login as a user, ldap seems to reject me and puts in log "RESULT tag =97 err=0 text= " I know the password is the correct one since I can issue the login command in a shell and try to login, it doesn't tell me that my login is incorrect. However it will not let me login through telnet or the regular login prompt. I'm on Solaris 9 btw. Thanks, Vinh

2 2

cn=config and cn=monitor questions
by Ron Aitchison 04 Feb '08

04 Feb '08

I'm using 2.4.7 on Freebsd (5.4 and 6.2) and have a couple of questions: I had a couple of nasty signal 11 crashes trying to start cn=monitor using cn=config (OK - a tad ambitious) which obviously lost all my configuration changes: Question 1: Is there anyway I can force or control an update to the cn=config LDIF files in slapd.d To get cn=monitor running I finally dropped back into slapd.conf and reconverted to slapd.d now I have three more questions about cn=monitor: Question 2: The log section in the 2.4 manual (18.4.5) has a slightly bizarre explanation suggesting that the log values are controlled via the description attribute. Whereas the description attribute under cn=log,cn=monitor suggests that they are controlled via managedInfo attributes which seems more sensible. Perhaps someone could confirm. Question 3: I have a olcLogLevel attribute of any (-1) visible through cn=config but was surprised this was not used to initialize the log settings of cn=log,cn=monitor. I added a managedInfo attribute under cn=log,cn=monitor (for ACL) which did precisely zilch (it did not add a logging object which I would have expected). Further after a stop/start the managedInfo attribute had disappeared from cn=log,cn=monitor. Question 4: Where is/are the schema/objectclasses for cn=monitor stored! I tried to get them using cn=subschema,cn=monitor - nada. Thanks in advance for any help -- Ron Aitchison www.zytrax.com ZYTRAX ron(a)zytrax.com tel: 514-315-4296 Suite 22 6201 Chemin Cote St. Luc Hampstead QC H3X 2H2 Canada Author: Pro DNS and BIND (Apress) ISBN 1-59059-494-0

2 6

Multimaster Replication
by Stephan Jennewein 04 Feb '08

04 Feb '08

Hi, I tried to do a Multimaster Replication the replication works quite nice, but since I activated it I can't edit my ldap directory. When ever I try to I get "server is unwilling to perform". It seems as I'm not authenticated, but I am. I use openldap 2.4.7 in debian testing. Here is the logfile: daemon: read active on 17 connection_get(17) connection_get(17): got connid=3 connection_read(17): checking for input on id=3 conn=3 op=0 do_bind >>> dnPrettyNormal: <cn=admin,dc=bar,dc=de> <<< dnPrettyNormal: <cn=admin,dc=bar,dc=de>, <cn=admin,dc=bar,dc=de> conn=3 op=0 BIND dn="cn=admin,dc=bar,dc=de" method=128 do_bind: version=3 dn="cn=admin,dc=bar,dc=de" method=128 ==> bdb_bind: dn: cn=admin,dc=bar,dc=de conn=3 op=0 BIND dn="cn=admin,dc=bar,dc=de" mech=SIMPLE ssf=0 do_bind: v3 bind: "cn=admin,dc=bar,dc=de" to "cn=admin,dc=bar,dc=de" send_ldap_result: conn=3 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 conn=3 op=0 RESULT tag=97 err=0 text= daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 17r daemon: read active on 17 connection_get(17) connection_get(17): got connid=3 connection_read(17): checking for input on id=3 conn=3 op=1 do_add conn=3 op=1 do_add: dn (ou=foo,dc=bar,dc=de) >>> dnPrettyNormal: <ou=foo,dc=bar,dc=de> <<< dnPrettyNormal: <ou=foo,dc=bar,dc=de>, <ou=foo,dc=bar,dc=de> conn=3 op=1 ADD dn="ou=foo,dc=bar,dc=de" bdb_dn2entry("ou=foo,dc=bar,dc=de") => bdb_dn2id("ou=foo,dc=bar,dc=de") <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990) bdb_referrals: tag=106 target="ou=foo,dc=bar,dc=de" matched="dc=bar,dc=de" send_ldap_result: conn=3 op=1 p=3 send_ldap_result: err=53 matched="" text="shadow context; no update referral" send_ldap_response: msgid=2 tag=105 err=53 conn=3 op=1 RESULT tag=105 err=53 text=shadow context; no update referral daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: activity on 1 descriptor Config for Host 1 and 2 are equal: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/sudo.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel any modulepath /usr/lib/ldap moduleload back_bdb moduleload syncprov.la moduleload accesslog.la sizelimit 500 tool-threads 1 backend bdbdatabase bdb suffix "dc=bar,dc=de" rootdn "cn=admin,dc=bar,dc=de" rootpw "f00b4r" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectclass,entryCSN,entryUUID eq lastmod on checkpoint 512 30access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=bar,dc=de" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=bar,dc=de" write by * read syncrepl rid=000 provider=ldap://legs.bar.de type=refreshAndPersist retry="5 5 300 +" searchbase="dc= bar,dc=de" attrs=* schemachecking=on bindmethod=simple binddn="cn=admin,dc=bar,dc=de" credentials="f00b4r" overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100

4 4

How to fetch ca server certificate from LDAP server using library call
by Digambar Sawant 03 Feb '08

03 Feb '08

Hi, Is there any way to fetch the CA certificate from LDAP server using OpenLDAP C SDK? I am using openldap-2.0.3 libraries. Consider that the AAA server is running securely with following files: 1. server certificate 2. ca certficate 3. server key On client side, how do I get the ca certficate? I don't want to copy it manually by doing scp/http. Is there any library call available to accomplish this? Please help. Thanks, Digambar

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2008