slapd crashes due to empty user password
by Simon Gao
Hi,
I am seeing slapd crashing repeatedly when assigning empty password to a
user account. The version is 2.3.39. Is this a known problem?
Or another question is how do we disable a user account with OpenLDAP?
Simon
15 years, 1 month
BDB error
by Sumith Narayanan
Hi All,
I installed OpenLDAP 2.3.39 & BDB 4.4.20 backend. Loaded data with slapadd.
After that, when I restart, I get the error below.
Any pointers to help fix this would be great.
Apr 17 09:44:43 dsx1 slapd[10206]: bdb_db_open: unclean shutdown detected; attempting recovery.
Apr 17 09:44:44 dsx1 slapd[10206]: bdb(o=root dn): Log file corrupt at LSN: [10][10485679]
Apr 17 09:44:44 dsx1 slapd[10206]: bdb(o=root dn): PANIC: Invalid argument
Apr 17 09:45:04 dsx1 slapd[10206]: bdb(o=root dn): unable to join the environment
Apr 17 09:45:04 dsx1 slapd[10206]: bdb_db_open: Database cannot be recovered, err -30974. Restore from backup!
Apr 17 09:45:04 dsx1 slapd[10206]: bdb(o=root dn): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
Apr 17 09:45:04 dsx1 slapd[10206]: bdb(o=root dn): txn_checkpoint interface requires an environment configured for the transaction subsystem
Apr 17 09:45:04 dsx1 slapd[10206]: bdb_db_close: txn_checkpoint failed: Invalid argument (22)
Apr 17 09:45:04 dsx1 slapd[10206]: backend_startup_one: bi_db_open failed! (-30974)
Apr 17 09:45:04 dsx1 slapd[10206]: bdb_db_close: alock_close failed
Apr 17 09:45:04 dsx1 slapd[10206]: slapd stopped.
Thanks, Sumith.
15 years, 1 month
syncrepl with accesslog database
by John Morrissey
I'm trying to replicate (with syncrepl) the bdb database generated by the
accesslog overlay. This is with 2.3.41 on both provider and consumer. slapd
complains:
do_syncrep2: rid 002 got empty syncUUID
do_syncrepl: rid 002 retrying (29 retries left)
Sure enough, the entry for my accesslog database's suffix doesn't have an
entryUUID:
dn: cn=log
objectClass: auditContainer
cn: log
structuralObjectClass: auditContainer
contextCSN: 20080313163024Z#000000#00#000000
lastmod is not explicitly enabled for this database, but slapd.conf(5) says
the default is on. I'm reasonably sure I didn't specify 'lastmod off' for
that database at the time it would have been created.
Given that my consumers are using delta-syncrepl (hence the accesslog), is
there any reason I can't/shouldn't replicate the accesslog itself, too?
john
--
John Morrissey _o /\ ---- __o
jwm(a)horde.net _-< \_ / \ ---- < \,
www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__
15 years, 1 month
PPolicy Questions
by Todd Merrill
Hello,
I hope this is the place to send such questions. I'm having problems
getting started with ppolicy.
I am trying to specify a specific ppolicy entry for users without
using the slapd.conf default policy. Our OpenLDAP deployment
environment in Red Hat uses version 2.3.33.
From what I have read (elsewhere since the manual is missing the
ppolicy config info), I must first add a new policy of objectclass
'pwdPolicy' in the policy list. I have done that without problem. I
must then indicate for the users that use that policy, the DN of the
new policy in the field 'pwdPolicySubentry'.
My problem at this point is that I see no objectclass that contains
this field. In reading the ppolicy.schema file I see that the type
'pwdPolicySubentry' is described there, but commented out. The odd
thing though, is that even though it is commented out, I can see the
type in my LDAP browser when I look for a list of types, and I see no
description of it in the other .schema files.
I did read on someone's site that the user entry should be an
objectclass of 'pwdPolicy' and then the 'pwdPolicySubentry' field can
be entered, but in the ppolicy.schema document, 'pwdPolicySubentry' is
not described in the list of fields for objectclass 'pwdPolicy'.
Do I have to edit the ppolicy.schema to get the overlay to work this
way? I'm new to LDAP so perhaps I'm not understanding something
basic.
Any help or suggestions would be very helpful.
-Todd Merrill
15 years, 1 month
Problem loading LDIF data in openldap 2.4.8
by benoitde@sympatico.ca
Hi,
I tried to load a slapcat dump from OpenLDAP 2.3.27 into OpenLDAP 2.4.8,
and had problems with java entries. I narrowed down the problem with
this simple test case:
LDIF:
dn: cn=REQUEST,dc=example,dc=com
javaClassName: com.ibm.mq.jms.MQQueue
objectClass: javaContainer
objectClass: javaObject
objectClass: javaNamingReference
javaFactory: com.ibm.mq.jms.MQQueueFactory
cn: REQUEST
javaReferenceAddress: #0#VER#6
javaReferenceAddress: #1#EXP#-2
javaReferenceAddress: #2#PRI#-2
javaReferenceAddress: #3#PER#-2
javaReferenceAddress: #4#CCS#1208
javaReferenceAddress: #5#TC#1
javaReferenceAddress: #6#ENC#273
javaReferenceAddress: #7#FIQ#1
javaReferenceAddress: #8#QU#REQUEST
javaReferenceAddress: #9#QMGR#QM
Load of this LDIF in OpenLDAP 2.3.27:
ldapadd -D"cn=Manager,dc=example,dc=com" -W -x -f /tmp/bug.ldif
Enter LDAP Password:
adding new entry "cn=REQUEST,dc=example,dc=com"
Works, but in OpenLDAP 2.4.8:
ldapadd -h sdco1cdba -p 1389 -D"cn=Manager,dc=example,dc=com" -W -x -f /tmp/bug.ldif
Enter LDAP Password:
adding new entry "cn=REQUEST,dc=example,dc=com"
ldap_add: Object class violation (65)
additional info: instanstantiation of abstract objectClass 'javaObject' not allowed
And the entry is not loaded. I tried to define the entry with the
JMSAdmin tool that comes with IBM MQ, but could not load it either in
2.4.8, it worked against 2.3.27. A wireshark dump showed that the tool
received the same error as ldapadd.
I performed a "diff" on the java.schema of 2.4.8 and 2.3.27, but the schemas
are identical.
Is there any way that I could circumvent this problem?
Thanks!
15 years, 1 month
fast slapcat and slow slapadd
by Piotr Wadas
Hello,
Using openldap 2.3.38 on 2.6.24 with bdb/hdb backend.
I have about 12-13,000 entries in my directory.
slapcat takes seconds, while slapadd takes 15 minutes or more.
Is there any way to speed it up which I've missed?
To slapadd I do:
/etc/init.d/slapd stop &&
cd /var/lib/ldap && ls |grep -v DB_CONFIG|xargs rm &&
cat slapcat-output-file|slapadd
currently the best way to minimize downtime I found
is to replace "directory" line in slapd.conf, then
do slapadd "into" new physical location, and then
just stop slapd, change dirname, change directory line back,
and start again.
I'm afraid it's actually not slapd issue, but just
some file-reading/adding -related thing.
Is there some better workaround for this with a newer release?
I'd be happy to jump to 2.4.7 series, but it still seems
a little bit unstable, segfaults sometimes with some
searches.
Regards,
PW
15 years, 1 month
A question about pwdMinAge
by Ryan Steele
Hey List,
I wanted to test the scenario where a user had forgotten his password,
and needed to have it reset. I wanted to give this user the ability to
change this temporary password if they wanted. To do this, I:
1. Executed ldappasswd, binding as the rootdn, to change the user's password
2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet attributes
3. Logged in to the domain as the user
4. Hit Ctrl+Alt+Delete and selected "Change Password"
However, because my ppolicy pwdMinAge hadn't expired yet, the user was
unable to change the password. So, it seems necessary to be able to
change that value for the user so he/she can change their password. I
couldn't find an attribute called pwdMinAge, but I'm assuming that's
because it just looks at pwdChangedTime. I 'assume' because I couldn't
find explicit documentation stating this, though the man page definition
for pwdChangedTime says "[pwdChangedTime] is used by the password
expiration policy to determine whether the password is too old to be
allowed to be used for user authentication." Is this why I see a
NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change
a password that is being protected by pwdMinAge?
And, is executing an ldapmodify the proper thing to do in this situation
to change the pwdChangedTime and allow the user to change his/her
password? E.g.:
ldapmodify -D "cn=admin,dc=example,dc=com" -W
dn: uid=someuser,ou=Users,dc=example,dc=com
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 1207690188Z
Thanks as always,
Ryan
15 years, 1 month
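As an added illustration (not part of Ryan's post), a small Python helper that applies the pwdMinAge rule the post describes to a pwdChangedTime value and emits the ldapmodify LDIF with a correctly formatted value; slapd stores pwdChangedTime as GeneralizedTime (YYYYMMDDHHMMSSZ), so the parser rejects a bare epoch count. The user DN, ages and clock below are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as slapd writes pwdChangedTime: YYYYMMDDHHMMSSZ
GT_FMT = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value: str) -> datetime:
    """Parse a pwdChangedTime value into an aware UTC datetime.

    Rejects anything that is not 14 digits followed by 'Z' (for example a
    raw Unix epoch count), which slapd's syntax check would refuse as well.
    """
    if len(value) != 15 or not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)


def to_generalized_time(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime(GT_FMT)


def min_age_remaining(pwd_changed_time: str, pwd_min_age: int, now: datetime) -> int:
    """Seconds until pwdMinAge is satisfied; 0 means a self-change is allowed now."""
    earliest = parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_min_age)
    return max(0, int((earliest - now).total_seconds()))


def backdate_ldif(user_dn: str, pwd_min_age: int, now: datetime) -> str:
    """LDIF for the ldapmodify in the post, with a GeneralizedTime value.

    The new pwdChangedTime is exactly pwdMinAge seconds in the past, so the
    user may change the password immediately while the value stays as
    recent as possible for any pwdMaxAge check.
    """
    new_value = to_generalized_time(now - timedelta(seconds=pwd_min_age))
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: pwdChangedTime\n"
        f"pwdChangedTime: {new_value}\n"
    )


if __name__ == "__main__":
    now = datetime(2008, 4, 8, 22, 0, 0, tzinfo=timezone.utc)  # constructed clock
    print(min_age_remaining("20080408210000Z", 86400, now))   # constructed values
    print(backdate_ldif("uid=someuser,ou=Users,dc=example,dc=com", 86400, now))
```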
BDB error while starting openldap.
by Sumith Narayanan
Hi,
I am getting the below error while starting openLDAP.
bdb_db_open: alock package is unstable
backend_startup_one: bi_db_open failed! (-1)
slapd shutdown: initiated
====> bdb_cache_release_all
====> bdb_cache_release_all
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
However, if I am using sudo access, I get no error and could
successfully start the server and search the DB.
Could anyone please help let me know what the cause of this error is?
I am using Berkeley DB 4.4.20
OpenLDAP version : 2.3.39
Thanks, Sumith.
15 years, 1 month
insecure, convenient use of SSL
by Jason Dusek
I'd like to set up LDAP command line tools to point to a server
-- say localhost -- that has a certificate with an arbitrary
name in it -- say `my-domain.com`.
I'm not entirely sure how to get my LDAP tools to do that, though
-- or if it's possible. By default, OpenLDAP is wound up pretty
tight.
--
_jsn
15 years, 1 month
Not able to get GSSAPI in supportedSASLMechanisms list
by Padmavathi Dt
Hi List,
I am trying to get LDAP with SASL-GSSAPI mechanism.
I have openldap-2.4.7 on RHEL 4.
I have installed Cyrus sasl-2.1.21.
I have compiled LDAP with cyrus SASL support as:
[root@as3 libexec]# env \
  LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.6/lib:/usr/local/lib/sasl2:/usr/local/ssl/lib" \
  CPPFLAGS="-I/usr/local/BerkeleyDB.4.6/include -I/usr/local/ssl/include -I/usr/local/include" \
  LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/lib/sasl2" \
  LIBS=-ldl \
  ./configure --with-tls=openssl --with-cyrus-sasl
It was fine.
SASL was compiled as:
$ ./configure --disable-cram --disable-digest --disable-krb4
--disable-otp --enable-gssapi --with-gss_impl=mit
In /usr/lib/sasl2,it has
[root@as3 sasl2]# ls libgssapi*
libgssapiv2.la libgssapiv2.so libgssapiv2.so.2 libgssapiv2.so.2.0.19
When I run :
[root@as3 libexec]# saslauthd -V
saslauthd 2.1.21
authentication mechanisms: getpwent rimap shadow
I also have a working Kerberos. I am able to get tickets from Kerberos. I
have added the LDAP host principal to the Kerberos database.
I have my slapd.conf as: (sasl related part)
sasl-host as3
sasl-realm BSNL.COM
authz-regexp uid=([^,]*),cn=bsnl.com,cn=gssapi,cn=auth
uid=$1,ou=people,dc=bsnl,dc=com
(Also, I have added the first two lines after seeing some mailing list. In
the admin guide nothing was mentioned about adding the two lines. Please
tell me whether it is correct?)
According to the HOWTO doc from www.bayour.com, when we query LDAP for
supportedSASLMechanisms, it should show GSSAPI (my whole purpose). But
when I give the following:
[root@as3 openldap]# /usr/bin/ldapsearch -H "ldaps://:12345" -x -b "" -s
base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
Does it mean that LDAP was not built with SASL support?
I have slapd.conf in /usr/lib/sasl2 as:
pwcheck_method: /usr/sbin/saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login ntlm kerberos5
I am not able to get SASL-GSSAPI as a supportedSASLMechanism. From where does
LDAP get this list?
What should I do to add one more mechanism to the supportedSASLMechanisms
list?
What may be the problem?
Please guide me. I am stuck at this point and not able to come out.
Thanx a lot in advance.....
Thanx and Regards,
Padmavathi
15 years, 1 month
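As an added example (not from Padmavathi's post or from OpenLDAP itself), a Python model of how slapd applies the authz-regexp from the post: the SASL exchange yields an authentication DN of the form uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth, the first matching regexp rewrites it with $1..$9 substitution, and an identity no rule matches keeps its unmapped cn=auth DN. The case-insensitive, unanchored matching and the omission of cn=<realm> when SASL supplies no realm are assumptions about slapd's behaviour; the principal names are constructed.

```python
import re

# The authz-regexp pair from the slapd.conf in the post (pattern, replacement).
# Note: the unescaped '.' in bsnl.com matches any character; 'bsnl\.com'
# would be the stricter spelling.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=bsnl.com,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=bsnl,dc=com"),
]


def sasl_authc_dn(authcid: str, realm: str, mech: str) -> str:
    """Build the DN slapd derives from the SASL exchange (assumed: realm omitted if empty)."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def apply_authz_regexp(authc_dn: str, rules=AUTHZ_REGEXP) -> str:
    """Return the mapped DN, or the unmapped cn=auth DN when no rule matches."""
    for pattern, replacement in rules:
        # assumed: slapd compiles the pattern case-insensitively and does not anchor it
        match = re.search(pattern, authc_dn, flags=re.IGNORECASE)
        if match:
            mapped = replacement
            for i, group in enumerate(match.groups(), start=1):
                mapped = mapped.replace(f"${i}", group)  # $1..$9 substitution
            return mapped
    return authc_dn


if __name__ == "__main__":
    # constructed principal padma@BSNL.COM authenticating via GSSAPI
    print(apply_authz_regexp(sasl_authc_dn("padma", "BSNL.COM", "GSSAPI")))
    # a principal from another realm is left unmapped
    print(apply_authz_regexp(sasl_authc_dn("padma", "OTHER.ORG", "GSSAPI")))
```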