openldap-software April 2008

openldap-software@openldap.org

77 participants
72 discussions

LDAPMod field types
by Bernd Jendrissek 15 Apr '08

15 Apr '08

I'm building a big piece of inherited code that uses OpenLDAP extensively, and now that we're (trying to) switch to FreeBSD 7.0, GCC complains quite a bit more than before: 43 modFormat.mod_op = LDAP_MOD_ADD; 44 modFormat.mod_type = "rocketseedFormat"; 45 vformat[0] = "2"; 46 vformat[1] = NULL; 47 modFormat.mod_values = vformat; rscode/rocketutil/mydap.cpp:44: warning: deprecated conversion from string constant to 'char*' rscode/rocketutil/mydap.cpp:45: warning: deprecated conversion from string constant to 'char*' Are we risking some sort of free()-based crashes by populating the struct with string constants? I grepped for mod_type in the OpenLDAP source and couldn't find any explicit dependency on the strings being dynamically allocated (except for ldap_mods_free(), which we don't call). That doesn't mean there exists no such dependency! Would it be safe to const_cast<char *> the string constants, or will I need to wrap each with a strdup() and ldap_mods_free() it all after we're done? Thanks

2 1

ppolicy
by Rick Stevens 14 Apr '08

14 Apr '08

I've got a question regarding the ppolicy overlay. I've read the docs I can find for it on the web, but there's a couple of holes in them and in my knowledge. I've got the config set up (schema, module load, external check library) and such. I've got the default policy DN in the database and such. From slapd.conf: overlay ppolicy ppolicy_default \ "cn=DefaultPassword,ou=Policies,dc=billing,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext From ldapsearch -b "ou=policies...": dn: cn=DefaultPassword,ou=Policies,dc=billing,dc=com cn: DefaultPassword objectClass: top objectClass: device objectClass: pwdPolicy pwdAttribute: userPassword pwdMinAge: 86400 pwdMaxAge: 7776000 pwdExpireWarning: 604800 pwdGraceAuthNLimit: 3 pwdMinLength: 10 pwdCheckQuality: 2 pwdMaxFailure: 3 pwdLockoutDuration: 180 pwdFailureCountInterval: 120 pwdInHistory: 4 pwdAllowUserChange: TRUE pwdMustChange: TRUE pwdSafeModify: TRUE When I add a user and do an ldapsearch of that user, should I see any of the ppolicy user attributes such as "pwdReset" or "pwdChangedTime" in the entry right off the bat or must something happen first (such as having the user change their password)? I ask because I see nothing and hence don't know if ppolicy is ruling the roost or not. Does ppolicy only affect a specific objectClass of entry (e.g. "inetOrgPerson") or will it take effect on any entry with a "userPassword" entry? None of my user accounts have "inetOrgPerson" object classes. Typical entry: dn: uid=testuser,ou=People,dc=billing,dc=com uid: testuser cn: Test User objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowMin: 1 shadowMax: 90 shadowWarning: 7 loginShell: /bin/bash gecos: Test User homeDirectory: /home/testuser uidNumber: 32004 gidNumber: 32004 userPassword:: OXgtJnhFM2VsZVls shadowLastChange: 13978 Oh, by the way, that user was JUST added. -- ---------------------------------------------------------------------- - Rick Stevens, Unix Geek rps2(a)socal.rr.com - - - - I haven't lost my mind. It's backed up on tape somewhere, but - - probably not recoverable. - ----------------------------------------------------------------------

6 10

ldapmodify hangs
by Adam Williams 14 Apr '08

14 Apr '08

I have an .ldif that is: dn: uid=hholmes,ou=People,dc=mdah,dc=state,dc=ms,dc=us changetype: modify sambaProfilePath: \\roark\profiles\hholmes sambaHomePath: \\roark\hholmes sambaLogonScript: \\roark\netlogon\scripts\hholmes.bat sambaHomeDrive: R: dn: uid=lhosey,ou=People,dc=mdah,dc=state,dc=ms,dc=us changetype: modify sambaProfilePath: \\roark\profiles\lhosey sambaHomePath: \\roark\lhosey sambaLogonScript: \\roark\netlogon\scripts\lhosey.bat sambaHomeDrive: R: dn: uid=bkearney,ou=People,dc=mdah,dc=state,dc=ms,dc=us changetype: modify sambaProfilePath: \\roark\profiles\bkearney sambaHomePath: \\roark\bkearney sambaLogonScript: \\roark\netlogon\scripts\bkearney.bat sambaHomeDrive: R: and when I run it with: [root@roark ldap]# ldapmodify -D "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxxxxxxxx -x -v -f profilepaths.ldif ldap_initialize( <DEFAULT> ) replace sambaProfilePath: \\roark\profiles\hholmes replace sambaHomePath: \\roark\hholmes replace sambaLogonScript: \\roark\netlogon\scripts\hholmes.bat replace sambaHomeDrive: R: modifying entry "uid=hholmes,ou=People,dc=mdah,dc=state,dc=ms,dc=us" modify complete it hangs at modify complete and doesn't go on to the next person which is lhosey. Why is this? I'm running openldap 2.3.39.

2 1

restricting slapd memory consumption
by Ralf Narozny 14 Apr '08

14 Apr '08

Hi, I'm wondering, how I could restrict the memory usage of the slapd process. We got a quite large amount of data (23 million entries) in our login ldap. Since we are still using OpenLDAP 2.0 and of course want to migrate now, I added our data into an OpenLDAP 2.3.37 (this version will be updated soon). The problem I stumble over is that while inserting the data with ldapadd (mainly to check the performance we have to expect in the future), the amount of memory the slapd uses endlessly grows. The slapd process uses 11GB of memory after the insert has finished. We are using the BDB backend which is currently configured to use 4GB of shared memory. Machine: Linux masterldap 2.6.21.5 #1 SMP Mon Jul 2 13:54:33 CEST 2007 x86_64 GNU/Linux, with 2 Dual-Core AMD Opteron(tm) Processor 2218 and 16GB of RAM. slapd.conf (converted to cn=config format): include /usr/local/our/ldap/etc/openldap/schema/core.schema include /usr/local/our/ldap/etc/openldap/schema/our.schema pidfile /usr/local/our/ldap/var/ldap/run/slapd.pid argsfile /usr/local/our/ldap/var/ldap/run/slapd.args # Load dynamic backend modules: modulepath /usr/local/our/ldap/lib moduleload back_bdb.la access to * by * write loglevel 0 sizelimit 10000 timelimit 3600 cachesize 1000000 tool-threads 2 # backend definition backend bdb database config rootdn "cn=root,cn=config" rootpw {SSHA}*** ####################################################################### # BDB database definitions ####################################################################### # first database definition & config directives database bdb directory /usr/local/our/ldap/var/ldap/openldap-data/ replogfile /usr/local/our/ldap/log/replica.log suffix "o=our" rootdn "cn=root,o=our" rootpw {SSHA}*** index cid eq index cn eq,sub index objectClass eq index folderName eq index locked eq DB_CONFIG: set_flags DB_LOG_AUTOREMOVE set_cachesize 4 0 2 set_lg_max 524288000 set_lg_regionmax 512000 set_lg_bsize 268435456

7 17

Authentication in openldap
by Jyotishmaan Ray 14 Apr '08

14 Apr '08

Please see below for your reply Please let me know whatyou meant by saying ppolicy overlay and may I know, where theattributes-pwdLockout and pwdLockoutDuration are(available in whichobjectClass )? Kindly let me know if youhave done it usinga filter-based acl to disable a given user's uid forsometime -here thequestion, rises can time be defined ? Thanks, Jyotishmaan Ray Moderator Of Paradise Groups http://yahoogroups.com/group/Spirituality-Paradise Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!! Please Join Immediately By Sending A Blank Mail @ Spirituality-Paradise-subscribe(a)yahoogroups.com ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

on Authentication in openldap
by Jyotishmaan Ray 14 Apr '08

14 Apr '08

Hello List, I have a question in my mind, which I think probably, can be ansered by you-it is as below:- If there are anywayz that, on successful credentials match too, authentication can be stopped by returning false?? Inotherwords when a user logs on and he is being asked to enter his uid andpassword and then it is checked with the entry stored in the database which returns either True/ False resulting into ansuccessful/unsuccessful authentication. Is it possible tomake it a unsuccessful authentication manually for a specific userwithout hampering the user's password-this i need in order to disablethe user from the openldap server for some interval of time. (This I want to do, in order to suspend the user to log on for some time, temporarily.) Please throw some pointers in this direction !!!! Thanks, Jyotishmaan Ray Moderator Of Paradise Groups http://yahoogroups.com/group/Spirituality-Paradise Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!! Please Join Immediately By Sending A Blank Mail @ Spirituality-Paradise-subscribe(a)yahoogroups.com __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

3 2

error while adding entry using ldap.jar JAVA API
by Sumith Narayanan 12 Apr '08

12 Apr '08

Hi All, I am trying to add a dn to openLDAP using novell's ldap.jar APIs. When I try to add a record it error out with the below exception 1% times : com.novell.ldap.LDAPException: No Such Object : (32) No Such Object at com.novell.ldap.LDAPResponse.getResultException(LDAPResponse.java:247) at com.novell.ldap.LDAPResponse.chkResultCode(LDAPResponse.java:174) at com.novell.ldap.LDAPConnection.add(LDAPConnection.java:1049) at com.novell.ldap.LDAPConnection.add(LDAPConnection.java:1015) at org.ietf.ldap.LDAPConnection.add(LDAPConnection.java:820) Could anyone provide any clue to help fix this ? openLDAP & DB details : The database which I am trying to update is 24GB in size, OpenLDAP 2.3.27 and BDB backend *4.4.20.* <http://4.4.20./> Mac OS Tiger with 4GB RAM. It will be receiving 100 searches / min at an average. Thanks, Sumith.

10 18

SASL DIGEST-MD5 and Realm
by Eric 11 Apr '08

11 Apr '08

Hello, I am running OpenLDAP v2.3.39 and have some questions regarding SASL. Is it possible to use realms with DIGEST-MD5 and no saslauthdb running? I am using ldap to store the uid and password and authz-regexp statements to map user ids. However, it seems that ldap tools do not pass the realm parameter to the server with my setup. example: ldapsearch -Y digest-md5 -U eric -R example.com slapd debug: do_sasl_bind: dn () mech DIGEST-MD5 SASL [conn=8] Debug: DIGEST-MD5 server step 2 slap_sasl_getdn: u:id converted to uid=deploy,cn=DIGEST-MD5,cn=auth >>> dnNormalize: <uid=eric,cn=DIGEST-MD5,cn=auth> <<< dnNormalize: <uid=eric,cn=digest-md5,cn=auth> ==>slap_sasl2dn: converting SASL name uid=eric,cn=digest-md5,cn=auth to a DN How come the realm parameter is missing? Here is the authz-regexp I have in slapd.conf: authz-regexp uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth ldap:///ou=users,dc=example,dc=com??sub?(&(uid=$1)(objectClass=posixAccount)) Thanks! Eric __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

1 0

Re: error while adding entry using ldap.jar JAVA API
by Sumith Narayanan 11 Apr '08

11 Apr '08

With BDB 4.4.20 & openldap-2.3.39 , I got a version incompatible error : checking Berkeley DB version for BDB/HDB backends... no configure: error: BDB/HDB: BerkeleyDB version incompatible Please suggest which BDB version I should use. Thanks, Sumith On Fri, Apr 11, 2008 at 2:37 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > Whatever ones are on the Oracle website for BDB 4.4.20, and one for the > region size problem. > > --Quanah > > > --On Friday, April 11, 2008 2:34 PM -0700 Sumith Narayanan < > sumith.narayanan(a)gmail.com> wrote: > > Thanks Quanah, > > > > > > So if I use 4.4.20 , which all patches do I need to apply ? just the > > region size one ? > > > > > > -=Sumith > > > > > > On Fri, Apr 11, 2008 at 2:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> > > wrote: > > > > The region size problem applies to 4.4.20 as well, but you may have to > > manually fix it. > > > > I've kept on 4.2.52 because I've seen no gain from 4.4 or 4.5 > > performance > > wise, and 4.2.52 has been quite stable. > > > > --Quanah > > > > > > > > > > --On Friday, April 11, 2008 2:04 PM -0700 Sumith Narayanan > > <sumith.narayanan(a)gmail.com> wrote: > > > > > > I am already on db-4.4.20 , do I need to downgrade that ? > > > > > > Thanks, Sumith > > > > > > On Fri, Apr 11, 2008 at 12:49 PM, Quanah Gibson-Mount <quanah(a)zimbra.com > > > > > wrote: > > > > > > --On Friday, April 11, 2008 12:32 PM -0700 Sumith Narayanan > > <sumith.narayanan(a)gmail.com> wrote: > > > > > > Thanks, > > > > > > I could download BDB4.2.52+5 patches from > > > > > > > > http://www.oracle.com/technology/software/products/berkeley-db/db/index.h > > tml > > > > > > Where can I get all the 6 paches ? > > > > > > < > > http://www.stanford.edu/services/directory/openldap/configuration/patche > > s/db/4252-region-fix.diff> > > > > > > > > Also , I how should I apply patch , in the oracle website , I just see > > the code that need to be added as a patch ? Do I manually make changes > > ? > > Please suggest the best approach > > > > > > I suggest familiarizing your self with the "patch" command. > > > > > > > > > > --Quanah > > > > -- > > > > Quanah Gibson-Mount > > Principal Software Engineer > > Zimbra, Inc > > -------------------- > > Zimbra :: the leader in open source messaging and collaboration > > > > > > > > > > > > > > -- > > > > Quanah Gibson-Mount > > Principal Software Engineer > > Zimbra, Inc > > -------------------- > > Zimbra :: the leader in open source messaging and collaboration > > > > > > > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Re: error while adding entry using ldap.jar JAVA API
by Sumith Narayanan 11 Apr '08

11 Apr '08

Thanks Quanah, So if I use 4.4.20 , which all patches do I need to apply ? just the region size one ? -=Sumith On Fri, Apr 11, 2008 at 2:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > The region size problem applies to 4.4.20 as well, but you may have to > manually fix it. > > I've kept on 4.2.52 because I've seen no gain from 4.4 or 4.5 performance > wise, and 4.2.52 has been quite stable. > > --Quanah > > > --On Friday, April 11, 2008 2:04 PM -0700 Sumith Narayanan < > sumith.narayanan(a)gmail.com> wrote: > > I am already on db-4.4.20 , do I need to downgrade that ? > > > > > > Thanks, Sumith > > > > > > On Fri, Apr 11, 2008 at 12:49 PM, Quanah Gibson-Mount <quanah(a)zimbra.com > > > > > wrote: > > > > > > --On Friday, April 11, 2008 12:32 PM -0700 Sumith Narayanan > > <sumith.narayanan(a)gmail.com> wrote: > > > > > > Thanks, > > > > > > I could download BDB4.2.52+5 patches from > > > > > > > > http://www.oracle.com/technology/software/products/berkeley-db/db/index.h > > tml > > > > > > Where can I get all the 6 paches ? > > > > > > < > > http://www.stanford.edu/services/directory/openldap/configuration/patche > > s/db/4252-region-fix.diff> > > > > > > > > Also , I how should I apply patch , in the oracle website , I just see > > the code that need to be added as a patch ? Do I manually make changes > > ? > > Please suggest the best approach > > > > > > I suggest familiarizing your self with the "patch" command. > > > > > > > > > > --Quanah > > > > -- > > > > Quanah Gibson-Mount > > Principal Software Engineer > > Zimbra, Inc > > -------------------- > > Zimbra :: the leader in open source messaging and collaboration > > > > > > > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2008