Dynamic view
by Anders
Hello.
We are using OpenLDAP for user authentication. Now we want to reuse the
data for internal address books. My problem is that not all records should
be shown in the address books.
Just as an example, I might want to hide all records that have
(active=FALSE).
Adding the search constraint to every e-mail client is not suitable, as
the constraints will probably change over time.
I imagine having a virtual DN for address books, containing dynamic data
filtered according to my configuration. From reading the documentation, it
seems that an overlay would be the thing to use for this, but I have been
unable to find a suitable overlay. Does one exist? Or should I approach
this differently?
Thanks,
Anders.
Re: smbk5pwd crash for missing symbol
by Guillaume Rousse
Love Hörnquist Åstrand wrote:
>
> On 28 May 2008 at 02:57, Guillaume Rousse wrote:
>
>> + hdb_entry_set_pw_change_time(context, &ent, 0);
>> +
>> + if (krb5_config_get_bool_default(context, NULL, FALSE,
>> + "kadmin", "save-password", NULL)) {
>> + ret = hdb_entry_set_password(context,
>> + context->db, &ent, qpw->rs_new.bv_val);
>> + if (ret != 0)
>> + break;
>> + }
>
> As Howard said, you can drop this part. It needs to be done differently
> with the hdb backend.
>
> Other than that the patch looks fine.
I changed it, everything works OK now. Thanks to both of you.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
slapd service terminates unexpectedly
by Kyle Blaney
I'm looking for help because our slapd service occasionally terminates
unexpectedly on Windows. I know that Windows isn't the ideal platform
and we're moving everything to Linux eventually but we need to put up
with Windows for a short while longer. Our configuration is OpenLDAP
2.3.39 with BDB 4.4.20 (although we've also seen the same problem in
OpenLDAP 2.3.38 and 2.3.41) built using MinGW/MSYS.
The problem is not readily reproducible but it has been seen on many
different systems. I don't have any further details because we've set
the service's recovery options to automatically restart the service when
it terminates unexpectedly. All reports indicate that the service is
not doing anything in particular when it unexpectedly terminates. For
example, it's not being heavily accessed. In fact, it often stops when
it's not being accessed at all. It runs perfectly well for hours or
days and then just stops before being automatically restarted. The only
indication that it even stops is an error logged in the Windows Event
Viewer by the Service Control Manager that says "The slapd service
terminated unexpectedly. This has happened 1 time(s)".
Are there any specific logging options I should turn on so that I can
provide more details as to what the service is doing just before it
terminates?
Is this likely to have the same root cause as ITS#5469 (Assertion
failure causes slapd crash):
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5469;selectid=5469?
Kyle Blaney
Software Engineer, System Management
Nortel Networks
Limit slapd memory usage on Windows?
by Kyle Blaney
Is there a way to limit slapd's memory usage on Windows? I ask because
we want to use OpenLDAP on memory-constrained systems. We're having
performance problems that occur when other applications start and they
need the memory used by slapd. A lot of page-swapping occurs and
performance suffers as a result.
I've tried to set a very small cachesize in slapd.conf and a very small
cache size in DB_CONFIG. However, those settings only decrease the
initial memory usage by slapd. When I add a single entry, slapd's
memory usage increases from 66 MB to 110 MB. When I add 100 more
entries, slapd's memory usage increases to 276 MB. Even when I disable
all indexes, the memory usage is still similar. (The memory usage
numbers I state are the combination of slapd's private bytes and virtual
bytes as reported by the Windows Performance tool.) Is there some way
to tell slapd not to use more than X MB of memory even if it's available
in order to avoid future page swaps?
Note that I'm running OpenLDAP 2.3.39 with BDB 4.4.20 on Windows XP
Professional with Service Pack 2.
---
Kyle Blaney
Software Engineer, System Management
Nortel Networks
Re: Pls help:delete missing in multi-master environment
by ST Wong (ITSC)
Right, I added redundant lines. Will test again after removing them.
Thanks for your help.
ST Wong (ITSC) wrote:
Hi all,
I set up a 2 server multi-master environment using OpenLDAP
2.4.9 + BerkeleyDB 4.6 on CentOS 5.1. Make test and simple load test on
add/mod/del are okay. However, it seems some records are not replicated in
the delete phase when there are a lot of simultaneous delete operations (e.g.
10 threads spawned from 2 clients to add/del 100 users in each thread).
I'm a newbie to syncrepl and have no idea about the problem from scanning
the debug output. My slapd.conf syncrepl section follows:
#master
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
#consumer
syncrepl rid=001
provider=ldaps://192.168.28.69
starttls=yes
tls_reqcert=never
tls_cacert=/etc/CA/cacert.pem
type=refreshAndPersist
retry="5 + 5 +"
searchbase="dc=mydomain,dc=hk"
schemachecking=off
bindmethod=simple
binddn="cn=replicator,ou=People,dc=mydomain,dc=edu"
credentials=secret
Would anyone pls help? Sorry for the newbie question.
Thanks a lot.
/st wong
Why are you running StartTLS on an ldaps server?
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
Re: TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
by Dieter Kluenter
"Arkady Shoyhet" <Arkady.Shoyhet(a)aladdin.com> writes:
> OK, folks, it is really not simple…
>
> HELP ME PLEASE…
[...]
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
>
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:562
>
> connection_read(11): TLS accept failure error=-1 id=1, closing
>
> connection_closing: readying conn=1 sd=11 for close
>
> connection_close: conn=1 sd=11
>
> WHY ??? What am I missing?
One question mark should be sufficient.
Something is wrong either with your certificate or with your TLS
configuration in slapd.conf and ldap.conf; please post the relevant
parts.
How did you create the certificates?
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
TLS with HPUX problem
by Adam Leach
Hi,
I'm having an issue with an LDAP-UX client and I'm hoping to shed some
light on this problem. I'm running OpenLDAP 2.3.39 on RHEL4 and my Linux
clients connect fine with TLS. My HPUX clients however are having
problems. Here is what my slapd says when run with -d 255:
11daemon: activity on 1 descriptor
daemon: activity on:
>>> slap_listener(ldaps:///)
daemon: listen=8, new connection on 17
daemon: added 17r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 17r
daemon: read active on 17
connection_get(17)
connection_get(17): got connid=39
connection_read(17): checking for input on id=39
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 30 1d 02 01 01 77 18 80 16 31 2e
0....w...1.
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:580
connection_read(17): TLS accept failure error=-1 id=39, closing
connection_closing: readying conn=39 sd=17 for close
connection_close: conn=39 sd=17
daemon: removing 17
I'm not sure if it's using a different version of SSL or what. Please help
as this is the final step before deploying OpenLDAP on my system.
Thanks
--
Adam Leach
BS Computer/Electrical Engineering
West Virginia University
System Administrator - Raytheon
(304)677-4455
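The 11 bytes slapd logged just before the SSL23_GET_CLIENT_HELLO error have the shape of a cleartext LDAP PDU, not of a TLS record. The following Python, added here and not part of OpenLDAP or of either poster's setup, classifies the first bytes received on an ldaps:// listener and walks the BER header of the logged message; the StartTLS identification is an inference from the requestName length, since the trace is cut off after "1.", and the same "unknown protocol" error is the one discussed in the preceding thread.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

# Constructed from the trace above: the 11 bytes slapd read on the ldaps:// socket.
TRACE_BYTES = bytes.fromhex("30 1d 02 01 01 77 18 80 16 31 2e")


def ber_tl(buf, pos):
    """Return (tag, length, position of content) for the BER tag/length at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        return tag, length, pos + 2 + n
    return tag, length, pos + 2


def describe_ldap_pdu(buf):
    """Walk LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }."""
    _, _, pos = ber_tl(buf, 0)                 # outer SEQUENCE
    tag, mlen, pos = ber_tl(buf, pos)          # messageID
    if tag != 0x02:
        raise ValueError("expected INTEGER messageID, got tag 0x%02x" % tag)
    msg_id = int.from_bytes(buf[pos:pos + mlen], "big")
    pos += mlen
    op_tag, _, pos = ber_tl(buf, pos)          # protocolOp, APPLICATION-tagged
    if op_tag != 0x77:                         # [APPLICATION 23] = ExtendedRequest
        return "msgid=%d protocolOp tag 0x%02x" % (msg_id, op_tag)
    _, name_len, pos = ber_tl(buf, pos)        # [0] requestName LDAPOID
    oid_prefix = buf[pos:pos + name_len].decode("ascii", "replace")
    hint = ""
    # Assumption: the trace stops after "1.", so only the length can be compared.
    if name_len == len(STARTTLS_OID) and STARTTLS_OID.startswith(oid_prefix):
        hint = " (length matches the StartTLS OID %s)" % STARTTLS_OID
    return "msgid=%d ExtendedRequest requestName=%r...%s" % (msg_id, oid_prefix, hint)


def classify_first_bytes(buf):
    """Say what the first bytes received on a TLS listener look like."""
    if len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03:
        return "TLS handshake record (SSLv3/TLS ClientHello)"
    if len(buf) >= 3 and buf[0] & 0x80 and buf[2] == 0x01:
        return "SSLv2-style ClientHello"
    if buf and buf[0] == 0x30:
        return "cleartext LDAP message: " + describe_ldap_pdu(buf)
    return "unrecognised"


if __name__ == "__main__":
    print(classify_first_bytes(TRACE_BYTES))
```

A client that sends this on the ldaps:// port is speaking plain LDAP (an extended request) where the server expects a TLS ClientHello, which is exactly what the "unknown protocol" error reports.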
Re: smbk5pwd crash for missing symbol
by Guillaume Rousse
Love Hörnquist Åstrand wrote:
>
> On 27 May 2008 at 02:18, Guillaume Rousse wrote:
>
>> I tried this approach (patch attached).
>>
>> Converting _kadm5_free_keys to hdb_free_keys is trivial, as the former
>> is just a wrapper over the second.
>>
>> However, converting _kadm5_set_keys to hdb_generate_key_set_password
>> is much more difficult. I first tried to inline all code from
>> _kadm5_set_keys in smbk5pwd.c. However, gcc complains about "request
>> for member ‘context’ in something not a structure or union" because it
>> doesn't have any clue about the nature of kadm_context, which is a
>> void pointer for smbk5pwd. Trying to cast it as a kadm5_server_context
>> pointer fails, as this seems also to be a private heimdal structure...
>>
>> Given my lack of C knowledge, I'm a bit stuck there.
>
> You can use the krb5_context that is global in the module, just change
> the code to use context instead of kadm5_context.
Slightly better but I still can't access its members:
smbk5pwd.c:416: error: dereferencing pointer to incomplete type
According to my understanding, kadm_context type is a pointer to an
internally-defined krb5_context_data structure.
Inlining a private function is not straightforward, especially for dumb C
programmers :)
Updated patch attached.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
--- smbk5pwd.c~ 2008-02-12 00:34:15.000000000 +0100
+++ smbk5pwd.c 2008-05-28 11:05:18.000000000 +0200
@@ -368,6 +368,8 @@
struct berval *keys;
int kvno, i;
Attribute *a;
+ Key *local_keys;
+ size_t local_num_keys;
if ( !SMBK5PWD_DO_KRB5( pi ) ) break;
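Review bot: the two new locals are declared without initialisers even though the code that fills them (hdb_generate_key_set_password in the next hunk) sits behind the SMBK5PWD_DO_KRB5 check and further early breaks; declaring them as `Key *local_keys = NULL;` and `size_t local_num_keys = 0;` costs nothing and keeps any later cleanup path from freeing an indeterminate pointer.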
@@ -396,7 +398,26 @@
op->o_log_prefix, e->e_name.bv_val, 0 );
}
- ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
+ /* _kadm5_set_keys is a private function, inline its code here */
+ ret = hdb_generate_key_set_password(context, ent.principal,
+ qpw->rs_new.bv_val, &local_keys, &local_num_keys);
+ if (ret != 0)
+ break;
+
+ hdb_free_keys(context, ent.keys.len, ent.keys.val);
+ ent.keys.val = local_keys;
+ ent.keys.len = local_num_keys;
+
+ hdb_entry_set_pw_change_time(context, &ent, 0);
+
+ if (krb5_config_get_bool_default(context, NULL, FALSE,
+ "kadmin", "save-password", NULL)) {
+ ret = hdb_entry_set_password(context,
+ context->db, &ent, qpw->rs_new.bv_val);
+ if (ret != 0)
+ break;
+ }
+
hdb_seal_keys(context, db, &ent);
krb5_free_principal( context, ent.principal );
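Review bot: the two new error paths (`if (ret != 0) break;` after hdb_generate_key_set_password and again after hdb_entry_set_password) leave the block before `krb5_free_principal( context, ent.principal );`, so ent.principal is leaked whenever either call fails; free it before the break or route the failure through the existing cleanup. Separately, `context->db` dereferences krb5_context, which is an incomplete type inside the module (the smbk5pwd.c:416 error reported above), and as the reply says the save-password block should be dropped rather than ported.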
@@ -415,7 +436,7 @@
}
BER_BVZERO( &keys[i] );
- _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
+ hdb_free_keys(context, ent.keys.len, ent.keys.val);
if ( i != ent.keys.len ) {
ber_bvarray_free( keys );
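Review bot: after `hdb_free_keys(context, ent.keys.len, ent.keys.val);` the struct still holds the freed pointer while `if ( i != ent.keys.len )` keeps using it; setting `ent.keys.val = NULL; ent.keys.len = 0;` right after the free (with the length compared beforehand) ensures that any later release of ent as a whole cannot free the key array a second time.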
smbk5pwd crash for missing symbol
by Guillaume Rousse
Hello list(s).
I'm having a crash as soon as I attempt to change my password when
smbk5pwd is activated. strace shows an unresolved symbol in
smbk5pwd.so: _kadm5_free_keys
Heimdal source code shows this function is defined in libkadm5srv.so
(/usr/lib/libkadm5srv.so.8.0.1) for heimdal 1.1. But this seems to be a
private symbol, as objdump -T doesn't list it. Looking at heimdal
Makefile.am, it seems a special configuration file is used
(lib/krb5/version-script.map) to filter exported symbols, if the linker
supports the use of the -Wl,--version-script option. I couldn't find any
description of this option.
Is it possible that the smbk5pwd author used a private function by
mistake, which only works because he built heimdal on a host whose linker
doesn't support the --version-script option?
I'm using heimdal 1.1 and openldap 2.4.8 on Mandriva Linux.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62