openldap-software January 2009

openldap-software@openldap.org

52 participants
59 discussions

Re: Tourble with my ldap config
by Quanah Gibson-Mount 20 Jan '09

20 Jan '09

--On Tuesday, January 20, 2009 7:28 PM +0100 Nathan Huesken <ldap(a)lonely-star.org> wrote: > Hi, > > Well, that makes sence. How can I find out where? The log does not tell > me. Please keep replies on the list. The log tells you that your config DB is missing a valid DN, I think that's a good place to start. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

LDAP Synchronisation
by Andi Gorhan 20 Jan '09

20 Jan '09

Hi, I have a very big Master Slave Replication (about few millon entrys). Now I want to start with syncrepl and I started both Servers. Now Slave got all information via syncrepl for the initial load. Is it possible to change the "initial load"-way? Maybe simply copying the whole DB from Master to Slave at the beginning, so that LDAP doesn't have to sync the whole DB? It is really slow. Hopefully you can help me. Andi

3 2

Tourble with my ldap config
by Nathan Huesken 20 Jan '09

20 Jan '09

Hi, I tried setting up a basic config under ubuntu. I get an erro. I posted the output of slapd -g openldap -u openldap -F /etc/ldap/slapd.d/ -d -1 bellow. I do not know what is wrong, something with my config I guess, but what? Thanks! Nathan @(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $ buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd ldap_pvt_gethostbyname_a: host=*********, r=0 daemon_init: <null> daemon_init: listen on ldap:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// daemon_init: 2 listeners opened ldap_create slapd init: initiated server. slap_sasl_init: initialized! backend_startup_one: starting "cn=config" => str2entry: "cn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: Stats olcPidFile: /var/run/slapd/slapd.pid #olcReferral: ldap://********* olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 71356238-744f-102d-9b10-b5fb67f677b6 creatorsName: cn=config createTimestamp: 20090111171717Z entryCSN: 20090111171717.754132Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20090111171717Z " str2entry: entry -1 has no dn => ldif_enum_tree: failed to read entry for /etc/ldap/slapd.d//cn=config.ldif send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=51 matched="" text="" slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy.

2 1

alock file
by Andi Gorhan 20 Jan '09

20 Jan '09

Hi, I want manually recover my DB. Do I have to delete the alock file also?Which meaning has the alock file? Thx, Andi

1 0

LDAP Indexing
by Andi Gorhan 20 Jan '09

20 Jan '09

Hi, Hopefully you can help me here. I only want to what the LDAP DB is doing if I start slapindex. It is clear for me that LDAP reindex all attributes but antoher is strange for me. The folder where LDAP is based grows up constantly. Is it writing in the cache? And when yes, why? Thank you and have a nice day. Andi

1 0

linked values
by Александр Фомичёв 19 Jan '09

19 Jan '09

Hi, everybody! Is there any possibility (via OpenLDAP, of course, without external scripts) to get the following functionality: When I change the value A, value C, combined from A + B, is updated automatically. For example, value "Full Name" has a form "Andrew W Markus". There are three other fields - "First Name" (Andrew), "Middle Name" (W) and "Last Name" (Markus). I want the "Full Name" to be automatically updated when, for example, the "First Name" changes. Best regards. -- Alexander

2 1

Re: syncrepl problem - nothing updated after initial syncronisation
by Dieter Kluenter 16 Jan '09

16 Jan '09

Rein Tollevik <rein(a)OpenLDAP.org> writes: > Dieter Kluenter wrote: >> "Carl Johnstone" <carl.johnstone(a)gmgrd.co.uk> writes: >> >>> Trying to get 2 slapd servers setup for multi-master replication - >>> they will eventually be in different physical locations. Once I've got >>> the 2 servers running OK, I'll be adding in a 3rd location. I've >>> followed the admin guide, using cn=config and have attached a LDIF >>> dump of the config (with schemas removed). >>> >>> When I bring up the second server, with a minimal config. It correctly >>> replicates across cn=config and sets up the main DB. It then correctly >>> copies across all the data in the main DB to bring itself up-to-date >>> with the server that's already setup. However from the point I bring >>> it online it doesn't replicate any further changes to the first >>> server. If I restart the second server the contextCSN is updated, >>> however no other changes are replicated across. >>> >>> Is there anything obviously wrong with my config? Or have I hit a >>> known problem? >> remove the URI part from serverID. > > No! This is required when using a common config, which again is > implied by a replicated cn=config. Each server in a multi-master > configuration *must* have separate serverIDs, and using the URI > version of the serverID is the only way multiple servers with the same > config can achieve that. > > The URI part of the serverID must match (one of the) listeners slapd > uses (its -h arguments). Start the servers with "-d config" and > verify that they report different and non-zero SID= values. This will lead to a contextCSN with a serverID 000 reference and will disable any synchronization. -Dieter -- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html sip: +49.180.1555.7770535 GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E

2 1

Do we need to setup syncrepl along with back_ldap for proxying?
by Steven Truong 15 Jan '09

15 Jan '09

Dear, all. Do I need to set up syncrepl on the same proxy server that use back_ldap in order to proxy to my master/provider openldap server. (Master/provider openldap server) <-------- (consumer that does proxy to openldap master/provider server) [MY CURRENT SETUP) or should I set up (Master/provider openldap server) <-------- (consumer that doest proxy and _ALSO_ _SYNCREPL_ to openldap master/provider server) With the following setup, I can not seem to get any data from that provider openldap server... --------------------- include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/core.schema include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/cosine.schema include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/inetorgperson.schema include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/nis.schema include /usr/local/etc/samba.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args loglevel any #modulepath /usr/local/stow/openldap-2.4.13/libexec/openldap modulepath /usr/local/libexec/openldap/ #just for testing, load hdb moduleload back_hdb moduleload back_ldap timelimit unlimited sizelimit unlimited threads 8 ################################################################## database ldap uri "ldap://192.168.28.200" suffix "ou=people,dc=mynetwork,dc=com" rootdn "cn=admin,dc=mynetwork,dc=com" idassert-bind bindmethod=simple binddn="uid=proxy,ou=proxy,dc=mynetwork,dc=com" credentials="SunShine" mode=none # tls start #tls_cacertdir=/usr/local/etc/openldap/cacerts idassert-authzFrom dn.subtree="ou=people,dc=mynetwork,dc=com" ------------------------------------- Here is my ldap.conf [root@ext cache]# cat /usr/local/etc/openldap/ldap.conf #URI ldap://localhost URI ldap://192.168.28.111/ #URI ldap://192.168.28.200/ BASE ou=people,dc=mynetwork,dc=com SIZELIMIT 0 TIMELIMIT 0 I did a ldapsearch and got nothing but "ldap_result: Can't contact LDAP server (-1)" [root@ext cache]# ldapsearch -d 1 -v -x -W -D "uid=mydude,ou=people,dc=mynetwork,dc=com" ldap_initialize( <DEFAULT> ) ldap_create Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 192.168.28.111:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.28.111:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 65 bytes to sd 3 ldap_result ld 0x102de7f0 msgid 1 wait4msg ld 0x102de7f0 msgid 1 (infinite timeout) wait4msg continue ld 0x102de7f0 msgid 1 all 1 ** ld 0x102de7f0 Connections: * host: 192.168.28.111 port: 389 (default) refcnt: 2 status: Connected last used: Thu Jan 15 13:51:05 2009 ** ld 0x102de7f0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x102de7f0 request count 1 (abandoned 0) ** ld 0x102de7f0 Response Queue: Empty ld 0x102de7f0 response count 0 ldap_chkResponseList ld 0x102de7f0 msgid 1 all 1 ldap_chkResponseList returns ld 0x102de7f0 NULL ldap_int_select read1msg: ld 0x102de7f0 msgid 1 all 1 ber_get_next ldap_free_connection 1 0 ldap_free_connection: actually freed ldap_err2string ldap_result: Can't contact LDAP server (-1) -------------------- I read the http://www.openldap.org/doc/admin24/replication.html#Configuring%20the%20di… and found out that syncrepl were used in the examples but I had the impression that I do not need syncrepl from reading the man page of slapd-ldap. Please provide me with the correct ways to implement an openldap proxy server. Thank you.

2 3

how to replace multiple attributes?
by Adam Williams 15 Jan '09

15 Jan '09

With openldap 2.3 the following ldif would load fine with ldapmodify: dn: uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us changetype: modify sambaProfilePath: \\preshs\profiles\panderson sambaHomePath: \\preshs\panderson sambaLogonScript: scripts\panderson.bat sambaHomeDrive: R: Over the weekend I upgraded to OpenLDAP 2.4.12. I was googling and I think my ldif now needs to look like this, but I get an error when trying to load it, and I'm not sure why, any ideas? dn: uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us changetype: modify replace: sambaProfilePath sambaProfilePath: \\preshs\profiles\panderson - replace: sambaHomePath sambaHomePath: \\preshs\panderson - replace: sambaLogonScript: sambaLogonScript: scripts\panderson.bat - replace: sambaHomeDrive sambaHomeDrive: R: [root@roark ldap]# ldapmodify -D "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxxxxx -x -v -f profilepaths.ldif ldap_initialize( <DEFAULT> ) ldapmodify: invalid format (line 5) entry: "uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us" if I take out the lines that are only a - and run it, it only replaces the first attribute: [root@roark ldap]# ldapmodify -D "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxxxxx -x -v -f profilepaths.ldif ldap_initialize( <DEFAULT> ) replace sambaProfilePath: \\preshs\profiles\panderson modifying entry "uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us" modify complete how can I get ldapmodify to replace all 4 lines in one ldif file?

4 7

Local rewrite and authz-regexp
by Mathieu MILLET 14 Jan '09

14 Jan '09

Hi everyone, In this period, a "Happy new year" is most appropriate, isn't ? I have setup two servers in multimaster replication, with using SASL/EXTERNAL+authz_regexp (1 have to authz_regexp - one for cn=config and one for the replicator dn in data context) to authenticate the replication instances with SSL Certificates. I would like to implement a "local" rewrite of incoming requests (mostly BIND and Search operations) so that queries originating with dn like "cn=jdoe,ou=people,dc=local" are transformed in "uid=jdoe,ou=people,dc=local". I have two problems and one question : 1. I can't implement any olcRwmRewrite attribute. Any of the following lines in the olcOverlay={4}rwm.ldif file : olcRwmRewrite: {0}rwm-rewriteEngine "on" olcRwmRewrite: {1}rwm-rewriteContext "default" olcRwmRewrite: {2}rwm-rewriteRule "cn=(.+),ou=people,dc=local$" "uid=$1,ou=people,dc=local" ":" give the error message (in debug mode) : ------------- [/etc/openldap/slapd.d/:1] unknown command '' olcRwmRewrite: value #0: <olcRwmRewrite> handler exited with 1! config error processing olcOverlay={4}rwm,olcDatabase={2}hdb,cn=config: <olcRwmRewrite> handler exited with 1 send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=80 matched="" text="" slaptest: bad configuration directory! -------------- Those lines were generated by slaptest from a working slapd.conf file 2. Segfault at startup (or when pushing LDIF configuration - maybe at first sync): The segfault point varies from one startup to another, always after a TLS negociation (it is the syncrepl instance with itself) and sometimes the following lines appear: ldap_msgfree [rw] searchDN: "dc=app,dc=eiffage,dc=loc" -> "dc=app,dc=eiffage,dc=loc" => bdb_entry_get: ndn: "(null)" => bdb_entry_get: oc: "(null)", at: "contextCSN" bdb_dn2entry("(null)") Erreur de segmentation Even when the overlay configuration LDIF file is reduced to the following : dn: olcOverlay={4}rwm objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {4}rwm structuralObjectClass: olcRwmConfig If I remove the overlay configuration LDIF file, the server starts working immediately. 3. Where can I find documentation about olcRwmTFSupport and olcRwmNormalizeMapped, that slaptest generated for me ? For documentation, here are the authz_regexp : {0}cn=.*_repl_config,ou=AC-LDAP,o=myorg cn=config {1}cn=.*_replicator,ou=AC-LDAP,o=myorg cn=Replicator,ou=replicators,dc=local and the olcsyncrepl attributes look like this : {0}rid=001 provider="ldap://slxp0059.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=10 tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/repl_config.cert.pem tls_key=/etc/openldap/repl_config.key.pem {1}rid=002 provider="ldap://slxp0058.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=10 tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/repl_config.cert.pem tls_key=/etc/openldap/repl_config.key.pem {0}rid=201 provider="ldap://slxp0059.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/replicator.cert.pem tls_key=/etc/openldap/replicator.key.pem {1}rid=202 provider="ldap://slxp0058.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/replicator.cert.pem tls_key=/etc/openldap/replicator.key.pem Thanks in advance for any answer. Sincerely yours, Mathieu MILLET. -- Mathieu MILLET mailto:ldap@htam.net ----

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2009