openldap-software December 2009

openldap-software@openldap.org

28 participants
29 discussions

Replication problem
by Luiz Gustavo P Tonello 17 Dec '09

17 Dec '09

Hi Folks! I have a problem with replication between ldap master and slave. When I change password, add new user or delete user, my slurpd.replog grows absurdly (like 1GB, 2GB the each minute). And my command not complete, because I need put Ctrl+C for can back my console. Well, that's situation don't repeat ever. Sometimes, I can execute all commands normally (smbldap-usershow, useradd, userdel, etc.), and a replication occur perfectly. Any ideas for this problem? BTW: When slurpd.replog growing, and I open this file, see that this repeat any times, like a loop, right? Thank's for any kind of help! -- Luiz Gustavo P Tonello.

2 1

Allow creation of one single entry (own addressbook)
by Lukas Haase 17 Dec '09

17 Dec '09

Hi, I adopted the address book sample from the FAQ but I want to have a separate hierarchy. Also included there: The public address book. Why? Because on the client I need to enter only one base and the global book automatically merges with the global one. This are my current ACLs: # admin is allowed to do all access to * by dn.exact="uid=admin,ou=int,ou=users,dc=example,dc=com" write by * break access to attrs=userPassword by anonymous auth by self =wscx by * none access to attrs=shadowLastChange,sambaNTPassword,sambaLMPassword by self =wscx by * none # individual books # read the own book access to dn.regex="^ou=([^,]+),ou=Address Book,dc=example,dc=com$" attrs=entry,@organizationalUnit by dn.exact,expand="uid=$1,ou=int,ou=users,dc=example,dc=com" read by * break # create children in address book access to dn.regex="^ou=([^,]+),ou=Address Book,dc=example,dc=com$" attrs=children by dn.exact,expand="uid=$1,ou=int,ou=users,dc=example,dc=com" write by * break # create entries access to dn.regex="[^,]+,ou=([^,]+),ou=Address Book,dc=example,dc=com$" attrs=entry,@inetOrgPerson by dn.exact,expand="uid=$1,ou=int,ou=users,dc=example,dc=com" write by * break # global access to dn.exact="ou=Address Book,dc=example,dc=com" by dn.regex="^uid=[^,]+,ou=int,ou=users,dc=example,dc=com$" read by * break access to dn.subtree="ou=global,ou=Address Book,dc=example,dc=com" by dn.regex="^uid=[^,]+,ou=int,ou=users,dc=example,dc=com$" read by * break # "reader" should be able to read anything else (libnss-ldap etc). access to * by dn="uid=reader,dc=example,dc=com" read by self read by * none Now I want the users to be also able to create their own container under ou=Address book. What is the correct ACL entry for that? Best regards, Luke PS: Is the ACL layout bad in common? What would you change? -- GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT! Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01

1 0

Do we need Berkeley DB's Concurrent Data Store for Concurrency in OpenLDAP
by dfas dfas 16 Dec '09

16 Dec '09

Hi, I am currently looking to implement an OpenLDAP solution with a BDB backend that needs to support concurrent access by multiple users. As there are different flavours of the Berkeley DB available, can I just ask if we need to purchase the Concurrent Data Store version of Berkeley DB or can I just stay with the Data Store version? I ask this because OpenLDAP already has its own concurrency support and I was just wondering if this implies that OpenLDAP will ensure that BDB will only be accessed thru a single thread of control? Any help will be greatly appreciated. Thanks. New Email names for you! Get the Email name you've always wanted on the new @ymail and @rocketmail. Hurry before someone else does! http://mail.promotions.yahoo.com/newdomains/sg/

2 1

Re: changing userPassword from custom application
by Quanah Gibson-Mount 15 Dec '09

15 Dec '09

--On Tuesday, December 15, 2009 12:28 PM +0000 "J. Landamore" <jal(a)mcs.le.ac.uk> wrote: > Sorry to butt in on this, but how do you let the OpenLDAP server use its > default encryption? Since 2.4 whatever I have done stores the > userPassword attribute in clear text when using passwd(1) from our Linux > or Solaris boxes. ldappasswd states that is not a replacement for > passwd(1), what I'd like is to return to the state in OpenLDAP-2.2 and > previous where the passwords were stored encrypted in some fashion. > I've been banging my head about this for 3 months so any pointers would be > very much appreciated. If you have questions, please keep them on the list. Thanks. <http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&sektion…> password-hash <hash> [<hash>...] This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

OpenLDAP syncrepl message: AttributeDescription contains inappropriate characters
by Jorgen Lundman 14 Dec '09

14 Dec '09

openldap-2.3.41 db-4.2.52.NC-PLUS_5_PATCHES SunOS ldapmaster01.unix 5.10 Generic_127128-11 Our LDAP setup has been running rather well for the last 2 years or so, but increasingly we have had to restart slapd more and more frequently. Occasional core-dumps and "very large" process footprints as well. I suspect that it is perhaps stuck on replication, this message show up on the clients fairly frequently: Dec 14 11:30:49 forward01.unix slapd[10494]: [ID 190661 local4.debug] <= entry_decode: slap_str2undef_ad( 20091027142315Z#000001#00#000000): AttributeDescription contains inappropriate characters Dec 14 11:30:49 forward01.unix slapd[10494]: [ID 818565 local4.debug] null_callback: error code 0x50 Dec 14 11:30:49 forward01.unix slapd[10494]: [ID 776556 local4.debug] syncrepl_entry: rid 405 be_add failed (80) Dec 14 11:30:49 forward01.unix slapd[10494]: [ID 747041 local4.debug] do_syncrepl: rid 405 retrying (9 retries left) Which makes me think that it has been stuck since 20091027. Is there a way for me to find out which entry 20091027142315Z#000001#00#000000 refers to, so I can just delete it? (or fix it). The pertinent lines in ldapmaster are: lastmod on checkpoint 128 15 directory /usr/local/var/openldap-data index objectClass eq index uid eq index uidNumber eq index mail eq index mailAlternateAddress pres,eq index deliveryMode eq index accountStatus eq index gecos eq index radiusGroupName eq index o pres,eq index entryCSN,entryUUID eq index gidNumber eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 And each slave has identical conf, except for the RID which is based on the last octet of the IP address: lastmod on checkpoint 128 15 directory /usr/local/var/openldap-data index objectClass eq index uid eq index uidNumber eq index mail eq index mailAlternateAddress pres,eq index deliveryMode eq index accountStatus eq index gecos eq index radiusGroupName eq index o pres,eq index entryCSN,entryUUID eq index gidNumber eq syncrepl rid=405 provider=ldap://172.20.12.113 type=refreshAndPersist interval=00:00:00:30 searchbase="ou=mail,dc=gmo,dc=jp" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off updatedn="cn=admin,dc=gmo,dc=jp" bindmethod=simple binddn="cn=admin,dc=gmo,dc=jp" credentials="*censored*" retry="60 10 300 +" updateref ldap://172.20.12.113 In general, do they seem reasonable? Everything has been appearing to be correct, except for the 20091027 entry. What is the recommended procedure? Reading the documentation makes me think I should also index "ContextCSN"? A recent ldapmaster core was triggered here: #0 0xce7948da in t_delete () from /lib/libc.so.1 #1 0xce79417f in _malloc_unlocked () from /lib/libc.so.1 #2 0xce794058 in malloc () from /lib/libc.so.1 #3 0x08133175 in ber_memalloc_x () #4 0x08133487 in ber_dupbv_x () #5 0x0813352b in ber_dupbv () #6 0x0807c22e in attr_dup () ... which I believe is replication-related due to a post made earlier in the list. Most likely also fixed in later versions. Thanks for any reply, Jorgen Lundman -- Jorgen Lundman | <lundman(a)lundman.net> Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work) Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell) Japan | +81 (0)3 -3375-1767 (home)

1 1

no shared cipher error
by Josh.Mullis＠cox.com 12 Dec '09

12 Dec '09

Good day all, I am getting the following error on an openldap v2.3 server when attempting communication from an ldap client... ------------------------ TLS trace: SSL_accept:before/accept initialization TLS trace: SSL3 alert write:fatal:handshake failure TLS trace: SSL_accept:error in SSLv3 read client hello B TLS trace: SSL_accept:error in SSLv3 read client hello B TLS: can't accept. TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:974 ------------------------ I only get this when connecting to openldap server from a client. I do not get this error when I use the openssl client / server commands method. Output below.... Thanks for any help. -Josh ----------------------------------------------------- openssl s_server -accept 1982 -cert /etc/openldap/cacerts/servercrt.pem -key /etc/openldap/cacerts/serverkey.pem ACCEPT -----BEGIN SSL SESSION PARAMETERS----- --hidden-text-- --hidden-text-- --hidden-text-- -----END SSL SESSION PARAMETERS----- Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5 CIPHER is DHE-RSA-AES256-SHA ------------------------------------------------------ ------------------------------------------------------------------- openssl s_client -connect ldapurl.example.com:1982 -CAfile /path/to/cacert CONNECTED(00000003) depth=1 --hidden-text-- verify return:1 depth=0 --hidden-text-- verify return:1 --- Certificate chain 0 s:/--hidden-text-- i:/--hidden-text-- --- Server certificate -----BEGIN CERTIFICATE----- --hidden-text-- --hidden-text-- --hidden-text-- --hidden-text-- -----END CERTIFICATE----- subject=/--hidden-text-- issuer=/--hidden-text-- --- No client certificate CA names sent --- SSL handshake has read 1250 bytes and written 276 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: --hidden-text-- Session-ID-ctx: Master-Key: --hidden-text-- Key-Arg : None Start Time: 1260195189 Timeout : 300 (sec) Verify return code: 0 (ok) --- ---------------------------------------------------------------------------------------------

2 1

Asyncronous, non blocking back- connector for Openldap
by hptf 11 Dec '09

11 Dec '09

Hello all, I would like to know if any of you have ever experiment a NONBLOCKING, socket based back-* for OpenLdap server. For obscure reasons, out of the scope of this mailing list, I must compile openldap slapd with non-threaded option activated. The data storage, we get data from, is accessed via standard TCP socket; but some read can take time. Thus we cannot wait in a blocking TCP read . We start our experiment with a modified version of back-sock ( using TCP ), but this back- use a blocking scheduling model. Thus, How can we put in slapd scheduling loop an alien socket managed by a back- library ? ( SLAPD_ADD.... ?) How can back- be scheduled on socket reception ( Listener* ?) How can we asynchrously send LDAP response, and set the context for them What should be answered at the first ldap request ( in the back_search() for example) to say 'will be answered later' ? Any help, or pointer to help, even for only one of this point, would be much appreciate! hp tf

2 1

custom auth
by Marten Lehmann 10 Dec '09

10 Dec '09

Hello, for a mail relay setup I need to check a login and password against ldap by trying to bind with authentication. In my slapd.conf I have these lines (among others): suffix "dc=mail" rootdn "cn=admin,ou=users,dc=mail" access to attrs=userPassword by anonymous auth by * none How do I tell OpenLDAP to authenticate against cn=<login>,ou=users,dc=mail and its userPassword attribute? Kind regards Marten

3 3

unexpected userPassword content
by Marten Lehmann 10 Dec '09

10 Dec '09

Hello, I am writing a MD5-password to openldap: cleartext: 654321 md5: c33367701511b4f6020ec61ded352059 hex2b64: wzNncBURtPYCDsYd7TUgWQ== So in my call, I am setting userPassword={MD5}wzNncBURtPYCDsYd7TUgWQ== But when I retrieve the userPassword content later, I get this value: e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0= What has openldap done to it? What do I have to do with the cleartext password to get the same value? Kind regards Marten

4 4

ldap proxy resolution by rewriting in meta-backend
by yamina 09 Dec '09

09 Dec '09

Hello, I want to use the "LDAP Proxy resolution" mode related in the "slapd-meta" man but I don't manage to make it works. I wonder if it is implemented yet because I saw a message dated Fri, 16 Jan 2004 17:09:10 +0100 in which the same problem is not solved. My slapd.conf looks like: uri "ldap://127.0.0.1:390/ou=a,ou=mysociety,c=fr" ... rewriteRule '(.*-b\))' 'ldap://127.0.0.1:391/ou=b,ou=mysociety <ldap://ldap1.my.org/%0%27>,c=fr' <ldap://ldap1.my.org/%0%27> ':@' rewriteRule '(.*-c\))' 'ldap:// <ldap://ldap2.my.org/%0%27>127.0.0.1:392/ou=c,ou=mysociety,c=fr' <ldap://ldap1.my.org/%0%27> ':@' in order that when I search for example for uid=toto-b, it would do it through openldap running on port 391, if I search for uid=titi-c, it would do it through openldap running on port 392 and if I search anything not ending by "-b" or "-c", il would do it through openldap running on port 390(target). But the search nevers goes to the openldap running on ports 391 and 392. Any help would be mostly appreciated. Kind regards

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2009