openldap-software March 2009

openldap-software@openldap.org

56 participants
62 discussions

HELP! After Upgrading OpenLDAP 2.4.15 DB 4.6 to DB4.7 LDAP isn't willing to operate: txn_checkpoint interface requires an
by O. Hartmann 12 Mar '09

12 Mar '09

Today I updated several FreeBSD 7.1-STABLE servers and so I did on one of our OpenLDAP servers. The server was runnig OpenLDAP 2.4.15 with Cyrus SASL2 support and DB backend was DB 4.6 as from the ports. First, I made a backup from the OpenLDAP database via slapcat -l file.ldif. I updated from DB 4.6 o DB 4.7 and rebuilt every port that relied on DB 4.6, deleted DB 4.6 libraries and other files and then rebuilt OpenLDAP 2.4.15. When trying to recover the database via 'slapadd -c -l file.ldif' and/or trying to restart the OpenLDAP server, I get this error message: Starting slapd. @(#) $OpenLDAP: slapd 2.4.15 (Mar 12 2009 13:06:18) $ root@fu-testbett:/usr/ports/net/openldap24-server/work/openldap-2.4.15/servers/slapd bdb(dc=geoinf,dc=fu-berlin,dc=de): unable to initialize mutex: Invalid argument bdb(dc=geoinf,dc=fu-berlin,dc=de): unable to destroy mutex: Invalid argument bdb(dc=geoinf,dc=fu-berlin,dc=de): PANIC: Invalid argument bdb(dc=geoinf,dc=fu-berlin,dc=de): unable to join the environment hdb_db_open: database "dc=geoinf,dc=fu-berlin,dc=de" cannot be opened, err -30974. Restore from backup! bdb(dc=geoinf,dc=fu-berlin,dc=de): txn_checkpoint interface requires an environment configured for the transaction subsystem bdb_db_close: database "dc=geoinf,dc=fu-berlin,dc=de": txn_checkpoint failed: Invalid argument (22). backend_startup_one: bi_db_open failed! (-30974) bdb_db_close: database "dc=geoinf,dc=fu-berlin,dc=de": alock_close failed slapd stopped. So far. At this very moment I feel like a dead man in the water. I searched the web and tried to find out what LDAP is complaining about, but no success so far. Is anybody out here with some hints? Please eMail me, thanks in advance, Oliver

3 5

TLSCipherSuite crashes slapd
by John G. Heim 11 Mar '09

11 Mar '09

I inherited an openldap installation and am trying to set up a copy of the database on a test server so I can experiment with it. I copied the slapd.conf file from the production machine and made the minimal modifications I had to to get it to work. The production server is running the debian etch version of slapd, 2.3.30 and the test server is running lenny's slapd, 2.4.11. One line that I had to comment out was #TLSCipherSuite HIGH:MEDIUM I also tried this (which is supposed to be the default): #TLSCipherSuite ALL:!ADH If I uncomment either of those lines, slapd will not start. What really puzzles me is that the second line is supposed to be the default and even that doesn't work. If I leave them commented out, slapd starts and I can query the database via ldapsearch specifying the -ZZ option or by specifying ldaps. $ ldapsearch -x -ZZ uid=jheim $ ldapsearch -x -H ldaps://ldap3.math.wisc.edu uid=jheim Both of those searches work. I'm using a cert from cacert.org. But it appears to like the cert because the -ZZ works and ldaps works. I even ran ldapsearch with the -d1 option and saw nothing unusual about the certs. The only unusual line in the log is this: Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1

3 3

solaris slapadd "Value too large for defined data type"
by Brett ＠Google 11 Mar '09

11 Mar '09

Hi All, While loading some data into a 2.4.15 (release) database using slapadd, i get : /usr/local/openldap/sbin/slapadd -c -q -w -f /usr/local/openldap/etc/openldap/slapd.conf -l /data/openldap/backups/ldap_090302.ldif -d 99 /data/openldap/backups/ldap_090302.ldif: Value too large for defined data type Which is odd. The ldif is approx 9G in size, but i would have thought that would not have been entirely unusual ? Compiled under Sun cc, berkeleydb 4.7 with latest (3) patches.. any thoughts would be welcome. Cheers Brett

2 1

OpenLdap - trigger
by Joao Batista Mossmann 11 Mar '09

11 Mar '09

Hi, Using OpenLdap there a way to call a trigger when a query is executed? Best regards, Joao Mossmann

2 1

root-only configuration
by Peter Mogensen 11 Mar '09

11 Mar '09

Hi, With slapd.conf you had to be root on the host to reconfigure slapd. However, with cn=config anyone who can authenticate as rootdn for cn=config can reconfigure slapd. Is it in anyway possible to set up cn=config, so only root on the host can make changes? /Peter

4 4

Problem with master-slaves synchronisation
by fida aljounaidi 11 Mar '09

11 Mar '09

Hello I have a big problem with syncronisation between some openldap slaves and the openldap Master. In fact, i have a network of openldap slaves (8) and an openldap master who send all the information to the slaves. Actually when i add a new openldap slave, i get the old information from the master but for all the newest one, i dont have synchronisation. i have openldap 2.3.43 installed on the openldap Master openldap 2.3.3 installed on the openldap slaves. DB4.2-util installed on both openldap master and openldap slaves. What can be the problem. I dont have many thing on the logs. Thanks a lot

1 0

JLDAP - unsupported extended operation
by Joao Batista Mossmann 10 Mar '09

10 Mar '09

I have a problem with a program in Java ussing JLDAP. I am trying/ run write a program http://developer.novell.com/documentation/samplecode/jldap_sample/extension… but return only error LDAPException: Protocol Error (2) Protocol Error LDAPException: Server Message: unsupported extended operation LDAPException: Matched DN: Please help me Best regards, Joao Mossmann

4 4

Overlays proxycache and failover
by Sébastien CAMELLINI 10 Mar '09

10 Mar '09

Hie, I have one ldap proxy server and 2 ldap servers in mirror mode with syncrep. My proxy ldap server ask all to one of the two servers in mirror mode. l'm trying to find a way to specifie in the proxy ldap config to ask all to the second server when the first is down. Thank you for your help, Sebastien CAMELLINI

3 2

Re: set ACL specification/syntax
by Andrew Cobaugh 09 Mar '09

09 Mar '09

On Fri, Mar 6, 2009 at 4:10 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > > If you set the cn value on every group they are supposed to be able to write > to, then they'll be able to write to any of those groups. I.e., "this/cn" > is the group entry in question. I'm assuming you want them to be able to > write to any group they have control of. If you don't, then simply remove > the cn=uid value from the group. Perhaps I didn't articulate my point well enough. I want them to be able to *create* these entries on their own, they won't be pre-created. So, I want them to be able to create entries under ou=group but only if they are of the form uid:.+ --andy

2 2

ACL and multiple mandatory conditions
by manu＠netbsd.org 07 Mar '09

07 Mar '09

Hello The goal is to give access to a ressource based on two mandatory conditions. I want user DN to match a rule, and attribute value to match another rule, which depends on the user This yields me two rules. The first one allow a user that has a given ou in ouManager set to modify the authorizedService in this ou. I did not test the second one yet, but the idea is that the user has a serviceManager attribute telling which value of authorizedService he is allowed to set. access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService by set.exact="user/ouManager & this/-1" write stop access to attrs.regex=authorizedService val.regex="(.*)" by set="user/serviceManager & ${v1}" write stop But I need to perform a AND between the two rules. How can that be done? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

3 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software March 2009