openldap-software July 2009

openldap-software@openldap.org

49 participants
46 discussions

Online config, delta syncrepl and overlay chain
by Christian Roessner 27 Jul '09

27 Jul '09

Hi, I had bought a german book (OpenLDAP 2.4 - Das Praxisbuch) and could successfully setup a delta-sync replication. Now I read about the ability to add the overlay chain on the consumer side to automatically redircet write rquests for the consumer to the provider. I am using an online configuration and I am not able to find answers how to add this overlay. I am using Ubuntu, which has built openldap with module-support. So I have already added the back_ldap.la module. Two questions I can not get answers: 1.) Do I need to add the overlay to the thb-backend or to the frontend? 2.) Could please somebody point me to the corresponting objectClasses that need to be added and the required attributes? The book lists the follwing: overlay chain chain-uri ldap://foo/ chain-idassert-bind bindmethod=simple binddn="..." credentials="..." mode=self flags=non-prescriptive chain-rebind-as-user true chain-return-error true I can not find the olcXYZ options. So, I thank you really very much for any help. :-) Christian

3 6

[Openldap 2.4.16] Unable to use DB_CONFIG
by Lepoutre Lionel 26 Jul '09

26 Jul '09

Hello, I am trying to use the DB_CONFIG file as it seems to be the good way to configure my hdb database. My LDAP start without any DB_CONFIG, but when I put a DB_CONFIG file I have an error: "unrecognized name-value pair: dn:" Here is an extract of my files (I have changed my personal information by MY...) - slapd.conf: ------------------------------------ database hdb suffix "MY_LDAP_SUFFIX" rootdn "MY_ROOT_DN" rootpw MY_ROOT_PASS directory /opt/local/openldap/var/openldap-data - DB_CONFIG: ----------------------------------- # global configuration settings dn: cn=config objectClass: olcGlobal cn: config # schema definitions dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=core,cn=schema,cn=config objectClass: olcSchemaConfig cn: core #backend definitions dn: olcBackend=hdb,cn=config objectClass: olcBackendConfig olcBackend: hdb # database definitions dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig olcDatabase: hdb olcSuffix: MY_LDAP_SUFFIX .... It seems to be because of the first line of my DB_CONFIG file but I have copied it from the documentation ( http://www.openldap.org/doc/admin24/slapdconf2.html). Did I miss something? Is it not the good file for such configuration? Any help is welcome and sorry if it is a stupid question. Lionel

2 2

Re: tls init def ctx failed: -1 with my cacert signed certs
by Jelle de Jong 25 Jul '09

25 Jul '09

Brian A. Seklecki wrote: > On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote: >> Hello everybody, >> >> This is my first post to this list so thank you for making and >> supporting openldap and be gentle on me :) >> >> I have a server that has cacert.org signed certificats, I use them for >> apache > > Does: > /usr/share/ca-certificates/cacert.org/root.crt > > Have an entire concatenated CA Chain? Are there intermediate certs? > > try: > > $ openssl x509 -text -in /usr/share/ca-certificates/cacert.org/root.crt > > > ~BAS > > >> https, postfix and dovecot. Now I am trying to use them to get a >> secure only access to openldap. I am still a bit new to openldap but I >> get this output: >> >> http://debian.pastebin.com/m449836db >> >> What is going on? >> Hi BAS, thank you for helping, I gathered some more information I hope it can help to see what is going on, I can't make anything from the debug output of the openldap server http://debian.pastebin.com/m56aaee1e Thanks in advance, Jelle

5 7

LDAP and SASL problem
by Gildas Bayard 24 Jul '09

24 Jul '09

Hello, I'm setting up a new ldap server on ubuntu server 8.04.3 LTS. man slapd.conf encourages me into using SASL auth for rootdn instead of setting the rootpw parameter in slapd.conf. So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me admin@coruscant: userPassword which is what is expected. But then I see that the password there is in plain text so I don't really get the advantage of using SASL then. So I decide to use saslauthd instead (which in turn will use pam by default). My problem is that I could not find how to tell openldap to use saslauthd instead of sasldb. I tried to add a /usr/lib/sasl2/slapd.conf file with this inside (world readable): pwcheck_method: saslauthd But it seems that this file is not read. I see that ubuntu created a /etc/ldap/sasl2 directory for me but how could I know if sasl is looking in it? How does sasl know it has to look for a slapd.conf file and not openldap.conf or whatever.conf? Could someone shed some light on this subject for me? Cheers, Gildas

3 3

tls init def ctx failed: -1 with my cacert signed certs
by Jelle de Jong 24 Jul '09

24 Jul '09

Hello everybody, This is my first post to this list so thank you for making and supporting openldap and be gentle on me :) I have a server that has cacert.org signed certificats, I use them for apache https, postfix and dovecot. Now I am trying to use them to get a secure only access to openldap. I am still a bit new to openldap but I get this output: http://debian.pastebin.com/m449836db What is going on? Thanks in advance, Jelle de Jong

2 1

Unique overlay usage with filter
by Kyle Blaney 23 Jul '09

23 Jul '09

I'm using the unique overlay in OpenLDAP 2.4.16 and finding it too easy to violate the uniqueness constraints I have defined. For example, if I have the following in my slapd.conf (taken from slapo-unique man page): overlay unique unique_uri ldap:///?cn?sub?(sn=e*) I can violate the uniqueness constraints as follows: 1. Add an entry with cn=a and sn=e. 2. Add a second entry with cn=a and sn=f. 3. Modify the sn of the second entry so that sn=e. The attribute modification succeeds but causes a violation of the uniqueness constraints. Is there any way to configure OpenLDAP so that the attribute modification fails due to a constraint violation? Kyle Blaney

3 6

OpenLDAP 2.4.16: can not add multiple 'member' attributes to object groupOfNames
by O. Hartmann 23 Jul '09

23 Jul '09

Hello, I try to add multiple member attributes to an object of type groupOfNames and I fail. The same is for objectClass groupOfUniqueNames. Whenever I try to add the multi-attribute, I receive an error like 'info: member: value #1 invalid per syntax, dec: invalid syntax'. I can add exactly one attribute of type 'member' for this object. Well, I'm confused, since this worked in older OpenLDAP versions (I'm now using 2.4.16). The client(s) I try to add attributes are 'ldapadd' with a regular LDIF file (file works well if only ONE member-attribute is specified), LUMA and LAM. All have their described problems. I guess there is a knob I've overseen or I do something conceptionally wrong with OpenLDAP 2.4. Can you help? Regards, Oliver P.S. Server is OpenLDAP 2.4.16 on FreeBSD 7.2 and 8.0, for information.

4 6

Re: performance issue behind a a load balancer 2.3.32
by Tom Ryan 22 Jul '09

22 Jul '09

I notice that you are talking about only one F5? How do you have your secondary F5 configured?? Perhaps the issue is in that? Granted, I realize this doesn't contribute to the conversation, but it does raise a point. Just saying... ----- Original Message ----- From: openldap-software-bounces+tomryan=camlaw.rutgers.edu(a)openldap.org <openldap-software-bounces+tomryan=camlaw.rutgers.edu(a)openldap.org> To: John Madden <jmadden(a)ivytech.edu> Cc: openldap-software(a)openldap.org <openldap-software(a)openldap.org> Sent: Tue Jul 21 22:03:52 2009 Subject: Re: performance issue behind a a load balancer 2.3.32 yep, for a production environment, running on only one, is a sure fire way to earn myself a sparkling new pink slip... -- David J. Andruczyk ----- Original Message ---- From: John Madden <jmadden(a)ivytech.edu> To: David J. Andruczyk <djandruczyk(a)yahoo.com> Cc: openldap-software(a)openldap.org Sent: Tuesday, July 21, 2009 4:47:07 PM Subject: Re: performance issue behind a a load balancer 2.3.32 On Tue, 2009-07-21 at 12:39 -0700, David J. Andruczyk wrote: > This is a large production environment (several hundred servers, > thousands of requests per minute) and the F5-LB is used to balance the > load and take care if a node needs to be taken out of service for maint Given, I run a smaller environment, but even on a several-years-old v2.2.x install I regularly see several thousand requests per second -- not minute -- with tons of logging enabled -- handled while hardly touching the CPU. Are you sure you really need multiple machines? John -- John Madden Sr UNIX Systems Engineer Ivy Tech Community College of Indiana jmadden(a)ivytech.edu

2 2

back_relay difficulties
by Jeff Doyle 22 Jul '09

22 Jul '09

1 0

DetlaSync rid
by Peter Clark 21 Jul '09

21 Jul '09

Hello, This is probably easy to but I did not find a straight forward answer posted. When using Delta Syncrepl do you use a unique number for the rid on each consumer in the slapd.conf? ie: 1 master and 3 slaves: slave 1: syncrepl rid=0 blah... slave 2: syncrepl rid=1 blah... slave 3: syncrepl rid=2 blah... Or can I just use syncrepl rid=0 on all 3 slaves? Thank you. Peter

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software July 2009