openldap-software September 2009

openldap-software@openldap.org

50 participants
51 discussions

dynlist overlay and ldapsearch
by ben thielsen 03 Feb '10

03 Feb '10

hi- i'm using the dynlist overlay and am not getting back the search results i expected. i'm using 2.4.11 courtesy of debian. here is my overlay config: >ldapsearch -xWLLLD 'cn=admin,cn=config' -b 'cn=config' "(objectclass=olcdynamiclist)" dn: olcOverlay={5}dynlist,olcDatabase={2}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynamicList olcOverlay: {5}dynlist olcDLattrSet: {0}groupOfNames memberURL member olcDLattrSet: {1}mailGroup labeledURI here is the entry in question: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' -s base -b 'cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net' dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net objectClass: mailGroup objectClass: top objectClass: extensibleObject cn: abuse member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail ,dc=groundnoise,dc=net labeledURI: ldap:///ou=domains,ou=mail,dc=groundnoise,dc=net?host?sub?(objectC lass=mailDomain) host: phone.dipswitch.net host: luna.mpls.mn.us host: groundnoise.net host: thielsen.org host: sjva1991.org host: dipswitch.net host: bitrate.net searched for another way: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))' host dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net host: phone.dipswitch.net host: luna.mpls.mn.us host: groundnoise.net host: thielsen.org host: sjva1991.org host: dipswitch.net host: bitrate.net however, the results from this search are missing that entry: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=dipswitch.net)' dn dn: host=dipswitch.net,ou=domains,ou=mail,dc=groundnoise,dc=net or another search: ldapsearch -xvWD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(host=*))' host ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: (&(objectclass=mailgroup)(host=*)) requesting: host # extended LDIF # # LDAPv3 # base <dc=groundnoise, dc=net> (default) with scope subtree # filter: (&(objectclass=mailgroup)(host=*)) # requesting: host # # search result search: 2 result: 0 Success # numResponses: 1 if i remove the labeledURI attribute and populate with static entries, things appear to work as expected: here's the entry: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))' dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net objectClass: mailGroup objectClass: top objectClass: extensibleObject cn: abuse member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail ,dc=groundnoise,dc=net host: foo host: bar host: com host: net host: org and a search: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=foo)' dn dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net what am i doing wrong? thanks -ben

3 3

Re: solaris compile options
by Brett ＠Google 24 Jan '10

24 Jan '10

i am using CFLAGS="-fast -xtarget=ultraT1 -xarch=sparcvis2 -xcode=pic32 -g -xs -O" one set of solaris docs i read implied that -xarch=sparcvis2 was equivalent to -xarch=v9 (which used to trigger 64 bit), but looking at the sun studio 12 compiler options, the more specific versions of -xarch (ie. other than -xarch=v9 or v9a or v9b) may no longer imply that the 64 bit memory model should be used. so maybe i need to add a -m64 to the above ? (compiling on a Sun T2000, with a homegenous build / execute environment, so favouring speed over cpu compatibility is ok) On Thu, Mar 12, 2009 at 1:31 AM, Aaron Richton <richton(a)nbcs.rutgers.edu>wrote: > On Wed, 11 Mar 2009, Brett @Google wrote: > > /data/openldap/backups/ldap_090302.ldif: Value too large for defined data >> type >> > > man lfcompile, and/or switch to 64-bit binaries? >

2 3

problem with security ppolicy
by Evgeniy 08 Oct '09

08 Oct '09

hello OpenLdap 2.4.18. Attribute "pwdAccountLockedTime" is set, but auth is still Ok . Why ? On Ldap 2.3 it works normal - user don't auth after this date. # date Tue Sep 22 21:24:44 MSD 2009 ldapsearch -h localhost -x -b 'ou=SrpUsers,dc=company,dc=com' -D "cn=admin,dc=company,dc=com" -w password "cn=_1*" + | grep pwdAccountLockedTime pwdAccountLockedTime: 20090922153148Z but slapauth -v -f /usr/local/etc/openldap/slapd.conf -U _125363 -X u:_125363 bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/accesslog-data: (2). Expect poor performance for suffix "cn=accesslog". bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2). Expect poor performance for suffix "dc=company,dc=com". ID: <_125363> authcDN: <uid=_125363,cn=auth> authzDN: <uid=_125363,cn=auth> authorization OK How I can resolve problem with non-working "pwdAccountLockedTime" ? -- ---______________________________________________--- Evgeniy

3 9

SASL Mech EXTERNAL disabled?
by Dieter Kluenter 29 Sep '09

29 Sep '09

Hi, after updating to openldap-2.4.18, tls enabled sasl external mechanism seems to be disabled, but it is still enabled via ldapi:// :~> ldapwhoami -Y external -ZZ -H ldap://localhost SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Authentication method not supported (7) Is this a bug, or has something changed which I haven't noticed? :~> ldapsearch -x -LLL -H ldap://localhost -b "" -s base supportedSASLMechanisms dn: supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: DIGEST-MD5 :~> ldapsearch -x -ZZ -LLL -H ldap://localhost -b "" -s base supportedSASLMechanisms dn: supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: PLAIN supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: LOGIN :~> ldapsearch -x -LLL -H ldapi:/// -b "" -s base supportedSASLMechanisms dn: supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: PLAIN supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: LOGIN supportedSASLMechanisms: EXTERNAL -Dieter -- Dieter Klünter | Systemberatung sip: +49.180.1555.7770535 http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6

3 5

Write, then read & mirror-mode
by Peter Mogensen 29 Sep '09

29 Sep '09

Hi, I about to set up a mirror-mode server pair with a slapd-ldap proxy to access them through. But it strikes me that the small delay for replication may result in race conditions for applications which use write, then read of entries. Like: The application creates an object through the proxy, which forwards the add request to server-1. Immediately after the application tries to read the object back, but now the proxy have a small chance for redirecting the search request to server-2 ... before replication has been done? Is this correct? Is there anyway to avoid it besides writing directly to server-1 or server-2 and reading back from the same server? /Peter

2 1

LDAP_OPT_X_TLS_NEWCTX
by Michael Ströder 29 Sep '09

29 Sep '09

HI! How is LDAP_OPT_X_TLS_NEWCTX set to LDAP_OPT_ON supposed to work? I've added support for it in python-ldap to set connection-specific values for LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE. Note: In python-ldap LDAP options can be set globally by invoking ldap.set_option() or connection-specific with LDAPObject.set_option() which both uses ldap_set_option() in libldap or libldap_r. A libldap constant LDAP_OPT_FOO is mapped to a python-ldap constant ldap.OPT_FOO. Python-code for testing looks like this: ---------------------------- snip ---------------------------- # Create LDAPObject instance l = ldap.initialize('ldap://localhost:1390') # Set LDAP protocol version used l.protocol_version=ldap.VERSION3 # Force libldap to create a new SSL context l.set_option(ldap.OPT_X_TLS_NEWCTX,ldap.OPT_ON) # Force cert validation l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND) # Set path name of file containing all trusted CA certificates l.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE) # Now try StartTLS extended operation l.start_tls_s() # Try a bind to provoke failure if protocol version is not supported l.simple_bind_s('','') # Close connection l.unbind_s() ---------------------------- snip ---------------------------- But this does not work. The CA cert file is not taken into account for validating the server cert. Setting it globally with ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE) works. Ciao, Michael.

1 0

Proxy Authorization
by Jittinan Suwanrueangsri 27 Sep '09

27 Sep '09

Hi All I try configure slapd.conf to support proxy authorization but I can not add authzTo attribute to an entry [root@masterldap ~]# ldapmodify -x -w secret -D "cn=admin,dc=demo,dc=net" dn: uid=matt,ou=Users,dc=demo,dc=net changetype: add authzTo: dn.regex=^uid=[^,]*,ou=Users,dc=demo,dc=net$ adding new entry "uid=matt,ou=Users,dc=demo,dc=net" ldap_add: Invalid syntax (21) additional info: authzTo: value #0 invalid per syntax [root@masterldap ~]# I didn't see an authzTo attribute in any openldap schema .How can I fix an error?

2 1

Search fails after adding index
by Laurens Blankers 27 Sep '09

27 Sep '09

Hi, I am trying to index searching on uid. However as soon as I add the following index to slapd.conf: index uid pres,eq,sub stop slapd, run 'su openldap -c slapindex' and start slapd again, searching for any uid returns 0 results. I am using the following search command: ldapsearch -x "(&(objectClass=posixAccount)(uid=laurens))" After removing the index line from slapd.conf and restarting slapd the search returns the desired result again. I set the loglevel to 480, but the log does not contain any entries which indicate a problem. Why does adding indexes result in the search failing? I am running OpenLDAP 2.4.17 on Debian testing with the hdb backend. TIA, Laurens

3 3

syncrepl, updateref, chain overlay and the authzTo attribute
by Edgar Fuß 24 Sep '09

24 Sep '09

Some questions around syncrepl, updateref, the chain overlay and teh authzTo attribute: For performance reasons, I need a LDAP replica on a remote site. I set this up using syncrepl. Now, given some clients' inability to direct updates to an LDAP server different from the one they send queries to, is the following the intended way to deal with this situation (using OpenLDAP as a server, of course) or is there a simpler solution? - set updateref on the syncrepl consumer - use the chain overlay on the syncrepl consumer - set an appropriate authzTo attribute for the replication entity and set autz-policy to to on the syncrepl provider I'm somewhat reluctant to configuring something as powerful as proxy auth in LDAP attributes. Is there a way to configure proxy authorisation solely in slapd.conf? Or at least, to restrict it to entities explicitly enumerated in slapd.conf? As an aside, I couldn't find it documented that authzTo was an operational attribute, so I wasted my time looking for a schema containing that attribute. Did I miss something or is this indeed not documented explicitly?

3 5

Install openldap-2.4.16 is paused when "make test"
by openbsd shen 24 Sep '09

24 Sep '09

I use these command to install openldap 2.4.16: env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure --prefix=/usr/local/openldap --enable-ldbm --enable-crypt make depens make When I "make test", it said: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< cd tests; make test make[1]: Entering directory `/tmp/openldap-2.4.16/tests' make[2]: Entering directory `/tmp/openldap-2.4.16/tests' Initiating LDAP tests for BDB... Running ./scripts/all... >>>>> Executing all LDAP tests for bdb >>>>> Starting test000-rootdse ... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to retrieve the root DSE... Using ldapsearch to retrieve the cn=Subschema... Using ldapsearch to retrieve the cn=Monitor... dn: objectClass: top objectClass: OpenLDAProotDSE structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: o=OpenLDAP Project,l=Internet monitorContext: cn=Monitor supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 vendorName: The OpenLDAP Project <http://www.openldap.org/> entryDN: subschemaSubentry: cn=Subschema dn: cn=Subschema objectClass: top objectClass: subentry objectClass: subschema objectClass: extensibleObject cn: Subschema dn: cn=Monitor objectClass: monitorServer cn: Monitor description: This subtree contains monitoring/managing objects. description: This object contains information about this server. description: Most of the information is held in operational attributes, which must be explicitly requested. monitoredInfo: OpenLDAP: slapd 2.4.16 (Sep 24 2009 10:16:54) >>>>> Test succeeded >>>>> ./scripts/test000-rootdse completed OK. >>>>> Starting test001-slapadd ... running defines.sh Running slapadd to build slapd database... >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And then, the progress is pausing.... I found that the port 9101 is opening: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< tcp 0 0 127.0.0.1:9011 0.0.0.0:* LISTEN >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> And the progress is running: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< root 24159 0.0 0.4 10964 4148 pts/0 S+ 10:19 0:00 /tmp/openldap-2.4.16/tests/../servers/slapd/slapd -Ta -d 0 -f /tmp/openldap-2.4.16/tests/testrun/slapadd.conf -l ./testdata/test-ordered.ldif >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software September 2009