openldap-software September 2009

openldap-software@openldap.org

50 participants
51 discussions

set.regex and substring substitution
by Ronie Gilberto Henrich 10 Sep '09

10 Sep '09

Hi, I am trying to grant users access to a ldap object when user/allowedDomain match the Mail object ou. To accomplish that I have to use set.regex and substring substitution, but I was not able to figure out what I am doing wrong. This is the current ACL: access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$" by set="user/allowedDomain & this/ou" write result: ======= "ou=example.com,ou=Mail,o=example,c=BR" = write(=wrscxd) "mail=test(a)example.com,ou=example.com,ou=Mail,o=example,c=BR" = 0 This is the ACL that I am trying to build. It was expecting both results as = write(=wrscxd), but I am getting only = 0. access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$" by set.regex="user/allowedDomain & $2" write result: ======= "ou=example.com,ou=Mail,o=example,c=BR" = 0 "mail=test(a)example.com,ou=example.com,ou=Mail,o=example,c=BR" = 0 Any ideas about what I should do for this to work? Thanks! Ronie

1 0

TLS Info?
by Eric Nichols 09 Sep '09

09 Sep '09

I have not been able to figure out how to dump more info on the encryption levels, certificate CN & expiration date etc. Should this be done through the openssl functions? If so, what do I hook them to? -- Thanks, Eric Directory Wizards Inc. www.dirwiz.com

4 5

Strange issue with replication in mirror mode
by Jérémie Grauer 09 Sep '09

09 Sep '09

3 4

ldap_result(), Posix signals and error checking
by John Miller 07 Sep '09

07 Sep '09

Hi all, I have noticed a problem with my program (which is supposed to generate and receive many Posix signals ) and the function ldap_result(). It happened to both my code and those library functions that used it (the synchronous versions of various add/search/modify functions). They all failed randomly with a "Can't contact LDAP server" error. I tracked the issue down to the poll() function in os-ip.c : it's return value is not checked to see if it has been interrupted by a signal. Patching the library ( making the poll function to restart if errno == EINTR after failure ), resolved my problem. Is it a bug or a choice? The patch is trivial, but if that error is not checked by choice that should be documented imho. Cheers, JM

3 3

Using SASL OTP
by Emmanuel Dreyfus 05 Sep '09

05 Sep '09

Hello Anyone has experience using SASL OTP with OpenLDAP? Here is what I understood so far: - OTP stuff is stored in SASL auxprop cmusaslsecretOTP, which can be stored in sasldb or in LDAP. - If OpenLDAP finds a cmusaslsecretOTP attribute for a user, and if the OTP plugin is installed both on the client and the server, then the OTP challenge is presented when requesting the OTP method. That leaves me with two problems: how to set cmusaslsecretOTP in LDAP? - if I use salspasswd2, it will store cmusaslsecretOTP in sasldb. I can copy paste it to the LDAP directory, which is not very satisfying. - If I install the Cyrus ldapDB plugin and add a sasl2/salspasswd.conf, it seems I can tell salspasswd2 to write to the directory: ldapdb_uri: ldaps://ldap.example.com I have not fully investigated, but it seems the thing cannot prompt for credentials: DN/password must be stored in salspasswd.conf, which makes multiuser utilization troublesome. - salspasswd2 calls sasl_setpass(), and a look at OpenLDAP sources shows that passwd_extop()/slap_sasl_setpass() does the same. That suggests it is possible to have slapd doing the thing, but how does it works? In passwd_extop(), slap_sasl_setpass() will only be called if op-o_bd is NULL. In what situation does it happen? - And my last problem is to generate OTP. setkey(1) does not seems to produce something acceptable by SASL OTP. I have to investigate further. -- Emmanuel Dreyfus manu(a)netbsd.org

3 6

ACL problem in slapd.conf
by Tomasz Chmielewski 04 Sep '09

04 Sep '09

I would like to allow a user to edit everything in a given subtree. For example, I would like to allow uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in *,ou=Users,dc=example,dc=com. I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up access for that user, but I keep getting "insufficient access". onn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389) conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128 conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0 conn=5 op=0 RESULT tag=97 err=0 text= conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com" conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry My rule in slapd.conf is: access to dn="ou=Users,dc=example,dc=com" by dn="uid=Operator,ou=Users,dc=example,dc=com" write by dn="uid=Operator,ou=Users,dc=example,dc=com" read I also tried to use: access to dn.subtree="ou=Users,dc=example,dc=com" ... But then I'm not even able to connect. -- Tomasz Chmielewski http://wpkg.org

5 8

Assertion failure in ldapsearch
by Guillaume Rousse 04 Sep '09

04 Sep '09

This server is frozen, and ldapsearch crashes: [root@etoile main]# ldapsearch -x ldapsearch: error.c:272: ldap_parse_result: Assertion `r != ((void *)0)' failed. Abandon This is openldap 2.4.15 client, with this specific configuration: TLS_CACERTDIR /etc/pki/tls/rootcerts TLS_REQCERT demand NETWORK_TIMEOUT 2 TIMEOUT 2 TIMELIMIT 2 On my own host, with 2.4.17 and no configuration, the client just hangs indefinitly. I'm joining the network capture. -- BOFH excuse #229: wrong polarity of neutron flow

4 6

Disk exhausting because of log.0000xxxx files
by Olivier Nicole 03 Sep '09

03 Sep '09

Hi, Because of a sputid script I wrote that was unduly modifying my LDAP directory, I endup exhausting my disk space with Berkeley DB log files of the type log.00000xxxx. My LDAP uses a database of type bdb, I have the option dbconfig set_flags DB_LOG_AUTOREMOVE and thought it would take care of removing the log files. It seems not so I must be missing something. (As for back-up safety, I have a script that does a slapcat every 2 hours keeping 10 days of back-ups, plus nightly back-up on a back-up server, so removing BDB logs should be quite safe) Any help will be warmly welcome. Best regards, Olivier

3 2

Adding a new user to existing LDAP group
by Subbarao Karanam 03 Sep '09

03 Sep '09

We already have a created LDAP Database with multiple groups and users.Now I want to add a new user and assign him to existing group I have created a newuser.ldif file as follows dn: uid=test,ou=people,dc=crmsldap,dc=agilent changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: test sn: test uid: test userPassword: test uidNumber: 10000 gidNumber: 300 homeDirectory: /home/test dn: cn=admin,ou=groups,dc=crmsldap,dc=agilent changetype: modify memberUid: test When I run the script /opt/symas/bin/ldapmodify -x -D "cn=Manager,dc=crmsldap,dc=agilent" -W -f newuser.ldif it gives an error as follows ldapmodify: modify operation type is missing at line 21, entry "cn=admin,ou=groups,dc=crmsldap,dc=agilent" Thanks Subbarao

3 2

openldap configuration error
by Jittinan Suwanrueangsri 03 Sep '09

03 Sep '09

Hi I have configure openldap 2.4.16 with following option env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure --enable-bdb=mod --enable-hdb=mod --enable-ldap=mod --enable-monitor=mod --enable-spasswd=yes --enable-modules=yes --enable-wrappers=yes --enable-overlays=mod --with-cyrus-sasl --with-tls=openssl --enable-dynacl=yes --enable-crypt=yes --enable-lmpasswd=yes After run make test command there is error as shown below >>>>> Starting test018-syncreplication-persist ... running defines.sh Starting producer slapd on TCP/IP port 9011... Using ldapsearch to check that producer slapd is running... Using ldapadd to create the context prefix entry in the producer... Starting consumer slapd on TCP/IP port 9014... Using ldapsearch to check that consumer slapd is running... Using ldapadd to populate the producer directory... Waiting 7 seconds for syncrepl to receive changes... Stopping the provider, sleeping 10 seconds and restarting it... Using ldapsearch to check that producer slapd is running... Waiting 7 seconds for consumer to reconnect... Using ldapmodify to modify producer directory... Using ldappasswd to change some passwords... Waiting 7 seconds for syncrepl to receive changes... Stopping consumer to test recovery... Modifying more entries on the producer... Restarting consumer... Waiting 7 seconds for syncrepl to receive changes... Try updating the consumer slapd... ldapmodify failed (255)! >>>>> ./scripts/test018-syncreplication-persist failed (exit 255) make[2]: *** [bdb-mod] Error 255 make[2]: Leaving directory `/home/jittinans/openldap-2.4.16/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/home/jittinans/openldap-2.4.16/tests' make: *** [test] Error 2 but after that I change to not build backend as module env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure --enable-bdb=yes --enable-hdb=yes --enable-ldap=yes--enable-monitor=yes --enable-spasswd=yes --enable-modules=yes --enable-wrappers=yes --enable-overlays=mod --with-cyrus-sasl --with-tls=openssl --enable-dynacl=yes --enable-crypt=yes --enable-lmpasswd=yes I work correctly.Why?

2 4

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software September 2009