openldap-software February 2010

openldap-software@openldap.org

30 participants
22 discussions

architecture and DIT change strategy
by Guillaume Rousse 31 Mar '10

31 Mar '10

Hello. I'm trying to find the best way to conduct a consequent change in our data model and servers topology, with the fewer service disturbing. Before the reorganisation, we were a single entity, splitted on three different sites. As a consequence, we had a single database for all our users and groups: dc=new,dc=foo,dc=tld |-users | |-site1 | |-site2 | |-site3 |-groups |-site1 |-site2 |-site3 The master server is hosted on one site, and we have slave servers on three sites After the reorganisation, we are three different entities, and I'd like to break the tree in the three different databases, each site hosting a server acting as the master for its own base, a slave for the two others: dc=site1,dc=foo,dc=tld |-users |-groups dc=site2,dc=foo,dc=tld |-users |-groups dc=site3,dc=foo,dc=tld |-users |-groups The change also involves dropping the last part of the original suffix, which is no longer relevant. I'm currently investigating the usage slapo-rwm to provide virtual views of the current database according to the new structure, so as to progressively migrate applications configuration first, then write an automated conversion tool, and finally convert the virtual bases to new ones. But maybe they are better strategies ? -- BOFH excuse #193: Did you pay the new Support Fee?

2 1

SASL /usr/lib/sasl2/App.conf configuration
by Francis Swasey 17 Mar '10

17 Mar '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am attempting to set up OpenLDAP 2.4 on an RHEL5 system. I have applied patches that rename the OpenLDAP binaries to append 2.4 to the name, so it can co-exist with the standard RHEL5 rpms without causing issues. However, one unexpected side effect is that I don't know what it is now using as the name of the conf file in /usr/lib/sasl2. In reading the SASL section of the Admin Guide, I was directed to read the cyrus sasl sysadmin.html which tells me to "Check your application's documentation for specifics". Sadly, I can't find the specifics about how OpenLDAP is setting the SASL configuration file name in OpenLDAP's documentation. Which of the fine documents do I need to read? Thanks, - -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900) -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLe/7IAAoJEK5S4SsZ5NvS6lwP/1dyEWZys18QLCGW8wv23J9I 4YlbPe5Ci3TsxNWZAcUkAOgp1EEhOTqkJ3yboX2xDsS+gymIciJmtNWJrZmUpZLj BGdtMmLR9NTsgngk7Wta+HUeZ6iQcyLdnYRiF6hlXTpXB49TH2a9kgkbYXjLFcFb KWI90By0IZaQFZGC4kcLKLVH0OIvsO2akIH8gJL6q6lVefLHyaL0TCuA1xC7zWvK OHk/v8RhS3m1fuBtWcRnDLIezwI29z6tk2RpuL0rHP87y13UUw0UQIkgv2gzkQuw fxjErrIM2tkmwxeIyi+s4mAek94Y8794qD/xPpHdqHH0+qGkJfwL1FTiWkH4VQZU FbU+SJIzpc4WOL1GpudS+IXGE3XdcGGTgXynDdt3LQMx9xLfBXtadj5AbJnuyfvu BZXoVdcH+Cbr35nimYSGyqI/jfVJuNezMbQYwv/R39myJ0MDuNWNulCppq40tHDU UsTAMDvC2r4PsSNMbmeb7JqC5JP+AUwKtWWEi8otCuo6/UdVl5U8OpqZ9XbxaP69 U2ca8MplczCOzC0WNLajcccrqlT8UNvUzpVJCh3crpx5GTgKElPHUxGxTeutchu3 5EC5QpPZyD7eB5McMUNA2/3CtYq7Uf1cC5xtP1up6l9rw7kh4otxuvXd/b6MrxvA BVKlfNKdwBnKFDNr3OXC =eNRN -----END PGP SIGNATURE-----

2 5

Re: Ambiguous SSL/TLS error messages from slapd
by Brian A. Seklecki (CFI NOC) 19 Feb '10

19 Feb '10

Steve, I agree: This error gets printed with "-1" under too many conditions. Just look at: libraries/libldap/tls2.c::ldap_pvt_tls_set_option() RC Return Code -1 could happen in about a dozen places. I think we need to take a two step approach to fixing this: 1) Long term, implement OpenSSL's err(3) 2) Short term, in servers/slapd/main.c: Debug( LDAP_DEBUG_ANY, "main: TLS init def ctx failed: %d\n", rc, 0, 0 ); We should change / append to this to clarify: if (rc < 0) Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n",rc,0,0); if (rc > 0) Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n",rc,0,0); I will submit a patch. ~BAS

4 5

pass through authentication problem
by Geoff Baker 18 Feb '10

18 Feb '10

Hi, I have a Red Hat 5 machine that I have compiled openldap-2.4.19 with the --enable-spasswd option. I have configured saslauth to do its thing as per the instructions on http://www.openldap.org/doc/admin24/security.html#Authentication%20Methods I cannot seem to add the userPassword:: {SASL} user@domain part though. If i try to import a ldif like the following: dc: uid=user,dc=domain changetype: modify replace: userpassword userPassword:: {SASL} user@domain I get an error saying ldapmodify: invalid format (line 4) entry: "" if i change it to be userpassword: {SASL} user@domain - that works but the entry is hashed (is that ok?) Then when i try to do a bind with that user account i get invalid credentials... Can somebody please help me try to work out why openldap doesn't seem to be passing on the request to SASL?

3 2

Upgrade openldap, os and backend - pointers for best performance ?
by Leon de Rooij 13 Feb '10

13 Feb '10

Hi all, I recently decided it was time for some upgrades, so I installed a new OpenLDAP server with the following changes: Old New os: Ubuntu Hardy Server 32bit FreeBSD 8.0-Release-p2 kernel: 32bit 2.6.24-24-server 32bit 8.0-Release-p2 fs: XFS UFS (soft-updates) ldap: 2.3.37 2.4.21 bdb: 4.6.21-6 4.7.25.4 The rest is the same, dual 3.06Ghz P4 Xeon with only 4GB RAM. I'm using hdb as backend and have about 170k entries in the directory. Slapd configuration is the same. Oh and I'm only using syncprov overlay. DB_CONFIG is the same on both machines, only containing this: set_cachesize 0 268435456 1 set_lg_regionmax 262144 set_lg_bsize 2097152 set_lk_detect DB_LOCK_EXPIRE On the new server, slapcat is faster, search returning single entry is slower, but search returning ~10k entries is faster (these are all second tries so cached data is used): time ldapsearch filter=(uid=someusername) > /dev/null, returning one entry on localhost old (on linux): real 0m0.006s user 0m0.000s sys 0m0.000s new (on freebsd): real 0m0.033s user 0m0.010s sys 0m0.008s --- time ldapsearch filter=(uid=a*) > /dev/null, returning ~10k entries on localhost old (on linux): real 0m1.728s user 0m0.870s sys 0m0.220s new (on freebsd): real 0m0.611s user 0m0.074s sys 0m0.015s --- time slapcat > /dev/null old (on linux): real 0m26.834s user 0m17.220s sys 0m1.080s new (on freebsd): real 0m9.589s user 0m8.884s sys 0m0.699s --- Now I know that too many variables have changed to point exactly at what's the reason for the speed changes, but does anyone else have experience with these version differences ? I need to be able to do about 100 searches/sec which will probably not be a problem, but I am curious whether someone has some pointers on how I can optimize for example some sysctl's, UFS mount settings, DB_CONFIG or something else on this new setup to get the best performance possible ? Thanks a lot & kind regards, Leon de Rooij leon(a)scarlet-internet.nl PS: Thanks to all the developers of OpenLDAP, I've been using it without any problems for a couple of years already and it rocks very much!

2 1

RE: Failure to delete entry with multi-master replication
by Kyle Blaney 12 Feb '10

12 Feb '10

I can now reliably reproduce this problem in 2.4.21 and 2.4.20 on a multi-master setup that only has five entries: 1. Stop service on server A. 2. Delete one entry on server B. 3. Start service on server A. After step 3, the entry is never deleted from server A. I have changed many aspects of configuration (replication with and without TLS, syncprov-sessionlog enabled and disabled, syncprov-checkpoint enabled and disabled, syncprov-nopresent TRUE and FALSE, syncprov-reloadhint TRUE and FALSE) and the problem still occurs. Is this problem the same one outlined in "test 058 failure" at http://www.openldap.org/lists/openldap-software/201002/msg00031.html? Kyle -----Original Message----- From: openldap-software-bounces+kblaney=avaya.com(a)OpenLDAP.org [mailto:openldap-software-bounces+kblaney=avaya.com@OpenLDAP.org] On Behalf Of Blaney, Kyle AVAYA (BVW:9T16) Sent: February 9, 2010 4:46 PM To: openldap-software(a)openldap.org Subject: Failure to delete entry with multi-master replication I have encountered a situation with multi-master replication in OpenLDAP 2.4.21 where an entry deleted on one server is not deleted from its peer. I'm using Redhat Enterprise Linux 5. Here's what I did: 1. Configure Network Time Protocol with server A as the NTP master and server B as the NTP slave. 2. Configure multi-master replication between server A (server ID=1) and server B (server ID=2). 3. Start OpenLDAP service on servers A and B. 4. Add an entry to server A and ensure it's replicated to server B. 5. Add an entry to server B and ensure it's replicated to server A. 6. Stop OpenLDAP service on server A. 7. Delete an entry on server B. 8. Start OpenLDAP service on server A with sync debugging enabled (-d sync). At this point, I expected that the entry deleted from server B would be deleted from server A. Instead, the entry remained on server A and slapd displayed the following (with the entry's DN X'ed out): slapd starting do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE Entry XXXXXX CSN 20100209193028.621799Z#000000#001#000000 older or equal to ctx 20100209193028.621799Z#000000#001#000000 syncprov_search_response: cookie=rid=001,sid=001,csn=20100202210831.101462Z#000000#000#000000;2010 0209193028.621799Z#000000#001#000000;20100209193118.342038Z#000000#002#0 00000 Why wouldn't the entry deleted on server B also deleted from server A? Is the failure to delete the entry related to the "entry CSN older or equal to context CSN" message? Unfortunately, I have been unable to reproduce the failure since I first saw it. All subsequent tests have shown that the entry deleted from server B is deleted from server A when the OpenLDAP service on server A is restarted. Kyle Blaney

2 1

test 058 fail
by Joseph Guerra 12 Feb '10

12 Feb '10

I am consistently failing test 058 (syncrepl-asymmetric) with the errors: second site1 backend not replicated to central master second site1 backend not replicated to central search and occasionally race error found on iteration 'X' out of 10 Entry not removed on central search What can I do to fix this or can it simply be ignored? I am running this on a red hat 3.4 machine.

1 0

ldapsearch using GSSAPI failed to run from other machine ...
by huican ping 11 Feb '10

11 Feb '10

hello All, Finally I had the "openldap-2.2.5 + cyrus-sasl-2.1.23 + krb5-1.6.3" running on my AS5_64 machine. But now I can only do ldapsearch with GSSAPI on the same machine as the slapd and other suite running, if I ran it from other machine, then it failed with (Unknown code krb5 7). Of course, simple auth worked well. This is a dummy question. I just newly contacted with sasl+krb5 with ldap. Can anyone else kindly people tell me how to make ldapsearch working from other machine? E.g, what kind of setup/procedure I should do on the other machine before I can do ldapsearch with gssapi effectively? FYI, on the other machine, I had the same version of "cyrus+krb5+openldap" installed, so I think the "ldapsearch" links to the enough libraries to do sasl. Output when run on the different machine ============================= /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001 -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)' SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 7) Run on the same machine, it seems working. ======================= /tmp_proj/test/cyrus-sasl-2.1.23/sample>kinit lablogin Password for lablogin(a)IC.ACME.COM: /tmp_proj/test/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001 -Y gssapi -U admina(a)iclab062.ic.acme.com -b "sn=admin,ou=People,o=Acme" '(objectclass=*)' SASL/GSSAPI authentication started SASL username: lablogin(a)IC.ACME.COM SASL SSF: 56 SASL installing layers # extended LDIF # # LDAPv3 # base <sn=admin,ou=People,o=Acme> with scope sub # filter: (objectclass=*) # requesting: ALL # # admin, People, Acme dn: sn=admin,ou=People,o=Acme objectClass: top objectClass: person objectClass: organizationalPerson userPassword:: e1NTSEF9bGZMNXZNNFR1T1VrSm51eVk3RGJWODJFUUpvYVRNWWY= cn: Administrator sn: admin # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1

2 2

TLS Replication
by anjan.prasad＠wipro.com 10 Feb '10

10 Feb '10

Hi, I am configuring Open LDAP TLS replication on Ubuntu 8.10. the normal replication works fine without any issues. But if I enable the TLS certificates. I get the below error messages. slap_client_connect: URI=ldap://<ldap URL> Warning, ldap_start_tls failed (-1) Feb 10 23:42:03 ldapserver slapd[6884]: slap_client_connect: URI=ldap://<LDAP URL> DN="cn=admin,dc=xxx,dc=xxx,dc=xxx" ldap_sasl_bind_s failed (-1) Require help to solve the above error. Regards, Anjan Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

2 1

Ambiguous SSL/TLS error messages from slapd
by Steve Polyack 10 Feb '10

10 Feb '10

I've noticed that some of the error messages presented by slapd can be quite ambiguous in nature. For example, if TLSCertificateKeyFile is specified in slapd.conf, yet is not readable by the user slapd runs as, the following error is observed: 2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: @(#) $OpenLDAP: slapd 2.3.43 (Feb 5 2010 10:47:47) $ root@host:/usr/obj/usr/ports/net/openldap23-server/work/openldap-2.3.43/servers/slapd 2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: main: TLS init def ctx failed: -1 2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: slapd stopped. 2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: connections_destroy: nothing to destroy. For reference, this is on FreeBSD 7.2-RELEASE, base OpenSSL v0.9.8e. Looking briefly at the code, this error message is returned when ldap_pvt_init_def_ctx() fails. I'm not sure which OpenSSL SSL_* function call fails within this function, however I do notice that the only call made to an OpenSSL library's ERR_* function is if the initial SSL_CTX_new() method fails. Am I looking at this wrong altogether, is it simply a question of my slapd loglevel not being high enough or including TLS errors? It will indeed typically list TLS negotation failures. Thanks

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2010