openldap-software April 2010

openldap-software@openldap.org

47 participants
48 discussions

back-ldap and CLOSE_WAIT
by Hugo Monteiro 14 Apr '10

14 Apr '10

Hello list, I have an ldap server acting as proxy, through back-ldap, to another ldap server which holds the data. These servers are in distinct networks and connections are all routed through a firewall. Both proxy and backend servers are running openldap version 2.4.17 (from debian testing/sid). Everything is working fine except that from time to time the proxy server has trouble responding requests. These anomalies happen not very often and for very short periods of time, usually from a couple of seconds to ten seconds. Although things keep working, it's rather annoying for the end user to have its interaction with a system delayed or denied, even if for such short periods. Both system loads, from the proxy and the backend server, appear to be fine and i have no reason to believe that it's a matter of system resources shortness. I can observe though a rather large number of connections (usually from 1k to 2k), from the proxy server to the backend server, in CLOSE_WAIT state. Both servers have set an idletimeout value of 30 seconds and i was to expect that the unused connections would seize to exist after that period of time. Basically i want to know if this number of connections is normal, taking in consideration that most queries and performed anonymously and i'm quite positive that there aren't more than a couple hundred of authenticated binds simultaneously. What steps can i take to reduce this behavior? Thank you all in advance, Hugo Monteiro. -- fct.unl.pt:~# cat .signature Hugo Monteiro Email : hugo.monteiro(a)fct.unl.pt Telefone : +351 212948300 Ext.15307 Web : http://hmonteiro.net Divisão de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.fct.unl.pt apoio(a)fct.unl.pt fct.unl.pt:~# _

1 0

Slave connecting to maser always stay connected?
by Mathew Rowley 13 Apr '10

13 Apr '10

I have a setup with 2 masters (nway multimaster) and 4 slaves each having syncrepl set up to connect to the 2 masters. The question I have, with the following configuration (on the slaves) should they always be connected to the masters? Netstat is showing that the connections are intermittent: type=refreshAndPersist retry="60 +" Netstat on the masters shows that the connections from the slaves will vary sometimes 0, sometimes 4 seems to be somewhat random. We are trying to determine if there is something wrong in our network. Thanks for the help. MAT

3 6

Re:ACLs - allowing a user to add a new attribute
by Sergiy Stepanenko 13 Apr '10

13 Apr '10

I agree about userPassword Something like that can restrict access to it access to attrs=userPassword by anonymous auth by * none -- Sergiy Stepanenko Systems Administrator Information Technology Services University of Saskatchewan ----------------------------------- phone: (306) 966-2762 email:sergiy.stepanenko@usask.ca

1 0

ppolicy_hash_cleartext "recommendation" ?
by Jesús Couto 13 Apr '10

13 Apr '10

Hi all. I've set up an openLDAP directory with the password policy overlay and the ppolicy_hash_cleartext option to ensure cleartext passwords get hashed (as my client request). But the slapo-ppolicy man page clearly states: "It is recommended that when this option is used that compare, search, and read access be denied to all directory users." Its this warning about the userPassword attribute only? That is, more or less, the standard configuration, not even the user can read his password, only write. Or this warning applies to all the directory (bit too much?) Any reason for this warning in particular here? I mean, not letting anybody but the rootdn see the userPassword attribute is a good idea anyway, any particular reason why enabling ppolicy_hash_cleartext makes its extra-good? Best regards, ------------------------------ Jesús Couto F.

1 0

Re: Problems witch dynacl/now=<=...
by masarati＠aero.polimi.it 09 Apr '10

09 Apr '10

> Am 10.04.10 00:03 schrieb "masarati(a)aero.polimi.it" unter > <masarati(a)aero.polimi.it>: > >>> Hi, >>> >>> I am trying to use the >>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c> >>> dynacl >>> module with slapd 2.4.11 (from debian). >>> >>> >>> access to dn.children="dc=dg-i,dc=net" >>> by dynacl/now=>=auditTimestamp none >>> by dynacl/now=<=auditTimestamp none >>> by group.exact="cn=Readers,...." read >> >> Yes. I think you did not understand the logic behind the ACI access >> granting mechanism. When you write >> >> by dynacl/now=>=auditTimestamp none >> >> the "none" indicates how much privilege you allow this rule to give. >> Then, if the rule matches, the privilege is given, otherwise it is not. >> This was designed because ACIs were much more granular that the "now" >> dynacl. Think of this dynacl as something that gives a boolean >> (match/nomatch). If true, the access level will be granted, otherwise >> denied. So, if you have an attribute "validityStarts" and another >> "validityEnds", and you want to allow "read" access to entries that are >> in >> between the validity interval, you'd need to do >> >> access to <what> >> by dynacl/now=">=validityStarts" <level> break >> >> access to <what> >> by dynacl/now="<=validityEnds" <level> > > What I am trying to do is I want to deny access to for Users who either > are > noty yet valid or are expired. > > access to <what> > by dynacl/now="<=validityStarts" none > by dynacl/now=">=validityEnds" none > > > Would this deny Users that are not valid or expired ? If it were fine, it would work as expected. Do you see any resemblance between this and what I wrote above? Personally, I don't. By setting <level> to "none" you're telling dynacl to ignore those rules (line 1772 of slapd/acl.c). That's why now_dynacl_mask() is not even invoked. p.

1 0

Problems witch dynacl/now=<=...
by Manon Goo 09 Apr '10

09 Apr '10

Hi, I am trying to use the <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c> dynacl module with slapd 2.4.11 (from debian). The module seams to initialize correctly but the "now_dynacl_mask" function is never called. my testing ACL looks like: access to dn.children="dc=dg-i,dc=net" by dynacl/now=>=auditTimestamp none by dynacl/now=<=auditTimestamp none by group.exact="cn=Readers,...." read This should allways fail but it does not. it read access is grants to the object for members of the group. Is the module intended for use with 2.4 ? Thanks Manon Manon Goo Dembach Goo Informatik GmbH & Co KG Untersachsenhausen 33 D-50667 Köln Tel: +49 221 801483 0 Mobil: +49 177 8091974 Fax: +49 221 801483 20 Email: manon(a)dg-i.net Emergency: +49 180 555 4992 Amtsgericht Köln HRA 22794, UST ID: DE242 159 527 Geschäftsführer: Manon Goo, Andreas Dembach Haftende Gesellschafterin: Dembach Goo Verwaltungs GmbH

2 1

keywords "modulepath" and "moduleload" ignored?
by Paul Fardy 09 Apr '10

09 Apr '10

Apr 8 11:45:45 authn2 slapd[18074]: /local/etc/openldap/slapd.conf: line 25: keyword <modulepath> ignored Apr 8 11:45:45 authn2 slapd[18074]: /local/etc/openldap/slapd.conf: line 45: keyword <moduleload> ignored Why would these be ignored and why would slapd not give more detail? Thanks, Paul From slapd.conf: > # > # See slapd.conf(5) for details on configuration options. > # This file should NOT be world readable. > # > include /local/etc/openldap/schema/core.schema > include /local/etc/openldap/schema/cosine.schema > include /local/etc/openldap/schema/inetorgperson.schema > include /local/etc/openldap/schema/nis.schema > include /local/etc/openldap/schema/samba.schema > > # Allow LDAPv2 client connections. This is NOT the default. > allow bind_v2 > > # Do not enable referrals until AFTER you have a working directory > # service AND an understanding of referrals. > #referral ldap://root.openldap.org > > pidfile /var/run/openldap/slapd.pid > argsfile /var/run/openldap/slapd.args > #loglevel acl config conns filter packets sync > #loglevel config sync > loglevel -1 > > # Load dynamic backend modules: > modulepath /local/pkg/openldap/lib > > # modules available in openldap-servers-overlays RPM package: > > # modules available in openldap-servers-overlays RPM package: > # moduleload accesslog.la > # moduleload auditlog.la > # moduleload denyop.la > # moduleload dyngroup.la > # moduleload dynlist.la > # moduleload lastmod.la > # moduleload pcache.la > # moduleload ppolicy.la > # moduleload refint.la > # moduleload retcode.la > # moduleload rwm.la > # moduleload smbk5pwd.la > # moduleload syncprov.la > # moduleload translucent.la > # moduleload unique.la > # moduleload valsort.la > > moduleload pw-kerberos.so

2 2

Question on back-perl
by Andrea Cirulli 09 Apr '10

09 Apr '10

Just for fun I was testing the perl backend for openldap. I starting setting up an LDAP using the SampleLdap.pm perl library in the source code. My goal is to setup a consumer LDAP in synch with other LDAP (bdb backend) for keeping the mod add del etc. using the syncrepl mechanism. I want to wrap every modification in the Master LDAP and triggering some perl script. I'm very new to this approach and the first problem I'm facing is how to keep the last db state after a slapd crash or shutdown. Using SamplLdap.pm init it's just a subroutine returning 0, so after the first sync if I shutdown the slapd next time I will need a full resync. Do you know some other clever examples? I mean keeping the state of the LDAP and triggering, for example recording on files, the modifications on LDAP. I tried to add in the subroutine some operation on FILES (using standard open FILE....;print FILE "operation"; close (FILE)) it seems do not work. Many thanks to all! -- Andrea Cirulli

3 3

Bind using a user other than organizationalRole user
by Marcelo de Moraes Serpa 07 Apr '10

07 Apr '10

Hello list, I have a local OpenLDAP server with a couple of users. I'm using it for development purposes, here's the ldif: #Top level - the organization dn: dc=site, dc=com dc: site description: OneLogin LLC objectClass: dcObject objectClass: organization o: OneLogin LLC #Top level - manager dn: cn=Manager, dc=site, dc=com objectClass: organizationalRole cn: Manager #Second level - organizational units dn: ou=people, dc=site, dc=com ou: people description: All people in the organization objectClass: organizationalunit dn: ou=groups, dc=site, dc=com ou: groups description: All groups in the organization objectClass: organizationalunit #Third level - people dn: uid=celoserpa, ou=people, dc=site, dc=com objectclass: pilotPerson objectclass: uidObject uid: celoserpa cn: Marcelo de Moraes Serpa sn: de Moraes Serpa userPassword: secret_12345 mail: marcelo(a)site.com So far, so good. I can bind with "cn=Manager,dc=site,dc=com" and the 12345678 password (the local server password, setup on slapd.conf). However, I would like to bind with any user in under the people OU. In this case, I'd like to bind with: dn: uid=celoserpa, ou=people, dc=site, dc=com userPassword: secret_12345 But I'm getting a (49) - Invalid Credentials error everytime. I have tried through CLI tools (such as ldapadd, ldapwhoami, etc) and also ruby/ldap. The bind with these credentials fails with a invalid credentials error. I was suspecting that maybe OpenLDAP doesn't compare against userPassword? Or maybe some ACL configuration I am missing that is somehow affecting the read access to userPassword for the specific DN. I'm really lost here, any suggestion appreciated! Cheers, Marcelo.

6 7

Replication problem: How to sync?
by Torsten Schlabach (Tascel eG) 07 Apr '10

07 Apr '10

Hi! I have two replicas of my DIT, which unfortunately got out of sync somehow. So I can spot a particular object where one attribute has a different value on one replica than it has on the other one. What would I do to find out how that could have happened? What would I do to fix this? (Other than manually deciding which data is the right one and overwrite the other; I guess this may not even fix it for the next update.) Regards, Torsten

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2010