Shutdown of the OpenLDAP-Software list in favor of the OpenLDAP-Technical list
by OpenLDAP Project
The Project has decided to shut down the OpenLDAP-Software list in favor of the more broadly chartered OpenLDAP-Technical list. This change is intended to eliminate a significant burden upon the list moderators (the OpenLDAP-Software list, unlike the OpenLDAP-Technical list, has long had a narrow charter and strict moderation policy).
On May 29th, all new threads will be rejected by the moderator with a note to take them to the OpenLDAP-technical list. A week will be given for active threads to be concluded (or moved to the openldap-technical list). On June 5th, the list will be shut down. Archives will remain available.
Subscribers of the OpenLDAP-Software list will NOT automatically be subscribed to the OpenLDAP-Technical list. Each person who wishes to follow the openldap-technical list must subscribe themselves to the openldap-technical list.
-- The OpenLDAP Project
Extra character when using search filter but won't appear in the search result
by Wan Mohd Khairi Wan Mohamed
Hi all,
We have a little bit of a problem here. When we tried to search in openldap
with the following filter:-
(&(uid=user1)(customAttribute=somevalue))
... it returned no results. But when we use a similar filter, with an
asterisk (*) appended for the 2nd attribute:-
(&(uid=user1)(customAttribute=somevalue*))
We got the result just fine. The funny thing is, the result listed
customAttribute value as just 'somevalue'. We were wondering what's the
extra character that's preventing us from getting the result when using the
filter without the asterisk.
Has anyone encountered a similar problem before?
Thanks.
Regards,
Wan Mohd Khairi Wan Mohamed
wankhairi [at] nervesis [dot] com [dot] my
http://www.nervesis.com.my
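A practical way to see what the "extra character" is, without guessing, is to look at the raw bytes ldapsearch returns rather than at the terminal rendering. Under LDIF rules (RFC 2849) a value that ends in whitespace or contains a non-printable byte is emitted base64-encoded after a double colon, so the attribute prints as "customAttribute::" instead of "customAttribute:"; decoding it shows the exact bytes. The script below, an added example that is not part of the original post, parses such an LDIF record, reports bytes a terminal hides, and builds the AND filter from the post with the value escaped in RFC 4515 form so the exact stored bytes can be matched without a wildcard. The LDIF record is constructed for the example (a trailing carriage return is assumed as the hidden byte); the DN, attribute and value are placeholders.

```python
import base64

# Constructed sample LDIF record (not from the original post). The stored
# customAttribute value ends in a carriage return, which is not "safe" LDIF
# text, so ldapsearch emits it base64-encoded after a double colon
# (RFC 2849); decoded and printed it still looks like "somevalue".
SAMPLE_LDIF = (
    "dn: uid=user1,ou=people,dc=example,dc=com\n"
    "uid: user1\n"
    "customAttribute:: " + base64.b64encode(b"somevalue\r").decode() + "\n"
    "description: a long value that LDIF folds onto\n"
    "  a continuation line\n"
)


def parse_ldif_values(text):
    """Return {attribute: [raw byte values]} for one LDIF record.

    Handles folded lines (a leading space continues the previous line)
    and base64 values (attribute name followed by a double colon).
    """
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    values = {}
    for line in lines:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):
            raw = base64.b64decode(rest[1:].strip())
        else:
            raw = (rest[1:] if rest.startswith(" ") else rest).encode("utf-8")
        values.setdefault(name, []).append(raw)
    return values


def hidden_bytes(raw):
    """List what a terminal would not show clearly in a value."""
    findings = []
    if raw != raw.strip(b" \t\r\n"):
        findings.append("leading/trailing whitespace")
    ctrl = [b for b in raw if b < 0x20 or b == 0x7F]
    if ctrl:
        findings.append("control bytes " + ", ".join("0x%02x" % b for b in ctrl))
    if any(b > 0x7E for b in raw):
        findings.append("non-ASCII bytes")
    return findings


def escape_filter_value(raw):
    """Escape a value for an LDAP search filter in the RFC 4515 \\XX form.

    RFC 4515 only requires escaping '*', '(', ')', '\\' and NUL; control
    and non-ASCII bytes are hex-escaped too so the filter stays printable.
    """
    out = []
    for b in raw:
        if b in b"*()\\" or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_and_filter(uid, attr, raw_value):
    """Build the AND filter from the post with the exact stored bytes escaped."""
    return "(&(uid=%s)(%s=%s))" % (
        escape_filter_value(uid.encode("utf-8")), attr, escape_filter_value(raw_value))


if __name__ == "__main__":
    for attr, vals in parse_ldif_values(SAMPLE_LDIF).items():
        for raw in vals:
            print(attr, repr(raw), hidden_bytes(raw) or "clean")
    print(build_and_filter("user1", "customAttribute", b"somevalue\r"))
```

Feed it the output of `ldapsearch -x -b <base> "(uid=user1)" customAttribute`; any value printed with a double colon is the one to inspect. Matching the exact bytes with an escaped filter, rather than widening the filter with a trailing `*`, keeps an authentication or authorization lookup from accepting values that merely share a prefix.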
Need help syncing with syncrepl 2.3
by L.B.
Hi;
I've finally decided to make the move to syncrepl after much delay and
procrastination. I've read the guide and also reviewed several howtos
on the topic... It still isn't running correctly for me because it
doesn't replicate a few new users I've added to the provider. Also I'm
seeing the following issue over and over (every time it tries a sync
on my 10m interval):
#########
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001
LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent:
rid 001 be_delete
uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001
be_search (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001
uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001
LDAP_RES_SEARCH_RESULT
#########
My setup is RHEL4 with Buchan's RPMs
(openldap2.3-servers-2.3.39-3.rhel4, etc.). I have a fairly simple
setup, one provider and one consumer.
Here is my provider config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to *
by dn.exact="cn=Replicator,dc=swa,dc=com" read
by self read
by * none break
limits group="cn=Replicator,dc=swa,dc=com"
size=unlimited
time=unlimited
access to *
by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com"
read
by self read
by * none break
access to attrs=userPassword
by self write
by * auth
pidfile /cluster/agis-ldap/ldap-master/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-master/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
loglevel 256
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-master/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 1 10
syncprov-sessionlog 100
serverid 001
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
######################
Here is my consumer config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to *
by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com"
read
by self read
by * none break
access to attrs=userPassword
by self write
by * auth
pidfile /cluster/agis-ldap/ldap-slave/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-slave/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
loglevel sync
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-slave/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
syncrepl rid=001
provider=ldap://ldap-agis01.mascorp.com
type=refreshOnly
interval=00:00:10:00
retry="60 10 300 +"
searchbase="dc=swa,dc=com"
filter="(objectClass=*)"
binddn="cn=Replicator,dc=swa,dc=com"
bindmethod=simple
credentials=yadayadayada
schemachecking=off
updateref ldap://ldap-agis01.mascorp.com/
######################
Any help would be much appreciated!
Thanks!!
Rafael
LDAPS connection failing with a "TLS accept failure error -1"
by Marcelo de Moraes Serpa
Hello all,
I hope someone can help me -- I've been trying for almost a whole day already
and still couldn't get LDAP over SSL to work.
The objective is to set up a development box for testing purposes, so the
simpler the better; however, it must only be as simple as needed.
I've followed this tutorial:
http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-u....
I'm on Mac OSX Snow Leopard, though.
slapd version: @(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14)
//Installed from MacPorts
I have generated a self-signed certificate using this command:
sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
server.pem -days 3650
I've set the Common Name to "localhost".
The configuration files look like this (non-relevant parts snipped):
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem
TLSVerifyUser never
ldap.conf
BASE dc=mycompany,dc=com
URI ldaps://localhost/
TLS_REQCERT never
I'm starting slapd with the following command:
sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h
"ldaps:///"
And testing the connection with the following:
ldapsearch -H ldaps://localhost -d255
When running ldapsearch, I get the following as output:
ldap_create
> ldap_url_parse_ext(ldaps://localhost)
> ldap_pvt_sasl_getmech
> ldap_search
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ldap_build_search_req ATTRS:
> supportedSASLMechanisms
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying ::1 636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> tls_write: want=124, written=124
> 0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00 .z....Q...
> ..9..
> 0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
> 8..5............
> 0020: 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03
> ..3..2../.......
> 0030: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
> ................
> 0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
> ......@.........
> 0050: 00 00 06 04 00 80 00 00 03 02 00 80 0c e4 9d 98
> ................
> 0060: c1 ad 36 d0 88 fb 6b 92 32 a0 ce 22 63 82 99 3b
> ..6...k.2.."c..;
> 0070: 3b 3d 03 03 38 05 d0 a1 30 2d 9f d2
> ;=..8...0-..
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=0
>
> TLS: can't connect.
> ldap_perror
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
As you can see, it fails with the "TLS: can't connect" error message. Not
that obvious. I then switch to the terminal that has slapd running in the
foreground, and I see the following:
(snip)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
*connection_read(13): TLS accept failure error=-1 id=0, closing*
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
What I don't understand is why it is failing if I've set both sides to
ignore certificates. What am I doing wrong?
Marcelo.
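The hex dump in the `-d255` trace above is the only thing the client managed to send before the server closed the socket, so it is worth being able to read it. The 124 bytes are a CLIENT-HELLO in the SSLv2 record format (the "SSLv2/v3 write client hello" line says as much), which old OpenSSL clients use to offer SSLv3/TLS and SSLv2 in one message. The decoder below is an added example, not code from the original post or from OpenLDAP: it parses that record from the dump as printed, recovers the offered protocol version, the 3-byte cipher specs and the challenge, and sorts the ciphers into TLS/SSLv3 suites, SSLv2-only ciphers and export-grade ones. The cipher names come from the SSLv2 and TLS cipher registries; nothing here explains why the server rejected the handshake, it only shows what the client offered.

```python
# Hex dump copied from the ldapsearch -d255 trace in the post above: the
# 124-byte record the client wrote ("tls_write: want=124") before the
# server closed the connection.
TRACE_HEX = """
80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00
38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03
00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 0c e4 9d 98
c1 ad 36 d0 88 fb 6b 92 32 a0 ce 22 63 82 99 3b
3b 3d 03 03 38 05 d0 a1 30 2d 9f d2
"""

# SSLv2 cipher kinds: 3-byte codes whose first byte is non-zero.
SSLV2_ONLY = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# TLS suites whose first byte is 0x00 are carried as 00 XX YY.
EXPORT_TLS = {0x0003, 0x0006, 0x0008, 0x0011, 0x0014}
EXPORT_V2 = {0x020080, 0x040080}


def decode_v2_client_hello(data):
    """Parse an SSLv2-format CLIENT-HELLO record; raise on malformed input."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("not a CLIENT-HELLO (msg type 0x%02x)" % body[0])
    version = (body[1], body[2])          # 03 01 = TLS 1.0 offered
    cs_len = int.from_bytes(body[3:5], "big")
    sid_len = int.from_bytes(body[5:7], "big")
    ch_len = int.from_bytes(body[7:9], "big")
    pos = 9
    specs = body[pos:pos + cs_len]
    pos += cs_len
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    challenge = body[pos:pos + ch_len]
    pos += ch_len
    if pos != len(body) or cs_len % 3:
        raise ValueError("length fields do not add up")
    cipher_specs = [int.from_bytes(specs[i:i + 3], "big")
                    for i in range(0, cs_len, 3)]
    return {"version": version, "cipher_specs": cipher_specs,
            "session_id": session_id, "challenge": challenge}


def describe(code):
    """Human-readable label for one 3-byte cipher spec."""
    if code >> 16 == 0:
        label = "TLS/SSLv3 suite 0x%04x" % code
        return label + (" (export)" if code in EXPORT_TLS else "")
    name = SSLV2_ONLY.get(code, "unknown 0x%06x" % code)
    return "SSLv2-only " + name + (" (export)" if code in EXPORT_V2 else "")


def summarize(hello):
    """Counts a reviewer cares about: how much legacy the client offered."""
    specs = hello["cipher_specs"]
    return {
        "version": "%d.%d" % hello["version"],
        "total": len(specs),
        "tls_suites": sum(1 for c in specs if c >> 16 == 0),
        "sslv2_only": sum(1 for c in specs if c >> 16 != 0),
        "export": sum(1 for c in specs if c in EXPORT_TLS or c in EXPORT_V2),
    }


def decode_trace(hex_text):
    return decode_v2_client_hello(bytes.fromhex("".join(hex_text.split())))


if __name__ == "__main__":
    hello = decode_trace(TRACE_HEX)
    print(summarize(hello))
    for code in hello["cipher_specs"]:
        print("  " + describe(code))
```

Seeing the client hello decoded makes the server-side `TLSCipherSuite` string concrete: the server can only pick from what is listed here after applying its own policy, so a client that advertises only legacy or export ciphers will never complete a handshake with a strict server. On a development box, `openssl s_client -connect localhost:636` is the companion check from the other side of the same socket.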
LDAP performance slow intermittently
by Khoa Nguyen
My LDAP server (version 2.3.43) performance is quite erratic; for a few
minutes, search operations are lightning fast, and then it slows down to
several seconds for a single search, and then it is fast again, etc.
I am not sure how to troubleshoot/determine the root cause of this
intermittent problem. Any suggestions are appreciated.
Khoa
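One place to start with intermittent slowness is the server's own `stats` log (`loglevel 256`), which records every search request and its result with a timestamp, so the per-operation latency can be computed after the fact and lined up with what else was happening at that moment. The script below is an added example, not from the original post or from OpenLDAP: it pairs each `SRCH` line with its `SEARCH RESULT` by connection and operation number, computes the elapsed seconds, and reports the slow ones and the worst latency per minute. The log lines are constructed to show the pattern; the hostname, connection numbers and filters are placeholders.

```python
import re
from datetime import datetime

# Constructed slapd "stats" log lines (loglevel 256); not from the post.
SAMPLE_LOG = """\
May 21 10:00:01 ldap01 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:41000 (IP=0.0.0.0:389)
May 21 10:00:01 ldap01 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
May 21 10:00:01 ldap01 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 21 10:00:01 ldap01 slapd[1234]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
May 21 10:00:01 ldap01 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 21 10:00:07 ldap01 slapd[1234]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(mail=*@example.com)"
May 21 10:00:12 ldap01 slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=800 text=
May 21 10:01:12 ldap01 slapd[1234]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
May 21 10:01:12 ldap01 slapd[1234]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ slapd\S*\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
SRCH = re.compile(r'^SRCH base="[^"]*" scope=\d deref=\d filter="(.*)"$')
RESULT = re.compile(r"^SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def parse_ts(mon, day, hms):
    # Syslog lines carry no year; a fixed leap year keeps Feb 29 parseable
    # and differences within a day correct (wrap-around at New Year ignored).
    return datetime.strptime("%s %s %s 2000" % (mon, day, hms), "%b %d %H:%M:%S %Y")


def search_latencies(lines):
    """Pair each SRCH with its SEARCH RESULT by (conn, op); one dict per search."""
    pending = {}
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        mon, day, hms, conn, op, rest = m.groups()
        ts = parse_ts(mon, day, hms)
        key = (conn, op)
        s = SRCH.match(rest)
        if s:
            pending[key] = (ts, s.group(1))
            continue
        r = RESULT.match(rest)
        if r and key in pending:
            start, flt = pending.pop(key)
            results.append({
                "conn": int(conn), "op": int(op), "filter": flt,
                "seconds": (ts - start).total_seconds(),
                "err": int(r.group(1)), "nentries": int(r.group(2)),
                "minute": start.strftime("%H:%M"),
            })
    return results


def slow_searches(results, threshold_seconds):
    """Searches at or above the threshold, slowest first."""
    return sorted((r for r in results if r["seconds"] >= threshold_seconds),
                  key=lambda r: -r["seconds"])


def worst_per_minute(results):
    """Worst latency in each minute: shows whether slowness comes in bursts."""
    worst = {}
    for r in results:
        worst[r["minute"]] = max(worst.get(r["minute"], 0.0), r["seconds"])
    return worst


if __name__ == "__main__":
    found = search_latencies(SAMPLE_LOG.splitlines())
    for r in slow_searches(found, 2.0):
        print("%5.1fs conn=%d op=%d nentries=%d %s" % (
            r["seconds"], r["conn"], r["op"], r["nentries"], r["filter"]))
    print(worst_per_minute(found))
```

Run it over a day of `/var/log/slapd.log` (or wherever syslog puts the `local4` facility) and compare the slow minutes against checkpoints, backups, cron jobs and the filters involved; a slow search that returns hundreds of entries or uses an unindexed attribute looks very different from a fast filter that is slow only during certain minutes.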
slapd read-only slave replica
by DT Piotr Wadas
Hello,
Does it make any sense to enable indexing of any attribute on a read-only
slave syncrepl replica? I mean, isn't it just a waste of resources, or,
actually, is it not a waste of resources at all, since the replica is read-only
and does not write anything anyway? This, I think, applies to any version of
openldap.
Regards,
DT
Syncrepl has deleted over 50%
by Nacho Díaz Asenjo
Hi!
Syncrepl decided to do a clean-up on my consumer tonight. In
approx. 2 hours it has deleted over 50% of my directory ... of course
it's wrong, but I have no idea why.
I have installed Openldap 2.4.19 in my producer (master) and in my
consumer (slave).
My config:
syncrepl rid=001
provider=ldap://xxxxxxx
type=refreshAndPersist
searchbase="o=xxxxxx"
schemachecking=off
attrs="*,+"
retry="30 10 600 20"
binddn="uid=syncrepl,o=xxxxx"
credentials=xxxx
In log file
First ... about 1 hour ..
May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 be_search (0)
May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001
uid=600000790,ou=UNIVERSIDAD DE
MAYORES,ou=Alumnos,ou=Gente,o=Universidad Carlos III,c=es
May 20 03:32:06 ldap03 slapd[29549]: slap_queue_csn: queing 0x293d230
20100520013206.383048Z#000000#000#000000
May 20 03:32:06 ldap03 slapd[29549]: slap_graduate_commit_csn: removing
0x6595bd0 20100520013206.383048Z#000000#000#000000
May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 be_modify
uid=600000790,ou=UNIVERSIDAD DE
MAYORES,ou=Alumnos,ou=Gente,o=Universidad Carlos III,c=es (0)
May 20 03:32:06 ldap03 slapd[29549]: slap_queue_csn: queing 0x293d230
20100520013206.383048Z#000000#000#000000
May 20 03:32:06 ldap03 slapd[29549]: slap_graduate_commit_csn: removing
0x3c143f0 20100520013206.383048Z#000000#000#000000
May 20 03:32:06 ldap03 slapd[29549]: do_syncrep2:
cookie=rid=001,csn=20100520013206.700191Z#000000#000#000000
May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 be_search (0)
May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001
uid=600000819,ou=UNIVERSIDAD DE
MAYORES,ou=Alumnos,ou=Gente,o=Universidad Carlos III,c=es
May 20 03:32:06 ldap03 slapd[29549]: slap_queue_csn: queing
0x7f91a1614170 20100520013206.700191Z#000000#000#000000
Later ... deleting
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete
uid=cmromo,ou=Receptores,ou=proyectos_gerencia_2010,ou=Grupos,o=Universidad
Carlos III,c=es (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete uid=cmromo,ou=Receptores,ou=resad.pa,ou=Grupos,o=Universidad
Carlos III,c=es (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete uid=cmromo,ou=Emisores,ou=resad.pa,ou=Grupos,o=Universidad
Carlos III,c=es (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete
uid=fjpsanch,ou=Receptores,ou=sl-audiovisuales,ou=Grupos,o=Universidad
Carlos III,c=es (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete
uid=fjpsanch,ou=Receptores,ou=audiovisuales,ou=Grupos,o=Universidad
Carlos III,c=es (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete
uid=dsmontero,ou=Receptores,ou=juntaeps,ou=Grupos,o=Universidad Carlos
III,c=es (0)
May 20 03:50:55 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete
uid=benguigui82(a)hotmail.com,ou=Receptores,ou=giaa,ou=Grupos,o=Universidad Carlos
III,c=es (0)
May 20 03:50:55 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001
be_delete uid=benguigui82(a)hotmail.com,ou=Externos,o=Universidad Carlos
III,c=es (0)
Thanks
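Both syncrepl reports on this page (the 2.3 consumer above that logs a `syncrepl_del_nonpresent ... be_delete` followed by a `be_add` of the same DN on every refresh, and this 2.4 consumer that deleted half its directory) are visible in the consumer log long before anyone notices. The script below is an added example, not from either post or from OpenLDAP: it parses both log wordings (`rid 001` with the DN on its own `syncrepl_entry` line in 2.3, `rid=001` with the DN on the `be_*` line in 2.4), lists DNs that are deleted and then re-added in the same run, and raises an alert when more `del_nonpresent` deletes than you would accept land inside a sliding time window. The log lines are constructed; the first six follow the post above, the rest use placeholder DNs.

```python
import re
from datetime import datetime

# Constructed consumer log (not verbatim from either post): the first six
# lines use the slapd 2.3 wording, the rest the 2.4 wording.
SAMPLE_LOG = """\
Mar  5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar  5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0)
Mar  5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar  5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0)
Mar  5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com
Mar  5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_entry: rid=001 be_modify uid=u0,ou=Gente,o=example,c=es (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=u1,ou=Grupos,o=example,c=es (0)
May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=u2,ou=Grupos,o=example,c=es (0)
May 20 03:50:55 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=u3,ou=Grupos,o=example,c=es (0)
"""

LINE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ slapd\S*\[\d+\]: (\w+): rid[= ](\d+) (.*)$")
MUTATIONS = ("be_add", "be_modify", "be_delete")


def parse_syncrepl_log(lines):
    """Return one event dict per be_add/be_modify/be_delete, with its DN."""
    last_dn = {}   # rid -> DN announced on the preceding syncrepl_entry line
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        mon, day, hms, func, rid, rest = m.groups()
        # syslog has no year; a fixed leap year keeps every date parseable
        ts = datetime.strptime("%s %s %s 2000" % (mon, day, hms), "%b %d %H:%M:%S %Y")
        if rest.startswith("be_"):
            op, _, tail = rest.partition(" ")
            if op not in MUTATIONS:        # be_search and friends are lookups
                continue
            dn = tail[:tail.rfind(" (")] if " (" in tail else ""
            events.append({"ts": ts, "rid": rid, "func": func, "op": op,
                           "dn": dn or last_dn.get(rid, "")})
        elif rest.startswith("LDAP_RES") or func != "syncrepl_entry":
            continue
        else:
            last_dn[rid] = rest             # 2.3 prints the DN on its own line
    return events


def churned_dns(events):
    """DNs that del_nonpresent removed and a later refresh re-added: an
    entry that bounces every cycle instead of converging."""
    deleted = set()
    churned = []
    for e in events:
        if e["func"] == "syncrepl_del_nonpresent" and e["op"] == "be_delete":
            deleted.add(e["dn"])
        elif e["op"] == "be_add" and e["dn"] in deleted:
            churned.append(e["dn"])
            deleted.discard(e["dn"])
    return churned


def bulk_delete_alert(events, window_seconds, max_allowed):
    """Peak number of del_nonpresent deletes inside any sliding window, and
    whether that exceeds what a single refresh should be allowed to remove."""
    stamps = sorted(e["ts"] for e in events
                    if e["func"] == "syncrepl_del_nonpresent" and e["op"] == "be_delete")
    peak = 0
    for i, start in enumerate(stamps):
        n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
        peak = max(peak, n)
    return peak, peak > max_allowed


if __name__ == "__main__":
    evs = parse_syncrepl_log(SAMPLE_LOG.splitlines())
    print("churning:", churned_dns(evs))
    print("deletes in any 2h window / alert:", bulk_delete_alert(evs, 7200, 2))
```

Pick `max_allowed` from what your provider legitimately deletes in a refresh interval; a consumer that reports thousands of `del_nonpresent` deletes in one window is the moment to stop it and compare it against the provider before the damage spreads to anything that reads from the replica.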
cn=config and DB_CONFIG
by DT Piotr Wadas
Hello,
Is it possible with openldap, any version, to tune DB_CONFIG attributes
for selected context via cn=config ?
Regards,
DT
Re: do_bind: invalid dn
by Joshua Lim
Dan Burkland wrote:
> -----Original Message-----
> From: openldap-software-bounces+dburklan=nmdp.org(a)OpenLDAP.org [mailto:openldap-software-bounces+dburklan=nmdp.org@OpenLDAP.org] On Behalf Of Joshua Lim
> Sent: Monday, May 17, 2010 12:21 PM
> To: openldap-software(a)openldap.org
> Subject: Re: do_bind: invalid dn
>
> Any thoughts? I tried the following, entered the correct password
> 'password' and got:
> ldap_bind: Invalid credentials (49)
>
> ldapsearch -x -D cn=wael,dc=click,dc=com -h localhost -W -b ''
> namingContexts
>
>
> Log shows:
>
> slap_listener_activate(2):
> >>> slap_listener(ldap://JOSHUAPC:389)
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 47 contents:
> op tag 0x60, time 1273506428
> ber_get_next
> conn=0 op=0 do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt (m}) ber:
> >>> dnPrettyNormal: <cn=wael,dc=click,dc=com>
> <<< dnPrettyNormal: <cn=wael,dc=click,dc=com>, <cn=wael,dc=click,dc=com>
> do_bind: version=3 dn="cn=wael,dc=click,dc=com" method=128
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_response: msgid=1 tag=97 err=49
> ber_flush2: 22 bytes to sd 2140
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> ber_get_next
> ber_get_next on fd 10 failed errno=0 (unknown WSA error)
> connection_close: conn=0 sd=10
>
>
> My slapd.conf (i basically used the default, only suffix, rootdn and
> rootpw is changed):
> ********************************
> database bdb
> suffix "dc=click,dc=com"
> rootdn "cn=wael,dc=click,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoid. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw password
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory ./data
> dirtyread
> searchstack 20
> # Indices to maintain
> index mail pres,eq
> index objectclass pres
> index default eq,sub
> index sn eq,sub,subinitial
> index telephonenumber
> index cn
> --------------------------------------------------------------------------
>
> I may be wrong but I believe your rootpw value needs to be a hash value. Use slappasswd to generate one and then replace password with it. Restart the service and let me know if you experience the same issue.
>
> Regards,
>
> Dan
>
>
>
Thanks Dan, yes, that was the reason. :)
OpenLDAP 2.3 Access Lists
by Dan Burkland
Hello all,
I have been trying as of late to secure my OpenLDAP directory and I seem to have run into a wall. I am trying to restrict access to certain attributes for my user entries located in ou=people,dc=example,dc=com so that only my binddn can access them. Here is a list of my current ACLs:
access to dn="cn=binddn,ou=system,ou=services,dc=example,dc=com"
attrs=userPassword
by * auth
access to dn.regex="uid=.*,ou=people,dc=example,dc=com" attrs=uid,uidNumber,loginShell
by dn="cn=binddn,ou=system,ou=services,dc=example,dc=com" read
by * none
It seems I can get the rule to match without the "attrs" argument; however, as soon as I add that to the ACL entry I get denied access to the previously listed attributes for users in ou=people. If it helps any I am using the OpenLDAP-servers 2.3.43 CentOS RPM.
Thanks again,
Dan
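slapd evaluates ACLs in order: the first `access to` clause whose `<what>` (DN pattern plus `attrs`) matches the target is the only one consulted, and within it the first `by` clause matching the requester decides the level, with an implicit `by * none` if none matches. Walking the two rules above through that procedure by hand is error-prone, so the script below, an added example that is not from the post or from OpenLDAP, implements that first-match evaluation for the subset of syntax the post uses (`dn=`, `dn.exact=`, `dn.regex=`, `attrs=`, and `*`, `self`, `users`, `anonymous`, `dn=` on the `by` side; no `break`/`continue`/`stop` control). It reports which rule and which `by` clause answered a request, or that no rule matched at all, which is the case this simulator does not decide. A bare `dn=` is treated as an exact match, and the regex is applied with search semantics, so a pattern without `^`/`$` anchors matches anywhere in the DN. The closing quote missing from the first rule as posted is assumed to be a copy error.

```python
import re
import shlex

# Access levels in the order slapd ranks them; a granted level covers every
# level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The two rules from the post above (closing quote on the first dn supplied).
ACLS = """\
access to dn="cn=binddn,ou=system,ou=services,dc=example,dc=com" attrs=userPassword
    by * auth
access to dn.regex="uid=.*,ou=people,dc=example,dc=com" attrs=uid,uidNumber,loginShell
    by dn="cn=binddn,ou=system,ou=services,dc=example,dc=com" read
    by * none
"""


def norm(dn):
    """Case-fold a DN and drop spaces after commas so exact compares work."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_acls(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines (subset, no control flags)."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[:2] == ["access", "to"]:
            rule = {"dn_style": None, "dn": None, "attrs": None, "by": []}
            for tok in tokens[2:]:
                if tok == "*":
                    continue
                if tok.startswith("dn.regex="):
                    rule["dn_style"], rule["dn"] = "regex", tok[len("dn.regex="):]
                elif tok.startswith("dn.exact=") or tok.startswith("dn="):
                    rule["dn_style"], rule["dn"] = "exact", norm(tok.split("=", 1)[1])
                elif tok.startswith("attrs="):
                    rule["attrs"] = {a.lower() for a in tok[len("attrs="):].split(",")}
                else:
                    raise ValueError("unsupported <what> token: " + tok)
            rules.append(rule)
        elif tokens[0] == "by" and rules and len(tokens) == 3 and tokens[2] in LEVELS:
            rules[-1]["by"].append((tokens[1], tokens[2]))
        else:
            raise ValueError("unsupported line: " + line)
    return rules


def what_matches(rule, target_dn, attr):
    if rule["dn_style"] == "exact" and norm(target_dn) != rule["dn"]:
        return False
    if rule["dn_style"] == "regex" and not re.search(rule["dn"], target_dn, re.IGNORECASE):
        return False
    if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
        return False
    return True


def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and norm(requester_dn) == norm(target_dn)
    if who.startswith("dn=") or who.startswith("dn.exact="):
        return norm(requester_dn) == norm(who.split("=", 1)[1])
    raise ValueError("unsupported <who>: " + who)


def check_access(rules, requester_dn, target_dn, attr, wanted):
    """Return (rule number, granted level, allowed) for the first matching rule,
    or (None, None, None) when no 'access to' clause matches at all."""
    for number, rule in enumerate(rules, 1):
        if not what_matches(rule, target_dn, attr):
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester_dn, target_dn):
                return number, level, LEVELS.index(level) >= LEVELS.index(wanted)
        return number, "none", False      # rule matched, no by clause did
    return None, None, None


if __name__ == "__main__":
    rules = parse_acls(ACLS)
    binddn = "cn=binddn,ou=system,ou=services,dc=example,dc=com"
    user = "uid=jdoe,ou=people,dc=example,dc=com"
    for who, attr in [(binddn, "uid"), ("", "uid"), (binddn, "cn"), (binddn, "entry")]:
        print(who or "anonymous", attr, "read ->", check_access(rules, who, user, attr, "read"))
```

Running it shows the shape of the problem: the second rule answers only for `uid`, `uidNumber` and `loginShell`, so every other attribute of a people entry, including the `entry` pseudo-attribute that slapd consults for the entry itself, falls through to no rule at all. Adding a request for each attribute you expect a bind identity to see is a cheap way to review an ACL set before deploying it.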