openldap-software May 2010

openldap-software@openldap.org

32 participants
27 discussions

Shutdown of the OpenLDAP-Software list in favor of the OpenLDAP-Technical list
by OpenLDAP Project 28 May '10

28 May '10

The Project has decided to shutdown the OpenLDAP-Software list in favor of the more broadly chartered OpenLDAP-Technical list. This change is intended to eliminate a significant burden upon the list moderators (OpenLDAP-Software list, unlike the OpenLDAP-Technical list, has long had a narrow charter and strict moderation policy). On May 29th, all new threads will be rejected by the moderator with a note to take them to the OpenLDAP-technical list. A week will be given for active threads to be concluded (or moved to the openldap-technical list). On June 5th, the list will be shutdown. Archives will remain available. Subscribers of the OpenLDAP-Software list will NOT automatically be subscribed to the OpenLDAP-Technical list. Each person who wishes to follow the openldap-technical list must subscribe themself to the openldap-technical list. -- The OpenLDAP Project

1 1

Extra character when using search filter but won't appear in the search result
by Wan Mohd Khairi Wan Mohamed 21 May '10

21 May '10

Hi all, We have a little bit of a problem here. When we tried to search in openldap with the following filter:- (&(uid=user1)(customAttribute=somevalue)) ... it returned no results. But when we use a similar filter, with an asterisk (*) appended for the 2nd attribute:- (&(uid=user1)(customAttribute=somevalue*)) We got the result just fine. The funny thing is, the result listed customAttribute value as just 'somevalue'. We were wondering what's the extra character that's preventing us from getting the result when using the filter without the asterisk. Have anyone encountered similar problem before? Thanks. Regards, Wan Mohd Khairi Wan Mohamed wankhairi [at] nervesis [dot] com [dot] my http://www.nervesis.com.my

3 7

Need help syncing with syncrepl 2.3
by L.B. 20 May '10

20 May '10

Hi; I've finally decided to make the move to syncrepl after much delay and procrastination. I've read the guide and also reviewed several howto's on the topic... It still isn't running correctly for me because it doesn't replicate a few new users I've added to the provider. Also I'm seeing the following issue over and over (every time it tries a sync on my 10m interval): ######### Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT ######### My setup is RHEL4 with Buchan's RPMs (openldap2.3-servers-2.3.39-3.rhel4, etc.). I have a fairly simple setup, one provider and one consumer. Here is my provider config: ###################### include /usr/share/openldap2.3/schema/core.schema include /usr/share/openldap2.3/schema/cosine.schema include /usr/share/openldap2.3/schema/inetorgperson.schema include /usr/share/openldap2.3/schema/nis.schema include /usr/share/openldap2.3/schema/misc.schema include /usr/share/openldap2.3/schema/corba.schema include /usr/share/openldap2.3/schema/openldap.schema include /usr/share/openldap2.3/schema/ppolicy.schema include /usr/share/openldap2.3/schema/ldapns.schema access to * by dn.exact="cn=Replicator,dc=swa,dc=com" read by self read by * none break limits group="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited access to * by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read by self read by * none break access to attrs=userPassword by self write by * auth pidfile /cluster/agis-ldap/ldap-master/var/run/slapd.pid argsfile /cluster/agis-ldap/ldap-master/var/run/slapd.args modulepath /usr/lib/openldap2.3 moduleload ppolicy.la moduleload syncprov.la TLSCertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem TLSCertificateKeyFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem TLSCACertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem loglevel 256 database bdb suffix "dc=swa,dc=com" rootdn "cn=Manager,dc=swa,dc=com" rootpw {SSHA}YADYADAYADA directory /cluster/agis-ldap/ldap-master/var/lib/ldap overlay ppolicy ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com" ppolicy_use_lockout overlay syncprov syncprov-checkpoint 1 10 syncprov-sessionlog 100 serverid 001 cachesize 100000 idlcachesize 100000 checkpoint 256 5 index objectClass eq index ou,cn,mail,givenname eq,subinitial index uidNumber,gidNumber,memberUid,loginShell eq index uid eq,subinitial index uniqueMember pres index entryCSN,entryUUID eq ###################### Here is my consumer config: ###################### include /usr/share/openldap2.3/schema/core.schema include /usr/share/openldap2.3/schema/cosine.schema include /usr/share/openldap2.3/schema/inetorgperson.schema include /usr/share/openldap2.3/schema/nis.schema include /usr/share/openldap2.3/schema/misc.schema include /usr/share/openldap2.3/schema/corba.schema include /usr/share/openldap2.3/schema/openldap.schema include /usr/share/openldap2.3/schema/ppolicy.schema include /usr/share/openldap2.3/schema/ldapns.schema access to * by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read by self read by * none break access to attrs=userPassword by self write by * auth pidfile /cluster/agis-ldap/ldap-slave/var/run/slapd.pid argsfile /cluster/agis-ldap/ldap-slave/var/run/slapd.args modulepath /usr/lib/openldap2.3 moduleload ppolicy.la moduleload syncprov.la TLSCertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem TLSCertificateKeyFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem TLSCACertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem loglevel sync database bdb suffix "dc=swa,dc=com" rootdn "cn=Manager,dc=swa,dc=com" rootpw {SSHA}YADYADAYADA directory /cluster/agis-ldap/ldap-slave/var/lib/ldap overlay ppolicy ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com" ppolicy_use_lockout cachesize 100000 idlcachesize 100000 checkpoint 256 5 index objectClass eq index ou,cn,mail,givenname eq,subinitial index uidNumber,gidNumber,memberUid,loginShell eq index uid eq,subinitial index uniqueMember pres index entryCSN,entryUUID eq syncrepl rid=001 provider=ldap://ldap-agis01.mascorp.com type=refreshOnly interval=00:00:10:00 retry="60 10 300 +" searchbase="dc=swa,dc=com" filter="(objectClass=*)" binddn="cn=Replicator,dc=swa,dc=com" bindmethod=simple credentials=yadayadayada schemachecking=off updateref ldap://ldap-agis01.mascorp.com/ ###################### Any help would be much appreciated! Thanks!! Rafael

3 2

LDAPS connection failing with a "TLS accept failure error -1"
by Marcelo de Moraes Serpa 20 May '10

20 May '10

Hello all, I hope someone could help me -- I'm trying for almost one whole day already and couldn't get LDAP over SSL to work, without success. The objective is to setup a development box for testing purposes, so, the simpler the better, however, it must be as simple as needed only. I've followed this tutorial: http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-usi…. I'm on Mac OSX Snow Leopard, though. slapd version: @(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14) //Installed from MacPorts I have generated a self-signed certificate using this command: sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650 I've set the Common Name to "localhost". The configuration files look like this (non-relevanted parts snipped): slapd.conf: TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCACertificateFile /Users/myuser/Sandbox/server.pem TLSCertificateFile /Users/myuser/Sandbox/server.pem TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem TLSVerifyUser never ldap.conf BASE dc=mycompany,dc=com URI ldaps://localhost/ TLS_REQCERT never I'm starting slapd with the following command: sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h "ldaps:///" And testing the connection with the following: ldapsearch -H ldaps://localhost -d255 When running ldapsearch, I get the following as output: ldap_create > ldap_url_parse_ext(ldaps://localhost) > ldap_pvt_sasl_getmech > ldap_search > put_filter: "(objectclass=*)" > put_filter: simple > put_simple_filter: "objectclass=*" > ldap_build_search_req ATTRS: > supportedSASLMechanisms > ldap_send_initial_request > ldap_new_connection 1 1 0 > ldap_int_open_connection > ldap_connect_to_host: TCP localhost:636 > ldap_new_socket: 3 > ldap_prepare_socket: 3 > ldap_connect_to_host: Trying ::1 636 > ldap_connect_timeout: fd: 3 tm: -1 async: 0 > TLS trace: SSL_connect:before/connect initialization > tls_write: want=124, written=124 > 0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00 .z....Q... > ..9.. > 0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 > 8..5............ > 0020: 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 > ..3..2../....... > 0030: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 > ................ > 0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 > ......@......... > 0050: 00 00 06 04 00 80 00 00 03 02 00 80 0c e4 9d 98 > ................ > 0060: c1 ad 36 d0 88 fb 6b 92 32 a0 ce 22 63 82 99 3b > ..6...k.2.."c..; > 0070: 3b 3d 03 03 38 05 d0 a1 30 2d 9f d2 > ;=..8...0-.. > TLS trace: SSL_connect:SSLv2/v3 write client hello A > tls_read: want=7, got=0 > > TLS: can't connect. > ldap_perror > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) > As you can see, it fails with the "TLS: can't connect" error message. Not that obvious. I then switch to the terminal that has slapd running on the fg, and I see the following: (snip) connection_get(13): got connid=0 connection_read(13): checking for input on id=0 *connection_read(13): TLS accept failure error=-1 id=0, closing* connection_closing: readying conn=0 sd=13 for close connection_close: conn=0 sd=13 What I don't understand is why it is failing if I've set both sides to ignore certificates. What am I doing wrong? Marcelo.

2 2

LDAP performance slow intermittently
by Khoa Nguyen 20 May '10

20 May '10

My LDAP server (version 2.3.43) performance is quite erratic; for a few minutes, search operations are lightning fast, and then it slows down to several seconds for a single search, and then it is fast again, etc. I am not sure how to troubleshoot/determine the root cause of this intermittent problem. Any suggestions are appreciated. Khoa

4 3

slapd read-only slave replica
by DT Piotr Wadas 20 May '10

20 May '10

Hello, Does it make any sens to enable indexing of any attribute on read-only slave syncrepl replica? I mean, isn't it just waste of resources, or, actually, is not a waste a resources at all, since replica is read-only and does not write anything anyway? This, I think, apply to any version of openldap. Regards, DT

4 3

Syncrepl has deleted over 50%
by Nacho Díaz Asenjo 20 May '10

20 May '10

Hi! Syncrepl has decided make a cleaner in my consumer this night. In aprox. 2 hours it has deleted over 50% of my directory ... of course it's a wrong, but i havent't idea about why. I have installed Openldap 2.4.19 in my producer (master) and in my consumer (slave). My config: syncrepl rid=001 provider=ldap://xxxxxxx type=refreshAndPersist searchbase="o=xxxxxx" schemachecking=off attrs="*,+" retry="30 10 600 20" binddn="uid=syncrepl,o=xxxxx" credentials=xxxx In log file First ... about 1 hour .. May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 be_search (0) May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 uid=600000790,ou=UNIVERSIDAD DE MAYORES,ou=Alumnos,ou=Gente,o=Universidad Carlos III,c=es May 20 03:32:06 ldap03 slapd[29549]: slap_queue_csn: queing 0x293d230 20100520013206.383048Z#000000#000#000000 May 20 03:32:06 ldap03 slapd[29549]: slap_graduate_commit_csn: removing 0x6595bd0 20100520013206.383048Z#000000#000#000000 May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 be_modify uid=600000790,ou=UNIVERSIDAD DE MAYORES,ou=Alumnos,ou=Gente,o=Universidad Carlos III,c=es (0) May 20 03:32:06 ldap03 slapd[29549]: slap_queue_csn: queing 0x293d230 20100520013206.383048Z#000000#000#000000 May 20 03:32:06 ldap03 slapd[29549]: slap_graduate_commit_csn: removing 0x3c143f0 20100520013206.383048Z#000000#000#000000 May 20 03:32:06 ldap03 slapd[29549]: do_syncrep2: cookie=rid=001,csn=20100520013206.700191Z#000000#000#000000 May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 be_search (0) May 20 03:32:06 ldap03 slapd[29549]: syncrepl_entry: rid=001 uid=600000819,ou=UNIVERSIDAD DE MAYORES,ou=Alumnos,ou=Gente,o=Universidad Carlos III,c=es May 20 03:32:06 ldap03 slapd[29549]: slap_queue_csn: queing 0x7f91a1614170 20100520013206.700191Z#000000#000#000000 Later ... deleting May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=cmromo,ou=Receptores,ou=proyectos_gerencia_2010,ou=Grupos,o=Universidad Carlos III,c=es (0) May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=cmromo,ou=Receptores,ou=resad.pa,ou=Grupos,o=Universidad Carlos III,c=es (0) May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=cmromo,ou=Emisores,ou=resad.pa,ou=Grupos,o=Universidad Carlos III,c=es (0) May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=fjpsanch,ou=Receptores,ou=sl-audiovisuales,ou=Grupos,o=Universidad Carlos III,c=es (0) May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=fjpsanch,ou=Receptores,ou=audiovisuales,ou=Grupos,o=Universidad Carlos III,c=es (0) May 20 03:50:54 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=dsmontero,ou=Receptores,ou=juntaeps,ou=Grupos,o=Universidad Carlos III,c=es (0) May 20 03:50:55 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=benguigui82(a)hotmail.com,ou=Receptores,ou=giaa,ou=Grupos,o=Universidad Carlos III,c=es (0) May 20 03:50:55 ldap03 slapd[29549]: syncrepl_del_nonpresent: rid=001 be_delete uid=benguigui82(a)hotmail.com,ou=Externos,o=Universidad Carlos III,c=es (0) Thanks

1 0

cn=config and DB_CONFIG
by DT Piotr Wadas 20 May '10

20 May '10

Hello, Is it possible with openldap, any version, to tune DB_CONFIG attributes for selected context via cn=config ? Regards, DT

5 5

Re: do_bind: invalid dn
by Joshua Lim 19 May '10

19 May '10

Dan Burkland wrote: > -----Original Message----- > From: openldap-software-bounces+dburklan=nmdp.org(a)OpenLDAP.org [mailto:openldap-software-bounces+dburklan=nmdp.org@OpenLDAP.org] On Behalf Of Joshua Lim > Sent: Monday, May 17, 2010 12:21 PM > To: openldap-software(a)openldap.org > Subject: Re: do_bind: invalid dn > > Any thoughts? I tried the following, entered the correct password > 'password' and got: > ldap_bind: Invalid credentials (49) > > ldapsearch -x -D cn=wael,dc=click,dc=com -h localhost -W -b '' > namingContexts > > > Log shows: > > slap_listener_activate(2): > >>> slap_listener(ldap://JOSHUAPC:389) > connection_get(10): got connid=0 > connection_read(10): checking for input on id=0 > ber_get_next > ber_get_next: tag 0x30 len 47 contents: > op tag 0x60, time 1273506428 > ber_get_next > conn=0 op=0 do_bind > ber_scanf fmt ({imt) ber: > ber_scanf fmt (m}) ber: > >>> dnPrettyNormal: <cn=wael,dc=click,dc=com> > <<< dnPrettyNormal: <cn=wael,dc=click,dc=com>, <cn=wael,dc=click,dc=com> > do_bind: version=3 dn="cn=wael,dc=click,dc=com" method=128 > send_ldap_result: conn=0 op=0 p=3 > send_ldap_response: msgid=1 tag=97 err=49 > ber_flush2: 22 bytes to sd 2140 > connection_get(10): got connid=0 > connection_read(10): checking for input on id=0 > ber_get_next > ber_get_next on fd 10 failed errno=0 (unknown WSA error) > connection_close: conn=0 sd=10 > > > My slapd.conf (i basically used the default, only suffix, rootdn and > rootpw is changed): > ******************************** > database bdb > suffix "dc=click,dc=com" > rootdn "cn=wael,dc=click,dc=com" > # Cleartext passwords, especially for the rootdn, should > # be avoid. See slappasswd(8) and slapd.conf(5) for details. > # Use of strong authentication encouraged. > rootpw password > # The database directory MUST exist prior to running slapd AND > # should only be accessible by the slapd and slap tools. > # Mode 700 recommended. > directory ./data > dirtyread > searchstack 20 > # Indices to maintain > index mail pres,eq > index objectclass pres > index default eq,sub > index sn eq,sub,subinitial > index telephonenumber > index cn > -------------------------------------------------------------------------- > > I may be wrong but I believe your rootpw value needs to be a hash value. Use slappasswd to generate one and then replace password with it. Restart the service and let me know if you experience the same issue. > > Regards, > > Dan > > > Thanks Dan, yes, that was the reason. :)

1 0

OpenLDAP 2.3 Access Lists
by Dan Burkland 18 May '10

18 May '10

Hello all, I have been trying as of late to secure my OpenLDAP directory and I have seem to run into a wall. I am trying to restrict access to certain attributes for my user entries located in ou=people,dc=example,dc=com so that only my binddn can access them. Here is a list of my current ACLs: access to dn="cn=binddn,ou=system,ou=services,dc=example,dc=com attrs=userPassword by * auth access to dn.regex="uid=.*,ou=people,dc=example,dc=com" attrs=uid,uidNumber,loginShell by dn="cn=binddn,ou=system,ou=services,dc=example,dc=com" read by * none It seems I can get the rule to match without the "attrs" argument however as soon as I add that to the ACL entry I get denied access to the previously listed attributes for users in ou=people. If it helps any I am using the OpenLDAP-servers 2.3.43 CentOS RPM. Thanks again, Dan

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software May 2010