openldap-software

openldap-software@openldap.org

2719 discussions

slapd stopping with no error message
by Douglas B. Jones 15 Mar '07

15 Mar '07

About three times in the last several days, ldap-2.3.33 (RHEL4) has just stopped. No core or error messages in the log files. The last entry in the log file is just a search entry, with nothing common in the search from 'crash' to 'crash'. I have even tried the searches and they worked fine. I restart it notes an unclean shutdown detected and attempts recovery and appears to do so. My question is what is the proper way to debug this. If I do -d, it will not fork, but since it fails at random times I probably will not be there to see the output. Is this the best way to try to see what is happening? If so, what is the recommended debug level? It was built with: ./configure \ --prefix=/usr/local/openldap-2.3.33 \ --includedir=/usr/local/lib/BerkleyDB.4.5.20.NC/include \ --enable-crypt \ --enable-cleartext \ --enable-debug \ --enable-meta=yes \ --enable-monitor=yes \ --enable-relay=yes \ --enable-ldap=yes \ --enable-rewrite=yes \ --enable-overlays=yes \ -exec-prefix=/usr/local/openldap-2.3.33 I see that there is 2.3.34 out and that it can use BDB 4.5. Is the best course of action to upgrade? The 2.3.27 version we have been running has not had a problem like this. The 2.3.27 runs on port 900, the 2.3.33 runs on port 389. Thanks for any help!

5 22

ldap_sasl_bind_s and overriding .ldaprc
by Wyatt Neal 15 Mar '07

15 Mar '07

i'm working with sasl binding to my ldap server. is there some way i can override where the sasl "EXTERNAL" method is looking for the TLS_CERT and TLS_KEY directives? i'm basing this on a per-machine basis and serveral services will be using the library so it doesn't make sense to have each service run as a seperate user and different ldap certs on the machine. thanks, wyatt

1 0

Problem on MAKE.
by Duarte Lázaro 15 Mar '07

15 Mar '07

Hi all, I having a problem on "make" openldap. /configure --prefix=/usr/local/openldap --with-tls --enable-slapd --with-cyrus-sasl --enable-crypt --enable-bdb on make : Entering subdirectory libldap make[2]: Entering directory `/usr/local/pkgs/openldap-2.3.34/libraries/libldap' /bin/sh ../..//libtool --mode=link cc -static -g -O2 -L/usr/local/BerkeleyDB.4.5/lib -o apitest apitest.o libldap.la ../../libraries/liblber/liblber.la ../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto -lcrypt -lresolv cc -g -O2 -o apitest apitest.o -L/usr/local/BerkeleyDB.4.5/lib ./.libs/libldap.a /usr/local/pkgs/openldap-2.3.34/libraries/liblber/.libs/liblber.a ../../libraries/liblber/.libs/liblber.a ../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto -lcrypt -lresolv ./.libs/libldap.a(os-ip.o): In function `ldap_pvt_is_socket_ready': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/os-ip.c:205: warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead /usr/local/pkgs/openldap-2.3.34/libraries/libldap/os-ip.c:205: warning: `sys_nerr' is deprecated; use `strerror' or `strerror_r' instead ./.libs/libldap.a(tls.o): In function `sb_tls_bio_write': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:703: undefined reference to `BIO_clear_flags' /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:707: undefined reference to `BIO_set_flags' ./.libs/libldap.a(tls.o): In function `sb_tls_bio_read': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:676: undefined reference to `BIO_clear_flags' /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:680: undefined reference to `BIO_set_flags' ./.libs/libldap.a(tls.o): In function `ldap_pvt_tls_init_def_ctx': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:374: undefined reference to `SSL_CTX_set_info_callback' collect2: ld returned 1 exit status make[2]: *** [apitest] Error 1 make[2]: Leaving directory `/usr/local/pkgs/openldap-2.3.34/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/usr/local/pkgs/openldap-2.3.34/libraries' make: *** [all-common] Error 1 any ideias, if someone needs more info about this problem, just ask for data. Thanks, Duarte Lázaro

1 0

LDAP proxy cache configuration
by Amos Castelli 15 Mar '07

15 Mar '07

Hi everybody, I have setup a ldap proxy cache (2.3.34), but somehow I cannot write into the proxy database. When I first search into the directory, I get the following in the log file: slapd[450]: QUERY NOT ANSWERABLE slapd[450]: QUERY CACHEABLE This tells me that at least the proxyTemplate is set up correctly, then I run the second time the search command, and I get: slapd[518]: QUERY ANSWERABLE I suppose ldap found in the cache the search output, but I get no result. After searching a little bit, I also found this messages, after the first search: ==> bdb_add: uid=dummy,ou=People,dc=cscs,dc=com bdb_add: entry failed op attrs add: no structural object class provided (65) send_ldap_result: conn=2 op=1 p=3 send_ldap_result: err=65 matched="" text="no structural object class provided" ENTRY ADDED/MERGED, CACHED ENTRIES=0 Somehow I cannot write into the directory.. this is my slapd.conf file: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args loglevel -1 threads 8 idletimeout 240 lastmod off database ldap suffix "ou=people,dc=cscs,dc=com" rootdn "cn=ldapadm,dc=cscs,dc=com" uri ldap://ldap2.cscs.com/ou=people%2cdc=cscs%2cdc=com overlay pcache proxyCache bdb 100000 2 1000 60 proxyAttrset 0 uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass proxyAttrset 1 cn userPassword memberUid uniqueMember gidNumber proxyTemplate (&(objectClass=)(uid=)(description=)) 0 300 proxyTemplate (&(objectClass=)(uidNumber=)(description=)) 0 300 proxyTemplate (&(objectClass=)(description=)) 0 300 proxyTemplate (&(objectClass=)(cn=)) 1 300 proxyTemplate (&(objectClass=)) 1 300 proxyTemplate (&(objectClass=)(gidNumber=)) 1 300 proxyTemplate (&(objectClass=)(memberUid=)) 1 300 cachesize 50000 directory /usr/local/openldap/var/openldap-data index objectClass eq index uid eq index uidNumber eq index gidNumber eq index memberUid eq index description eq index cn pres,eq,sub Can anybody help me? Thanks in advance, Amos

2 2

SASL authentication with open ldap
by JOYDEEP 14 Mar '07

14 Mar '07

Dear Philip, Greg, Tony, Louis and the list, Thanks for the guidance so far. I have got little success but still away from my target. here I'm describing every thing. 1> I have executed "saslpasswd2 admin" to create the user admin in the sasldb2 2> "sasldblistusers2" shows as below admin(a)linux.kolkatainfoservices.in: userPassword 3> now the command *ldapsearch -H ldaps://* when asks the password I gave the admin password stored in sasldb2. and now it is working. 4> I may be allowed to provide the log here ======================================================= Mar 12 12:26:12 linux slapd[6783]: conn=2 fd=15 ACCEPT from IP=127.0.0.1:36689 (IP=0.0.0.0:636) Mar 12 12:26:12 linux slapd[6783]: conn=2 fd=15 TLS established tls_ssf=256 ssf=256 Mar 12 12:26:12 linux slapd[6783]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Mar 12 12:26:12 linux slapd[6783]: conn=2 op=0 SRCH attr=supportedSASLMechanisms Mar 12 12:26:12 linux slapd[6783]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Mar 12 12:26:12 linux slapd[6783]: conn=2 op=1 BIND dn="" method=163 Mar 12 12:26:12 linux slapd[6783]: conn=2 op=1 RESULT tag=97 err=14 text= Mar 12 12:26:12 linux ldapsearch: DIGEST-MD5 client step 2 Mar 12 12:26:14 linux ldapsearch: DIGEST-MD5 client step 2 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 BIND dn="" method=163 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 BIND authcid="admin" authzid="admin" Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 BIND dn="uid=admin,cn=digest-md5,cn=auth" mech=DIGEST-MD5 ssf=128 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 RESULT tag=97 err=0 text= Mar 12 12:26:14 linux ldapsearch: DIGEST-MD5 client step 3 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=3 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(objectClass=*)" Mar 12 12:26:14 linux slapd[6783]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=7 text= Mar 12 12:26:14 linux slapd[6783]: conn=2 op=4 UNBIND Mar 12 12:26:14 linux slapd[6783]: conn=2 fd=15 closed ============================================================== please note the ["uid=admin,cn=digest-md5,cn=auth" mech=DIGEST-MD5 ssf=128] 5> BUT when I added entry for Manager ( as per root dn) and provide the password of manager it is not working. even it is not working for any other uesrs which I have added in sasldb2. How can I fix the problem ? PS: here is my ldif as attachment dn: dc=kolkatainfoservices,dc=in objectClass: domain dc: kolkatainfoservices structuralObjectClass: domain dn: ou=adrbook-GER,dc=kolkatainfoservices,dc=in ou: adrbook-GER objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=adrbook-IND,dc=kolkatainfoservices,dc=in ou: adrbook-IND objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Users,dc=kolkatainfoservices,dc=in ou: Users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Passwd,dc=kolkatainfoservices,dc=in ou: Passwd objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Groups,dc=kolkatainfoservices,dc=in ou: Groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit

2 4

New superior without new RDN
by Dave Horsfall 14 Mar '07

14 Mar '07

OpenLDAP 2.3.32 How do I move an entry to a new superior without changing the RDN as well? I cannot find any examples of this (at least, none that works). dn: uid=dhtest,dc=coreng,dc=com,dc=au changeType: modDN newRDN: dhtest deleteOldRDN: 1 newSuperior: ou=systems,dc=coreng,dc=com,dc=au - Fails with: ldapmodify: invalid format (line 6) entry: "uid=dhtest,dc=coreng,dc=com,dc=au" Failed to update entry. as does: dn: uid=dhtest,dc=coreng,dc=com,dc=au changeType: modDN newRDN: uid=dhtest deleteOldRDN: 1 newSuperior: ou=systems,dc=coreng,dc=com,dc=au - I already discovered that I need "newRDN" i.e. just "newSuperior" won't cut it. Or must I use "ldapmodrdn", and risk a race condition if making several changes to the same entry? -- Dave Horsfall DTM VK2KFU daveh(a)ci.com.au Ph: +61 2 9552-5509 (d) -5500 (sw) Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU

8 13

Problem when activation TLSVerifyClient demand
by JOYDEEP 13 Mar '07

13 Mar '07

dear list, I have no problem to execute the command ldapsearch -H ldaps:// -u "uid=anupam" -x here is my TLS part of slapd.conf ---------------------------------------- TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/openldap/myca/servercert.pem TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem TLSCACertificateFile /etc/openldap/myca/cacert.pem TLSVerifyClient never ----------------------------------------------------------- Now when I change the [TLSVerifyClient never] to [TLSVerifyClient demand] and try to execute the same command * ldapsearch -H ldaps:// -u "uid=anupam" -x * it gives errors like ldap_bind: Can't contact LDAP server (-1) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Could any one suggest the problem I have here and the solution please ?

2 4

RE: Ghosting Data
by Mark Mcdonald 12 Mar '07

12 Mar '07

Howard Chu <mailto:hyc@symas.com> laid ink upon scroll at Tuesday, March 13, 2007 12:55 PM: > It should, but if you don't have reasonable checkpoints set > it may take > a long time to flush the cache. If the system is actually > shutting down, > it may not wait long enough for slapd to finish. Looks like it's my checkpoint directive. I have: checkpoint 512 60 Something like 'checkpoint 256 5' seems safer, or should I aim lower still? > Note that DB_TXN_NOT_DURABLE should not be used on production servers. > This flag was deleted in BDB 4.3 and later because it is inherently > unsafe. (One of those "only use this if you know what you're doing" > options that too frequently got used by people who shouldn't have...) Sounds right :) Was DB_TXN_NOT_DURABLE just renamed to DB_LOG_INMEMORY in 4.3 or is there more to it? I understand the ideal solution is to log full transaction logs to disk and use db_archive to backup the old logs & related data but we didn't look into this in much detail as it was considered unnecessary. Obviously we're wrong about that but we can recover a failed system using one of 30 odd other identical replicas across the network or failing that rebuild from our authorative data sources relatively quickly so is it worthwhile using only auto-removed txn logs? Thanks Mark

1 0

RE: Ghosting Data
by Mark Mcdonald 12 Mar '07

12 Mar '07

Mark Mcdonald <> laid ink upon scroll at Tuesday, March 13, 2007 9:48 AM: > I'm about to take the offending server down and run slapindex > but I fear the problem is in dn2id.bdb and id2entry.bdb, > which I don't believe slapindex fixes. I believe the problem may be caused by an unclean backend database shutdown... My rationale is that DB_CONFIG uses DB_TXN_NOT_DURABLE (LDAP is not an authorative source for us and we can restore from other sources easily enough) and yet the timestamp of the database files is about 10 minutes lagging behind the time I actually shut the system down, where I would have assumed that a clean shutdown would flush memory to disk. I also got this error running slapindex after a clean shutdown (Ubuntu Edgy, /etc/init.d/slapd stop): root # su -c 'slapindex -c' openldap bdb_db_open: unclean shutdown detected; attempting recovery. => bdb_idl_insert_key: c_get failed: DB_PAGE_NOTFOUND: Requested page not found (-30988) => hdb_tool_entry_reindex: txn_aborted! Accessing a corrupted shared library (80) => bdb_idl_insert_key: c_get failed: DB_PAGE_NOTFOUND: Requested page not found (-30988) => hdb_tool_entry_reindex: txn_aborted! Accessing a corrupted shared library (80) .... etc The stop command from the above initscript is: start-stop-daemon --stop --quiet --oknodo --retry 10 \ --pidfile "$SLAPD_PIDFILE" \ --exec /usr/sbin/slapd 2>&1` Thanks Mark

2 1

Client auth to slapd TLS issues
by Philip Bellino 12 Mar '07

12 Mar '07

Hello, Running openldap -2-3-32 with SLAPD on a linux server. Also running openldap-2-3.32 on a linux client. slapd.conf includes: TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/servercert.pem TLSCertificateKeyFile /usr/local/etc/openldap/newkey.pem TLSVerifyClient never (or allow) Issue1: Here is the debug output from the openldap code if the ldap.conf file has the following in it when I try authentication: TLS_CACERT cacert.pem TLS_CACERTDIR /usr/local/etc/openldap/ Login: ldapuser2 Password: *********ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 140.179.180.135:389 ldap_new_socket: 6 ldap_prepare_socket: 6 ldap_connect_to_host: Trying 140.179.180.135:389 ldap_connect_timeout: fd: 6 tm: 5 async: 0 ldap_ndelay_on: 6 ldap_is_sock_ready: 6 ldap_ndelay_off: 6 ldap_open_defconn: successful ldap_send_server_request ldap_result ld 0x100141d0 msgid 1 ldap_chkResponseList ld 0x100141d0 msgid 1 all 1 ldap_chkResponseList returns ld 0x100141d0 NULL wait4msg ld 0x100141d0 msgid 1 (infinite timeout) wait4msg continue ld 0x100141d0 msgid 1 all 1 ** ld 0x100141d0 Connections: * host: 140.179.180.135 port: 389 (default) refcnt: 2 status: Connected last used: Thu Jul 20 09:26:37 2006 ** ld 0x100141d0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x100141d0 Response Queue: Empty ldap_chkResponseList ld 0x100141d0 msgid 1 all 1 ldap_chkResponseList returns ld 0x100141d0 NULL ldap_int_select read1msg: ld 0x100141d0 msgid 1 all 1 read1msg: ld 0x100141d0 msgid 1 message type extended-result new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: ld 0x100141d0 0 new referrals read1msg: mark request completed, ld 0x100141d0 msgid 1 request done: ld 0x100141d0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS: could not load verify locations (file:`cacert.pem',dir:`/usr/local/etc/openldap/'). TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:104 TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:107 TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274 ldap_err2string Now, that pem file "cacert.pem" is in /usr/local/etc/openldap. Can anyone tell me why I get this error? Also I thought that with "TLSVerifyClient never" that the server wouldn't even ask for the client's certificate or if "allow" it would ask but wouldn't care if it was not there or could not be verified. ************************************************************************ ************************************************************************ ***** Issue2: Here is the debug output from the openldap code if the ldap.conf file does not have the "TLS_CACERT cacert.pem" or "TLS_CACERTDIR /usr/local/etc/openldap/" in it when I try authentication: Login: ldapuser2 Password: *********ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 140.179.169.185:389 ldap_new_socket: 6 ldap_prepare_socket: 6 ldap_connect_to_host: Trying 140.179.180.135:389 ldap_connect_timeout: fd: 6 tm: 5 async: 0 ldap_ndelay_on: 6 ldap_is_sock_ready: 6 ldap_ndelay_off: 6 ldap_open_defconn: successful ldap_send_server_request ldap_result ld 0x100141d0 msgid 1 ldap_chkResponseList ld 0x100141d0 msgid 1 all 1 ldap_chkResponseList returns ld 0x100141d0 NULL wait4msg ld 0x100141d0 msgid 1 (infinite timeout) wait4msg continue ld 0x100141d0 msgid 1 all 1 ** ld 0x100141d0 Connections: * host: 140.179.180.135 port: 389 (default) refcnt: 2 status: Connected last used: Thu Jul 20 10:05:12 2006 ** ld 0x100141d0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x100141d0 Response Queue: Empty ldap_chkResponseList ld 0x100141d0 msgid 1 all 1 ldap_chkResponseList returns ld 0x100141d0 NULL ldap_int_select read1msg: ld 0x100141d0 msgid 1 all 1 read1msg: ld 0x100141d0 msgid 1 message type extended-result new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: ld 0x100141d0 0 new referrals read1msg: mark request completed, ld 0x100141d0 msgid 1 request done: ld 0x100141d0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=Massachusetts/L=Littleton/O=MRV Inc/OU=Engineering/CN=DerJer/emailAddress=pino(a)mrv.com, issuer: /C=US/ST=Massachusetts/L=Littleton/O=MRV Inc/OU=Engineering/CN=DerJer/emailAddress=pino(a)mrv.com TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_err2string I guess my question here is similar to the above. If TLSVerifyClient is set to never or allow, I get the above error. Can anyone tell me why I get this error? Any help would be most appreciated. Thanks, Phil Bellino ============================ Phil Bellino MRV Communications, Inc. Boston Product Division 295 Foster St. Littleton,MA 01460 Tel: (978)952-4807 Email: pbellino(a)mrv.com ============================

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software