openldap-software

openldap-software@openldap.org

2719 discussions

Local rewrite and authz-regexp
by Mathieu MILLET 14 Jan '09

14 Jan '09

Hi everyone, In this period, a "Happy new year" is most appropriate, isn't ? I have setup two servers in multimaster replication, with using SASL/EXTERNAL+authz_regexp (1 have to authz_regexp - one for cn=config and one for the replicator dn in data context) to authenticate the replication instances with SSL Certificates. I would like to implement a "local" rewrite of incoming requests (mostly BIND and Search operations) so that queries originating with dn like "cn=jdoe,ou=people,dc=local" are transformed in "uid=jdoe,ou=people,dc=local". I have two problems and one question : 1. I can't implement any olcRwmRewrite attribute. Any of the following lines in the olcOverlay={4}rwm.ldif file : olcRwmRewrite: {0}rwm-rewriteEngine "on" olcRwmRewrite: {1}rwm-rewriteContext "default" olcRwmRewrite: {2}rwm-rewriteRule "cn=(.+),ou=people,dc=local$" "uid=$1,ou=people,dc=local" ":" give the error message (in debug mode) : ------------- [/etc/openldap/slapd.d/:1] unknown command '' olcRwmRewrite: value #0: <olcRwmRewrite> handler exited with 1! config error processing olcOverlay={4}rwm,olcDatabase={2}hdb,cn=config: <olcRwmRewrite> handler exited with 1 send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=80 matched="" text="" slaptest: bad configuration directory! -------------- Those lines were generated by slaptest from a working slapd.conf file 2. Segfault at startup (or when pushing LDIF configuration - maybe at first sync): The segfault point varies from one startup to another, always after a TLS negociation (it is the syncrepl instance with itself) and sometimes the following lines appear: ldap_msgfree [rw] searchDN: "dc=app,dc=eiffage,dc=loc" -> "dc=app,dc=eiffage,dc=loc" => bdb_entry_get: ndn: "(null)" => bdb_entry_get: oc: "(null)", at: "contextCSN" bdb_dn2entry("(null)") Erreur de segmentation Even when the overlay configuration LDIF file is reduced to the following : dn: olcOverlay={4}rwm objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {4}rwm structuralObjectClass: olcRwmConfig If I remove the overlay configuration LDIF file, the server starts working immediately. 3. Where can I find documentation about olcRwmTFSupport and olcRwmNormalizeMapped, that slaptest generated for me ? For documentation, here are the authz_regexp : {0}cn=.*_repl_config,ou=AC-LDAP,o=myorg cn=config {1}cn=.*_replicator,ou=AC-LDAP,o=myorg cn=Replicator,ou=replicators,dc=local and the olcsyncrepl attributes look like this : {0}rid=001 provider="ldap://slxp0059.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=10 tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/repl_config.cert.pem tls_key=/etc/openldap/repl_config.key.pem {1}rid=002 provider="ldap://slxp0058.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=10 tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/repl_config.cert.pem tls_key=/etc/openldap/repl_config.key.pem {0}rid=201 provider="ldap://slxp0059.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/replicator.cert.pem tls_key=/etc/openldap/replicator.key.pem {1}rid=202 provider="ldap://slxp0058.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/replicator.cert.pem tls_key=/etc/openldap/replicator.key.pem Thanks in advance for any answer. Sincerely yours, Mathieu MILLET. -- Mathieu MILLET mailto:ldap@htam.net ----

2 2

syncrepl problem - nothing updated after initial syncronisation
by Carl Johnstone 14 Jan '09

14 Jan '09

Trying to get 2 slapd servers setup for multi-master replication - they will eventually be in different physical locations. Once I've got the 2 servers running OK, I'll be adding in a 3rd location. I've followed the admin guide, using cn=config and have attached a LDIF dump of the config (with schemas removed). When I bring up the second server, with a minimal config. It correctly replicates across cn=config and sets up the main DB. It then correctly copies across all the data in the main DB to bring itself up-to-date with the server that's already setup. However from the point I bring it online it doesn't replicate any further changes to the first server. If I restart the second server the contextCSN is updated, however no other changes are replicated across. Is there anything obviously wrong with my config? Or have I hit a known problem? Carl

3 5

LDAP Question
by Andi Gorhan 14 Jan '09

14 Jan '09

Hello, another LDAP question from my side. If a LDAP DB crashes and I use the db_recover command. What is LDAP doing? Do I need the "checkpoint" paramter in slapd.conf or does LDAP manage the Backup with the Transactionlogs? Is it possible to recover a DB without the checkpoint attribute? Thank You very much, Andi

2 1

Re: syncrepl problem - nothing updated after initial syncronisation
by Carl Johnstone 14 Jan '09

14 Jan '09

Carl Johnstone wrote: > Trying to get 2 slapd servers setup for multi-master replication - > they will eventually be in different physical locations. Once I've > got the 2 servers running OK, I'll be adding in a 3rd location. I've > followed the admin guide, using cn=config and have attached a LDIF > dump of the config (with schemas removed). > > When I bring up the second server, with a minimal config. It correctly > replicates across cn=config and sets up the main DB. It then correctly > copies across all the data in the main DB to bring itself up-to-date > with the server that's already setup. However from the point I bring > it online it doesn't replicate any further changes to the first > server. If I restart the second server the contextCSN is updated, > however no other changes are replicated across. > > Is there anything obviously wrong with my config? Or have I hit a > known problem? Sorry, some more information: It's openldap 2.4.13 with bdb 4.7.25 (all three patches currently available have been applied) Configure options: ./configure --enable-dynamic --enable-crypt --enable-modules=yes --enable-backends=mod --enable-overlays=mod --enable-sql=no --enable-ndb=noAll the test passed after the build, however some experimentation today:./run -b bdb -s rp test050-syncrepl-multimaster # Works fine./run -b bdb -s ro test050-syncrepl-multimaster # test failed - producer and consumer1 databases differCarl

1 0

LDAP Question
by Andi Gorhan 13 Jan '09

13 Jan '09

Hello, I hope you can help me with my new LDAP Question. I configured a Master Master Configuration and in parallel I had a look at ldap Log with Loglevel 8192 (indexing). I started both LDAPs and the following messages occured: ... Jan 13 11:26:24 server1 slapd[23752]: Could not find the attribute entryUUID in the configured ones! Jan 13 11:26:24 server1 slapd[23752]: Could not fill merging data structure for attribute entryUUID! Jan 13 11:26:24 server1 slapd[23752]: Could not fill merging data structure for attribute entryUUID! Jan 13 11:26:24 server1 slapd[23752]: Could not find the attribute entryUUID in the configured ones! Jan 13 11:26:24 server1 slapd[23752]: Could not fill merging data structure for attribute entryUUID! ... What does that mean because this Logs set one CPU Wait IO (wa) to 100% and I do not know way? Hopefully somebody can help me with this. Thank You, Andi

2 1

LDAP Question
by Andi Gorhan 13 Jan '09

13 Jan '09

Hello everybody, My Name is Andi and I come from Germany. I am very new in LDAP and worked with it the last half year. It is very interesting to work with LDAP but I still have some questions and maybe (hopefully) you can help me. Information to my case: My environment is relativ big. I have 2 LDAP Masters and 8 LDAP Slaves. I configured both Masters with the Master-Master Syncreplication. Also all Slaves sync with the Master 1. The second Master is only Backup. I build a really big database (~1.000.000 entrys) to see how LDAP handle this. Now my questions: 1. I want to know how LDAP works innside. If I tell LDAP which attributes to index, what does LDAP do? When does LDAP index the attributes and how much time/performance cost that? What is the LDAP indexing Process? 2. A very strange behaviour occurs after on a given time. The CPU Load increase dramatically and I do not know why. Is it indexing or the Master Master configuration? What else can generate this CPU Problem? 3. The last point is about LDAP Security. The normal backup way is to use slapcat and slapadd. Is it possible to simply copy the whole database for a correct working backup. So if LDAP Master break down I simply copy the backuped database to the LDAP directory and everyting works? I tested it before and at the first time it looks good but If I want to search an entry with some filter rules (e.g. uid=abc) it doesn't bring any entrys although the entry exists. If I do not use filter, it works correctly. What can be the problem here? Hopefully you experts can help me here because I invested so much time in this and I did not find any way to do it. Thank you and have a great day. Andi

2 1

access: regexp vs. ip
by Hallvard B Furuseth 13 Jan '09

13 Jan '09

I'm cleaning up a config from hell... Is there any performance reason to have access by peername.regex="^IP=129\.240\.(170 chars):" instead of 25 clauses of <by peername.ip=...>? -- Hallvard

1 0

Re: smbk5pwd producing undefined symbol: _kadm5_set_keys error on Ubuntu
by David Markey 12 Jan '09

12 Jan '09

do i have to submit a new ITS or can i use my old one? On Mon, Jan 12, 2009 at 9:10 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > Just note that patches submitted to the -software list are not considered > for inclusion to the software, so if this is expected to become part of the > software, make sure it is tied to an ITS report. > > --Quanah > > > --On Monday, January 12, 2009 5:56 PM +0000 David Markey < > admin(a)dmarkey.com> wrote: > > Try This. >> >> --- smbk5pwd.c 2008-10-22 23:42:13.000000000 +0100 >> +++ smbk5pwd.c.orig 2008-10-06 02:00:56.000000000 +0100 >> @@ -372,8 +372,6 @@ >> struct berval *keys; >> int kvno, i; >> Attribute *a; >> - Key *local_keys; >> - size_t local_num_keys; >> >> if ( !SMBK5PWD_DO_KRB5( pi ) ) break; >> >> @@ -402,17 +400,7 @@ >> op->o_log_prefix, e->e_name.bv_val, 0 ); >> } >> >> - /* _kadm5_set_keys is a private function, inline its >> code here */ >> - ret = hdb_generate_key_set_password( >> context, ent.principal, >> - qpw->rs_new.bv_val, &local_keys, &local_num_keys); >> - if (ret != 0) >> - break; >> - >> - hdb_free_keys(context, ent.keys.len, ent.keys.val); >> - ent.keys.val = local_keys; >> - ent.keys.len = local_num_keys; >> - >> - >> + ret = _kadm5_set_keys(kadm_context, &ent, >> qpw->rs_new.bv_val); >> hdb_seal_keys(context, db, &ent); >> krb5_free_principal( context, ent.principal ); >> >> @@ -431,7 +419,7 @@ >> } >> BER_BVZERO( &keys[i] ); >> >> - hdb_free_keys(context, ent.keys.len, ent.keys.val); >> + _kadm5_free_keys(kadm_context, ent.keys.len, >> ent.keys.val); >> >> if ( i != ent.keys.len ) { >> ber_bvarray_free( keys ); >> >> >> >> >> >> >> >> >> On Mon, Jan 12, 2009 at 12:43 AM, Scott Grizzard >> <scott(a)scottgrizzard.com> wrote: >> >> >> >> If you have a patch, that would be great. I just started to dig into it, >> and I haven't looked at Heimdal's libraries until now. >> >> >> - Scott >> >> >> >> >> On Jan 11, 2009, at 2:51 PM, David Markey wrote: >> >> >> >> >> i submitted that bug, do we need a patch or do you want to take over >> scott? >> >> On Sat, Jan 10, 2009 at 11:10 PM, Scott Grizzard >> <scott(a)scottgrizzard.com> wrote: >> >>> Never mind. I found the issue on the mailing lists, now that I know >>> exactly >>> >> > what is causing the problem. >> >>> >>> I'll take a crack at it next weekend - no promises though. >>> >>> - Scott Grizzard >>> >>> On Jan 10, 2009, at 5:23 PM, Scott Grizzard wrote: >>> >>> >> That is for Heimdal 1.2. I am using 1.1. Since I have seen it work >> for >> >>> heimdal 1.0.1, is it correct to assume that the module was written for >>>> 1.0, and that significant changes happened to the API between 1.0 and >>>> 1.1? >>>> >>> >> >> >>> Would a patch for 1.2 fix the issue for Heimdal 1.1? (or... if I was to >>>> take the time to patch it for 1.1, would that patch work for 1.2?) I >>>> am not familiar enough with Heimdal to know. >>>> >>> >> >> >>> - Scott Grizzard >>>> >>>> On Jan 10, 2009, at 5:01 PM, Howard Chu wrote: >>>> >>>> Scott Grizzard wrote: >>>>> >>>>>> >>>>>> I am trying to make the smbk5pwd module manage password syncing with >>>>>> >>>>> >>>> Samba and Kerberos. I am running on Ubuntu Server 8.10 with >> >>> openldap-2.4.11 and heimdal 1.1. >>>>>> >>>>>> I can "make" the smbk5pwd module, but when I run a password change >>>>>> using >>>>>> >>>>> >>>> it, I recieve the following error: >> >>> >>>>> I've messed with this thing for quite a while now, but nothing seems >>>>>> to be working. Any ideas? >>>>>> >>>>> >>>>> >>> This is ITS#5799. A patch was supposedly available, but the >> person >> who >> >>> submitted the bug report never attached the patch to the report. Feel >>>>> free to nudge the submitter, we already have... >>>>> >>>> >>> >> >>> -- >>>>> -- Howard Chu >>>>> CTO, Symas Corp. http://www.symas.com >>>>> Director, Highland Sun http://highlandsun.com/hyc/ >>>>> >>>> >>> Chief Architect, OpenLDAP http://www.openldap.org/project/ >> >>> >>>> >>> >>> >> >> >> >> >> > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

smbk5pwd producing undefined symbol: _kadm5_set_keys error on Ubuntu
by Scott Grizzard 12 Jan '09

12 Jan '09

I am trying to make the smbk5pwd module manage password syncing with Samba and Kerberos. I am running on Ubuntu Server 8.10 with openldap-2.4.11 and heimdal 1.1. I can "make" the smbk5pwd module, but when I run a password change using it, I recieve the following error: |conn=0 op=1 PASSMOD id="uid=sgrizzard,ou=Users,dc=scottgrizzard,dc=com" new >>> dnPrettyNormal: <uid=sgrizzard,ou=Users,dc=scottgrizzard,dc=com> => ldap_bv2dn(uid=sgrizzard,ou=Users,dc=scottgrizzard,dc=com,0) <= ldap_bv2dn(uid=sgrizzard,ou=Users,dc=scottgrizzard,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=sgrizzard,ou=Users,dc=scottgrizzard,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=sgrizzard,ou=users,dc=scottgrizzard,dc=com)=0 <<< dnPrettyNormal: <uid=sgrizzard,ou=Users,dc=scottgrizzard,dc=com>, <uid=sgrizzard,ou=users,dc=scottgrizzard,dc=com> bdb_dn2entry("uid=sgrizzard,ou=users,dc=scottgrizzard,dc=com") => hdb_dn2id("dc=scottgrizzard,dc=com") <= hdb_dn2id: got id=0x1 => hdb_dn2id("ou=users,dc=scottgrizzard,dc=com") <= hdb_dn2id: got id=0x4 => hdb_dn2id("uid=sgrizzard,ou=users,dc=scottgrizzard,dc=com") <= hdb_dn2id: got id=0x22 entry_decode: "" <= entry_decode() => bdb_entry_get: ndn: "uid=sgrizzard,ou=users,dc=scottgrizzard,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" bdb_dn2entry("uid=sgrizzard,ou=users,dc=scottgrizzard,dc=com") => bdb_entry_get: found entry: "uid=sgrizzard,ou=users,dc=scottgrizzard,dc=com" bdb_entry_get: rc=0 slapd: symbol lookup error: /usr/lib/ldap/smbk5pwd.so.0: undefined symbol: _kadm5_set_keys| My Makefile: |# $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/Makefile,v 1.1 2004/04/02 11:06:38 hyc Exp $ # Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted only as authorized by the OpenLDAP # Public License. # # A copy of this license is available in the file LICENSE in the # top-level directory of the distribution or, alternatively, at # <http://www.OpenLDAP.org/license.html>. LIBTOOL=../../../libtool #LIBTOOL=/usr/bin/libtool OPT=-g -O2 CC=gcc # Omit DO_KRB5 or DO_SAMBA if you don't want to support it. DEFS=-DDO_KRB5 -DDO_SAMBA #HEIMDAL_INC=-I/usr/heimdal/include HEIMDAL_INC=-I/usr/include SSL_INC= LDAP_INC=-I../../../include -I../../../servers/slapd INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) #HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv HEIMDAL_LIB=-L/usr/lib -lkrb5 -lkadm5srv SSL_LIB=-lcrypto LDAP_LIB=-lldap_r -llber LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB) all: smbk5pwd.la smbk5pwd.lo: smbk5pwd.c $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $? smbk5pwd.la: smbk5pwd.lo $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ -rpath /usr/lib/ldap -module -o $@ $? $(LIBS)| I've messed with this thing for quite a while now, but nothing seems to be working. Any ideas? - Scott Grizzard

4 9

web apps and client certificate authentication
by manu＠netbsd.org 11 Jan '09

11 Jan '09

Hello I am not sure this is the right place for that question, but I cannot figure a better one. Please point me to the right place if there is a better one than here. I know how to use x509 certificate to authenticate a client against OpenLDAP. It works great with ldap{search|add|modify|delete|whatever}.` Now I would like to do the same with the client being a web browser and with a web application between the browser and slapd: browser (client cert) --> apache (PHP web application) --> slapd Client certificate authentication from the browser to apache is strightforward. Authenticating a PHP web application to the OpenLDAP directory using a client certificate is a bit trickier, but I see the way it should be done (ldap_sasl_bind is my friend). Therefore I can easily have the client authenticating to the web application, and the web application operating on the directory on behalf on the client (the web app should bind to the directory as a privilegied user that would have authzTo: *) But it would be nicer to actually have the client authenticate to slapd using its own client certificate. That is, having the web application behaving as a kind of proxy, without any special privilege on the directory. Is that possible? If it is, where should I start? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software