openldap-technical January 2008

openldap-technical@openldap.org

48 participants
57 discussions

migrating to another server - restore problem - slapcat slapadd
by Christophe Dumonet 24 Jan '08

24 Jan '08

Hello, I'm migrating from an old openldap server to a new one. So, I have done a dump of the ldap database with a " slapcat -l mydump.ldap -f /etc/openldap/slapd.conf -b "dc=mycompany,dc=com" --> So I had a dump ldif file where organisational units and dn are not in hierarchical order. In my new server ( which works fine , I can ldapadd some ou,dn , no problem) --> The slapadd command doesn't work because my ldap data in the ldif file is not in hierarchical order. I can't re-order manually this because it's a important database ( the ldif --> 50Mo). My slapadd command to restore is : slapadd -l mydump.ldif -f /etc/openldap/slapd.conf -b "dc=mycompany,dc=com" and the errors are relative to the ldif OU order, I had trying to cut/paste in the ldif file some OUs to reorder and errors are reporting to another OUs...which are not in hierachical order ! How can I do to restore quickly my data to my new server ? Any help would be appreciated, Christophe Dumonet, From france -- ---------------------------------------------------- Christophe Dumonet Centre de Ressources Informatiques Institut Francais de Mecanique Avancee (IFMA) Campus des Cezeaux BP 265 63175 AUBIERE Cedex Tel : +33 - 4.73.28.80.64 Fax : +33 - 4.73.28.81.00 Mail : Christophe.Dumonet(a)ifma.fr ----------------------------------------------------

4 6

Syncrepl multimaster replication issue
by Penza Kenneth at MITTS 23 Jan '08

23 Jan '08

People, I am currently trying to setup a multi-master ldap setup. The setup is running on CentOS 5.1 with kernel 2.6.18-53.el5. In this setup I have migrated the UNIX authentication files using MigrationTools and everything worked fine. When I am trying to setup the replication I am encountering a strange behavior. The initial synchronization was performed by copying /var/lib/ldap directory when openldap was shutdown. On starting both nodes query each other and everything seems operating correctly. When I perform a change on either node, the node performs the local change however it is not propagated on the other node and in the /var/log/ldap.log I get the following message: When ever the change is made on ldap1 it reports: Jan 23 10:10:43 ldap1 slapd[5787]: null_callback : error code 0x10 Jan 23 10:10:43 ldap1 slapd[5787]: syncrepl_updateCookie: rid=002 be_modify failed (16) When ever the change is made on ldap2 it reports: Jan 23 10:40:31 ldap2 slapd[5677]: null_callback : error code 0x10 Jan 23 10:40:31 ldap2 slapd[5677]: syncrepl_updateCookie: rid=002 be_modify failed (16) Setup details: cd /root/ldap_inst tar xvzf db-4.6.21.tar.gz tar xvzf openldap-2.4.7.tgz cd db-4.6.21 cd build_unix/ ../dist/configure --prefix=/usr make clean (as root) make (as root) cd /usr/share/libtool/libltdl configure --prefix=/usr make make install (as root) cd /root/ldap_install/openldap-2.4.7 ./configure --prefix=/usrd /usr/share/libtool/libltdl./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/sbin --mandir=/usr/share/man --with-tls --without-cyrus-sasl -enable-modules -enable-bdb=mod -enable-hdb=mod -enable-ldap=mod --enable-crypt make depend make make install (as root) This procedure was completed on two nodes, namely ldap1 and ldap2. This slapd.conf of each nodes is as follows: Ldap1: cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args modulepath /usr/sbin/openldap moduleload back_bdb.la TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3 TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem serverID 1 ldap://ldap1:389/ serverID 2 ldap://ldap2:389/ database bdb suffix "dc=linuxldap,dc=org" rootdn "cn=Manager,dc=linuxldap,dc=org" rootpw secret directory /var/lib/ldap checkpoint 128 15 cachesize 10000 dncachesize 5000 idlcachesize 30000 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 index objectClass,entryUUID,entryCSN eq #syncRepl rid=001 # provider=ldap://ldap1:389 # binddn="cn=Manager,dc=linuxldap,dc=org" # bindmethod=simple # credentials=secret # searchbase="dc=linuxldap,dc=org" # type=refreshOnly # interval=00:00:00:05 # retry="5 5 300 5" # timeout=1 syncRepl rid=002 provider=ldap://ldap2:389 binddn="cn=Manager,dc=linuxldap,dc=org" bindmethod=simple credentials=secret searchbase="dc=linuxldap,dc=org" type=refreshOnly interval=00:00:00:05 retry="5 5 300 5" timeout=1 mirrormode true sockbuf_max_incoming 5000 sockbuf_max_incoming_auth 5000 database monitor Ldap2: cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args modulepath /usr/sbin/openldap moduleload back_bdb.la TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3 TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem serverID 1 ldap://ldap1:389/ serverID 2 ldap://ldap2:389/ database bdb suffix "dc=linuxldap,dc=org" rootdn "cn=Manager,dc=linuxldap,dc=org" rootpw secret directory /var/lib/ldap checkpoint 128 15 cachesize 10000 dncachesize 5000 idlcachesize 30000 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 index objectClass,entryUUID,entryCSN eq syncRepl rid=001 provider=ldap://ldap1:389 binddn="cn=Manager,dc=linuxldap,dc=org" bindmethod=simple credentials=secret searchbase="dc=linuxldap,dc=org" type=refreshOnly interval=00:00:00:05 retry="5 5 300 5" timeout=1 #syncRepl rid=002 # provider=ldap://ldap2:389 # binddn="cn=Manager,dc=linuxldap,dc=org" # bindmethod=simple # credentials=secret # searchbase="dc=linuxldap,dc=org" # type=refreshOnly # interval=00:00:00:05 # retry="5 5 300 5" # timeout=1 mirrormode true sockbuf_max_incoming 5000 sockbuf_max_incoming_auth 5000 database monitor Regards, Kenneth Penza

3 2

Ldap ppolicy schema entries
by Ljunghammar, Darryl K 23 Jan '08

23 Jan '08

I would like to view the ppolicy schema attributes for a user when I do a "ldapsearch" but they don't show up. For example, I would like to see the "pwdHistory" attribute for a user. I know it is being updated because if I enter a previously used password it tells me it can't be reused. I am using openldap 2.3.39-3 on a Redhat 5.1 system. TIA, Darryl

2 1

Adding new LDIF entries
by David Moderski 23 Jan '08

23 Jan '08

I am having trouble finding the correct information about adding new entries. For example, if I am loading the initial directory, do the entries need to have changetype: add or is changetype: add only used for adding attributes to existing entries? -- Dave Moderski Programmer/Analyst Atlantic Cape Community College 609-625-1111 ext. 5298

2 1

Need a multi-client schema
by Carr, Chris 23 Jan '08

23 Jan '08

[deep breath, disclaimer: I am a knowledgeable end user, having administered a LAN of Linux and Windows PCs at home for several years, but I don't code and I knew nothing of LDAP until recently. I originally submitted this to openldap-software, but the moderator said it was more appopriate for this list. I have lurked for a week with increasing agitation at my lack of technical knowledge - apologies if this question is too stupid for most of you.] I run an IMAP server on my Linux box at home (Debian Etch), so that I can read my mail from anywhere, using any IMAP client (Outlook at work, Evolution at home, Thunderbird at my in-laws, etc.). I got frustrated with having to export and import my contacts all the time, never remembering which client had the most up-to-date set. So I looked into setting up my own LDAP server so they could live in one place, available to any client, just like the email. Sadly it doesn't seem to be that simple. Apt-get install slapd went fine - Debian was even so kind as to set up a bdb database for me with suffix "dc=mydomain", so all I had to do was create a rootdn and rootpw in slapd.conf. I painstakingly exported my contacts from Outlook as CSV, via Evolution as vCard then via http://labs.brotherli.ch/vcfconvert/ into LDIF. But trying to import the result into slapd gave lots of errors, and this is when I discovered the joys of schemata. The vCard-to-LDIF converter uses a variant Mozilla-address-book schema which slapd doesn't understand. I tried tweaking the LDIF file with this python script (http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/476224) but that fell over because some of my contacts don't have email addresses. So slapd is up and running but I have no way of importing my contact info without doing some Python hacking or re-keying the info (about 400 records). Basic question: is there an existing schema that I can include in slapd.conf which will allow my contacts to be intelligible to all the clients I use (let alone might use)? They are just basic person data: names, postal addresses, phone/fax numbers, email addresses, etc. Assuming no, can I combine a schema for each client, if I can find one? For example, the Mozilla one is here (https://bugzilla.mozilla.org/attachment.cgi?id=166746), which will work for Thunderbird, SeaMonkey etc. If I can find one for Evolution and one for Outlook, could I just include them all, or would there be incompatibilities? (Even if there aren't, a quick look at the Mozilla one leads me to suspect that I would need to duplicate numerous fields.) Does anyone successfully use LDAP with multiple clients? Is there an easy way to do it? Judging from the 'AD-style AUX classes' thread there are some issues with Outlook - in the first instance I would be happy if both Evolution and Thunderbird/SeaMonkey could see and edit the same contact data. Thanks in advance for any help, and apologies for the lengthy footer over which I have no control, CC This e-mail may contain information which is confidential, legally privileged and/or copyright protected. This e-mail is intended for the addressee only. If you receive this in error, please contact the sender and delete the material from your computer

3 7

Openldap / windows active directory sync
by अनुज Anuj Singh 23 Jan '08

23 Jan '08

Hi, I have one microsoft windows active directory server, 1. How to implement Openldap and Windows dircetory sync so that any user can get authorized from Openldap or M$ active directory. 2. User information/password sync How to sync windows Active directory with Openldap vice-versa. any tutorial/ how to? Thanks and regards Anuj

1 0

openldap 2.4.7 Segfault when deleting olcAccess parameter from cn=config
by Faraz Khan 22 Jan '08

22 Jan '08

When trying to delete a single olcAccess attribute from cn=config the openldap server crashes. The client library (php) returns error code -1 (cant contact LDAP Server) and the openldap server crashes. The delete operation is: dn: olcDatabase={2}bdb,cn=config changetype: modify delete: olcAccess olcAccess: 2 This behavior is not consistent. Sometimes the server crashes while sometimes it will report back : modifying entry "olcDatabase={2}bdb,cn=config" ldap_modify: No such attribute (16) It might continue to say Error 19 for a while (3-4 times) and on the 5th time the operation completes successfully. However, the dn at this time seems to contain NO entries. After this slapd crashes. Restarting will show that the operation was never ACTUALLY completed. The segfault trace is: ber_dump: buf=0x82c1ef0 ptr=0x82c1ef3 end=0x82c1f2c len=57 0000: 66 37 04 1c 6f 6c 63 64 61 74 61 62 61 73 65 3d f7..olcdatabase= 0010: 7b 32 7d 62 64 62 2c 63 6e 3d 63 6f 6e 66 69 67 {2}bdb,cn=config 0020: 30 17 30 15 0a 01 01 30 10 04 09 6f 6c 63 61 63 0.0....0...olcac 0030: 63 65 73 73 31 03 04 01 32 cess1...2 conn=0 op=3 do_modify: dn (olcdatabase={2}bdb,cn=config) ber_scanf fmt ({e{m[W]}}) ber: ber_dump: buf=0x82c1ef0 ptr=0x82c1f15 end=0x82c1f2c len=23 0000: 30 15 0a 01 01 30 10 04 09 6f 6c 63 61 63 63 65 0....0...olcacce 0010: 73 73 31 03 04 01 32 ss1...2 >>> dnPrettyNormal: <olcdatabase={2}bdb,cn=config> => ldap_bv2dn(olcdatabase={2}bdb,cn=config,0) <= ldap_bv2dn(olcdatabase={2}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcDatabase={2}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcDatabase={2}bdb,cn=config)=0 <<< dnPrettyNormal: <olcDatabase={2}bdb,cn=config>, <olcDatabase={2}bdb,cn=config> conn=0 op=3 modifications: delete: olcaccess one value, length 1 conn=0 op=3 MOD dn="olcDatabase={2}bdb,cn=config" conn=0 op=3 MOD attr=olcaccess <= acl_access_allowed: granted to database root Segmentation fault -- Faraz R Khan Chief Architect Emergen Consulting Pvt Ltd www.emergen.biz

2 1

> posixGroup & memberOf
by vip43＠mail.ru 22 Jan '08

22 Jan '08

Hi colleagues, HOW to make posixGroup a memberOf another posixGroup?? ... : nis.schema > posixGroup objectclass : ---------- objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ member $ description ) ) ----------- and where is "memberOf" ?? it seems it must present in MUST.., IMHO openldapAdminGuide promised to add "memberOf attr to posixGroup..,. can i do it myself ?? And what GUI-tool can rule this moment ??,- i'm using http://ldapadmin.sourceforge.net/ , but it can't.

2 3

AD-style AUX classes
by Andrew Bartlett 21 Jan '08

21 Jan '08

I'm not quite sure what I'm looking for here, sorry: In Samba4, we don't yet have full schema validation. In some ways it just has not been a priority - we validate that the attribute and objectClasses exist, but not that they match up. In using OpenLDAP, I'm hoping to avoid having to write that logic, so I stopped adding extensibleObject to all our objectClass values, and replaced it with samba4Top, contaning all the things that AD's top contains, but OpenLDAPs does not. So far so good, but AD has: dn: CN=Domain-DNS,${SCHEMADN} objectClass: top objectClass: classSchema subClassOf: domain systemAuxiliaryClass: samDomain Looking at http://www.grotan.com/ldap/microsoft.ext.schema I created entries in my schema file like: dITContentRule ( 1.2.840.113556.1.5.67 NAME 'domainDNS' AUX ( samDomain ) ) dITContentRule ( 1.2.840.113556.1.5.3 NAME 'samDomain' AUX ( samDomainBase ) ) This created two problems: It appears that you cannot create a ditContentRule for a non-structural objectClass (samDomain is AUXILIARY), and even if I do, I can't tack on the samba4Top on the end, because of: Adding DomainDN: DC=samba,DC=example,DC=com (permitted to fail) ldb load failed: LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION - <class 'samba4Top' not allowed by content rule 'domainDNS'> <> Is there a different approach I should be taking? I need to extend 'top' without extending OpenLDAP's hardcoded top, and I need something that looks like dITcontentRule without the restrictions. Any hints? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

5 16

MinGW, OpenLDAP and OpenSSL
by Jonathan Bowman 20 Jan '08

20 Jan '08

Greetings all, I recently set out to compile OpenLDAP with SSL/TLS on Windows using MinGW, so that I could compile Ruby/LDAP and python-ldap. It took me a while to find my way, and I frequently wished there were easy instructions online, all in one place. Once I successfully finished, I posted my instructions here: http://bowmansolutions.com/mingw-openldap/ I would love feedback on these instructions, affirmation or criticism. My apologies if they duplicate what is already out there. Regards, Jonathan Bowman

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2008