openldap-technical October 2008

openldap-technical@openldap.org

59 participants
63 discussions

Upgrade from openldap 2.4.9 to 2.4.12
by Paul Lee 23 Oct '08

23 Oct '08

Dear all, I am currently having 4 LDAP servers running in 4-way masters mode, the current version is 2.4.9 and there are around 100k records. The db version is 4.2. If I want to upgrade to version 2.4.12, I should upgrade the db to 4.4 or above, right ? but if the db version is upgraded, how to preserve my existing 100k records, any formal procedure to convert the data to the new format ? Is my following procedure correct ? - upgrade the db version to 4.4 - upgrade openldap in 1 machine to 2.4.12 - delete all the files in /usr/local/var/openldap-data - stop 2 more openldap servers, leaving only 1 running version 2.4.9 - start the new server running version 2.4.12, then, records will be created in 2.4.12. - repeat for others servers. Is this correct ? Thanks Confidential Communication - This e-mail (including any attachments) is confidential and may be legally privileged. If this e-mail has been sent to you by mistake please inform us by reply e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the information in it.

3 5

Security issue : userPassword is shown
by Paul Lee 23 Oct '08

23 Oct '08

Hi all, I use a 3rd party LDAP browser to browse the users that I created. I can see the userPassword clearly (plain text). Is there any way to avoid this ? When I use slapcat command to export to LDIF file, the userPassword field is encrypted, but why using 3rd party browser will show the password in plain text ? Thanks Confidential Communication - This e-mail (including any attachments) is confidential and may be legally privileged. If this e-mail has been sent to you by mistake please inform us by reply e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the information in it.

6 7

Re: Upgrade from openldap 2.4.9 to 2.4.12
by Oliver Liebel 23 Oct '08

23 Oct '08

yes. absolutely correct: 2.4.12 needs 4.4+ http://www.openldap.org/software/release/readme.html Rein Tollevik schrieb: > Oliver Liebel skrev: >> keep it simple. >> first, theres no need of upgrading your bdb. >> 4.2.52 has the longest history to be stable. >> for bdb versions, see: >> http://www.openldap.org/lists/openldap-technical/200807/msg00138.html > > As of version 2.4.12, the bdb backend only support db versions 4.4 and > higher. See the README file. So the upgrade from 4.2 *is* required. > > Rein Tollevik > Basefarm AS > > ____________ Virus checked by G DATA AntiVirusKit Version: AVK 19.1180 from 23.10.2008 Virus news: www.antiviruslab.com

1 0

LDAP + SAMBA PDC
by Arun NAIR 23 Oct '08

23 Oct '08

Hey Guys, I have made an LDAP + Samba PDC and am able to add users to it as well. But when I try to login using ssh to the user name I get the error message Permission denied (publickey,gssapi-with-mic,password). I'm really reaching the deadlines now and have tried all the resources I could get my hands on it would be greatly appreciated if you guys can help me out with this. Regards, Arun Nair

3 2

Case sensitive uid attribute
by Martin Benson 22 Oct '08

22 Oct '08

Hi I am currently using Buchan Milne's OpenLDAP 2.3.43 rpm's on a RHEL 4.4 installation. I use the core, cosine, inetorgperson and NIS schema's and everything works great. I mainly use OpenLDAP as an authentication server and I have a problem where the uid is not case sensitive. If I create a user called "Martin" then it will also allow me to log in as "martin" and then fails as it cannot find my home directory. I have had a look at the schema files and in the core.schema and the core.ldif the uid entry is commented out. It contains an entry "EQUALITY caseIgnoreMatch" and I tried to change it to "EQUALITY caseExactMatch". Now I realise that I shouldn't be touching the core.schema but I don't know how else to do this without invalidating all the entries in the current database. No surprise but changing the attribute and uncommenting the uid entry did not work so any help would be appreciated. Sorry for not including all the usual files like slapd.conf but they are on the server at work and I am at home. Martin Benson

2 1

How to confirm syncrepl is working properly
by Mike Simonton 22 Oct '08

22 Oct '08

Hello everyone, I'm trying to learn how to use OpenLDAP and syncrepl, and I have two issues. First, how do I get past the following error, and second, how do I confirm that syncrepl is actually working?? Here's the slaptest error: # slaptest -f /usr/local/etc/openldap/slapd.conf bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2). Expect poor performance for suffix "dc=promptutech,dc=local". bdb_monitor_db_open: monitoring disabled; configure monitor database to enable config file testing succeeded ...and here's my slapd.conf. Any ideas?? cat /usr/local/etc/openldap/slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/promptu.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args # Load dynamic backend modules: # modulepath /opt/promptu/openldap/libexec/openldap # moduleload back_bdb.la # moduleload back_hdb.la # moduleload back_ldap.la # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! access to * by dn.base="cn=replica,dc=promptutech,dc=local" read by * break ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=promptutech,dc=local" rootdn "cn=Manager,dc=promptutech,dc=local" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq index entryCSN eq index entryUUID eq syncrepl rid=0 provider=ldap://ptsunray02 type=refreshOnly interval=00:00:05:00 searchbase="dc=promptutech,dc=local" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=replica,dc=promptutech,dc=local" credentials="secret" updateref ldap://localhost mirrormode TRUE overlay syncprov syncprov-checkpoint 100 10 Thanks for your help! Mike

2 2

How to disable or enable an ldap user account
by RamakrishnaDeepak Battu 22 Oct '08

22 Oct '08

Hello everyone, Can any one point me to how u can disable/enable an ldap user account.Thanks in advance. regards, deepak.

7 6

LDAP proxy for AD
by Lynn York 22 Oct '08

22 Oct '08

Hello, I have been attempting to use openldap as a proxy to AD with no success. I have attempted multiple different ways that I found online. I am able to get the proxy server to connect to AD, but I cannot get a client server to connect through the proxy to the AD server. Can anyone suggest anything? -Lynn

7 22

TLS not working (even though SSL does) -- logging trouble
by Kyle Barger 21 Oct '08

21 Oct '08

I have an OpenLDAP 2.3 server that is up and running. I have been trying to add SSL and TLS. SSL connections on port 636 work fine. However the TLS connection on 389 is not working. The only errors are "TLS accept failure" and "TLS negotiation failure." I've not been able to dig up any more information, even using the -d option, and I notice that people have posted log files with detailed TLS trace messages. How can I enable the TLS logging to find out what's going on? Thanks. -- Kyle Barger Director of Information Systems The Lutheran Theological Seminary at Philadelphia (For questions about your computer, network, or telephone service, email helpdesk(a)ltsp.edu)

2 1

Issue while implementing Password Policy
by daljeet.mehta＠wipro.com 21 Oct '08

21 Oct '08

Hi, I am trying to implement password policy in OpenLDAP. There are already similar postings on the same issue. But I tried all the possible solutions and now I am really tired after one week. Here are the details about my problem Operating System: Red Hat Linux ES 5.0 OpenLDAP Release: 2.3.39 During the addition of userPassword node I get the following error. ldapadd -f /root/openldap/openldap-2.3.39/servers/slapd/schema/paswd_policy1.ldif -D "cn=Manager,dc=xyz,dc=com" -w secret -x adding new entry "cn=default,ouname=ppolicy,oname=P_Policy,dc=xyz,dc=com" ldapadd: Invalid syntax (21) additional info: pwdAttribute: value #0 invalid per syntax Then after reading some of the issues related to it, I tried every possible solution. I added overlay path in my slapd.conf and I got the following error. ./slapd -f /root/openldap/openldap-2.3.39/servers/slapd/slapd.conf -d 1 @(#) $OpenLDAP: slapd 2.3.39 (Aug 25 2008 11:38:51) $ root@localhost.localdomain:/root/openldap/openldap-2.3.39/servers/slapd <mailto:root@localhost.localdomain:/root/openldap/openldap-2.3.39/server s/slapd> daemon_init: listen on ldap:/// <ldap:///> daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:/// <ldap:///> ) daemon: listener initialized ldap:/// <ldap:///> daemon_init: 2 listeners opened slapd init: initiated server. slap_sasl_init: initialized! bdb_back_initialize: initialize BDB backend bdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006) hdb_back_initialize: initialize HDB backend hdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006) overlay "ppolicy" not found slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. Following is my configuration file snapshot:- # This file should NOT be world readable. # include /root/openldap/openldap-2.3.39/servers/slapd/schema/core.schema include /root/openldap/openldap-2.3.39/servers/slapd/schema/local.schema include /root/openldap/openldap-2.3.39/servers/slapd/schema/java.schema include /root/openldap/openldap.3.39/servers/slapd/schema/inetorgperson.schema #include /root/openldap/openldap-2.3.39/servers/slapd/schema/ppolicy.schema include /etc/openldap/schema/ppolicy.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org <ldap://root.openldap.org/> pidfile /var/run/slapd.pid argsfile /var/run/slapd.args # Load dynamic backend modules: modulepath /root/openldap/openldap-2.3.39 modulepath /servers/slapd/overlays modulepath /usr/sbin moduleload ppolicy.la moduleload back_hdb.la moduleload back_monitor.la #modulepath %MODULEDIR% # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la moduleload ppolicy.la moduleload /root/openldap/openldap-2.3.39/libraries/libldap overlay ppolicy ppolicy_default "cn=default,ouname=ppolicy,oname=P_POLICY,dc=xyz,dc=com" ppolicy_use_lockout #overlay ppolicy #overlay refint # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=xyz,dc=com" rootdn "cn=Manager,dc=xyz,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq Trust me I did R & D for 7 days. Even I did a free installation of same version and of newer version(2.4.11 release) also I got the same error. Can you please tell me the steps to make this working. Now it has become matter of life and death for me and I will do possibly anything resolve it. Thanks in advance for your help. Thanks & Regards, Daljeet Mehta Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2008