Upgrade from openldap 2.4.9 to 2.4.12
by Paul Lee
Dear all,
I am currently having 4 LDAP servers running in 4-way masters mode, the
current version is 2.4.9 and there are around 100k records.
The db version is 4.2.
If I want to upgrade to version 2.4.12, I should upgrade the db to 4.4
or above, right?
But if the db version is upgraded, how do I preserve my existing 100k
records? Is there any formal procedure to convert the data to the new format?
Is my following procedure correct ?
- upgrade the db version to 4.4
- upgrade openldap in 1 machine to 2.4.12
- delete all the files in /usr/local/var/openldap-data
- stop 2 more openldap servers, leaving only 1 running version 2.4.9
- start the new server running version 2.4.12, then, records will be
created in 2.4.12.
- repeat for the other servers.
Is this correct?
Thanks
Confidential Communication - This e-mail (including any attachments) is confidential and may be
legally privileged. If this e-mail has been sent to you by mistake please inform us by reply
e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the
information in it.
15 years, 1 month
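A data-preserving way to do the upgrade asked about above (dump the old database to LDIF with slapcat, load it with slapadd under the new binaries, compare entry counts), written here as an added example; it is not from the post or from the OpenLDAP project, and the config path, dump path and the assumption that slapd is stopped during each step are mine.

```shell
# Added example, not part of the thread: dump the BDB 4.2 database to LDIF
# with the 2.4.9 tools, load it with the 2.4.12 tools after the BDB 4.4
# upgrade, and verify the entry count survived. Paths are assumptions.
set -eu

CONF=/usr/local/etc/openldap/slapd.conf
DBDIR=/usr/local/var/openldap-data
DUMP=/var/tmp/openldap-2.4.9-export.ldif

# Number of entries in an LDIF file: each entry begins with a "dn:" line.
# (grep -c prints 0 but exits 1 when nothing matches, hence "|| true".)
ldif_entry_count() {
  grep -c '^dn:' "$1" || true
}

# Succeeds only when the before/after counts are both present and equal.
counts_match() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" -eq "$2" ]
}

# Step 1, old binaries, slapd stopped: LDIF is independent of the
# Berkeley DB on-disk version, so this is the copy to keep, not the
# files under $DBDIR.
export_db() {
  slapcat -f "$CONF" -l "$DUMP"
  ldif_entry_count "$DUMP" > "$DUMP.count"
}

# Step 2, after installing BDB 4.4 and OpenLDAP 2.4.12: load into an
# empty database directory. -w makes slapadd write the syncrepl
# contextCSN from the loaded entries, so the other masters can resume.
import_db() {
  mkdir -p "$DBDIR"
  slapadd -f "$CONF" -w -l "$DUMP"
  slapcat -f "$CONF" -l "$DUMP.check"
  counts_match "$(cat "$DUMP.count")" "$(ldif_entry_count "$DUMP.check")" \
    || { echo "entry count changed during import" >&2; return 1; }
  echo "imported $(cat "$DUMP.count") entries; start slapd, then repeat per master"
}

case "${1:-}" in
  export) export_db ;;
  import) import_db ;;
esac
```

Run `export` with the old tools before touching the packages and `import` with the new ones afterwards, one master at a time.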
Security issue : userPassword is shown
by Paul Lee
Hi all,
I use a 3rd party LDAP browser to browse the users that I created. I
can see the userPassword clearly (plain text).
Is there any way to avoid this?
When I use the slapcat command to export to an LDIF file, the userPassword
field is encrypted, but why does using a 3rd party browser show the
password in plain text?
Thanks
15 years, 1 month
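Because the question above turns on what the "userPassword::" form in slapcat output actually is, here is an added audit script (mine, not from the post or from OpenLDAP) that unfolds an LDIF dump and reports which userPassword values carry a hash scheme tag and which are cleartext; it assumes base64(1) is available.

```shell
# Added example, not part of the thread: find userPassword values stored
# in the clear. "userPassword::" in slapcat output means the value is
# base64-encoded for LDIF, not encrypted; an LDAP browser just decodes it.
set -eu

# CLEARTEXT, or HASHED:{scheme} when a scheme tag such as {SSHA} is present.
classify_password() {
  case "$1" in
    \{*\}*) rest=${1#\{}; echo "HASHED:{${rest%%\}*}}" ;;
    *)      echo "CLEARTEXT" ;;
  esac
}

# Print "<class> <dn>" for one password; fail when it is cleartext.
report() {
  kind=$(classify_password "$2")
  echo "$kind $1"
  [ "$kind" != CLEARTEXT ]
}

# Handle one unfolded LDIF line, remembering the current dn.
handle_line() {
  case "$1" in
    'dn: '*)            dn=${1#dn: } ;;
    'dn:: '*)           dn=$(printf '%s' "${1#dn:: }" | base64 -d) ;;
    'userPassword: '*)  report "$dn" "${1#userPassword: }" ;;
    'userPassword:: '*) report "$dn" "$(printf '%s' "${1#userPassword:: }" | base64 -d)" ;;
  esac
}

# Audit a whole LDIF file; continuation lines (leading space) are
# joined first. Returns 1 if any cleartext password was found.
audit_ldif() {
  found=0; dn=''; cur=''
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ' '*) cur="$cur${line# }"; continue ;;
    esac
    handle_line "$cur" || found=1
    cur=$line
  done < "$1"
  handle_line "$cur" || found=1
  return $found
}

# Remediation in slapd.conf: hash what ldappasswd / Password Modify store,
#   password-hash {SSHA}
# and keep other users from reading the attribute at all:
#   access to attrs=userPassword by self write by anonymous auth by * none
```

Values already stored in the clear stay cleartext until they are reset; slappasswd produces the {SSHA} form for use in LDIF.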
LDAP + SAMBA PDC
by Arun NAIR
Hey Guys,
I have made an LDAP + Samba PDC and am able to add users to it as well.
But when I try to log in using ssh with the user name I get the error
message "Permission denied (publickey,gssapi-with-mic,password)". I'm
really reaching the deadlines now and have tried all the resources I
could get my hands on. It would be greatly appreciated if you guys can
help me out with this.
Regards,
Arun Nair
15 years, 1 month
Case sensitive uid attribute
by Martin Benson
Hi
I am currently using Buchan Milne's OpenLDAP 2.3.43 rpms on a RHEL 4.4
installation. I use the core, cosine, inetorgperson and NIS schemas and
everything works great. I mainly use OpenLDAP as an authentication server
and I have a problem where the uid is not case sensitive. If I create a user
called "Martin" then it will also allow me to log in as "martin" and then
fails as it cannot find my home directory. I have had a look at the schema
files, and in core.schema and core.ldif the uid entry is commented
out. It contains an entry "EQUALITY caseIgnoreMatch" and I tried to change
it to "EQUALITY caseExactMatch". Now I realise that I shouldn't be touching
the core.schema but I don't know how else to do this without invalidating
all the entries in the current database. No surprise, but changing the
attribute and uncommenting the uid entry did not work, so any help would be
appreciated. Sorry for not including all the usual files like slapd.conf, but
they are on the server at work and I am at home.
Martin Benson
15 years, 1 month
How to confirm syncrepl is working properly
by Mike Simonton
Hello everyone,
I'm trying to learn how to use OpenLDAP and syncrepl, and I have two issues.
First, how do I get past the following error, and second, how do I confirm
that syncrepl is actually working?
Here's the slaptest error:
# slaptest -f /usr/local/etc/openldap/slapd.conf
bdb_db_open: warning - no DB_CONFIG file found in directory
/usr/local/var/openldap-data: (2).
Expect poor performance for suffix "dc=promptutech,dc=local".
bdb_monitor_db_open: monitoring disabled; configure monitor database to
enable
config file testing succeeded
...and here's my slapd.conf. Any ideas?
cat /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/promptu.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /opt/promptu/openldap/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to *
by dn.base="cn=replica,dc=promptutech,dc=local" read
by * break
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=promptutech,dc=local"
rootdn "cn=Manager,dc=promptutech,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index entryCSN eq
index entryUUID eq
syncrepl rid=0
        provider=ldap://ptsunray02
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=promptutech,dc=local"
        filter="(objectClass=*)"
        attrs="*"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=replica,dc=promptutech,dc=local"
        credentials="secret"
updateref ldap://localhost
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10
Thanks for your help!
Mike
15 years, 1 month
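Added example for the second question above (not from the post or from the OpenLDAP project): the usual way to confirm syncrepl is to compare the contextCSN of the suffix entry on provider and consumer. The hostnames and suffix are taken from the posted slapd.conf; that anonymous binds may read contextCSN is an assumption (add -D/-w otherwise).

```shell
# Added example, not part of the thread: decide whether a consumer has
# caught up with its provider by comparing the contextCSN of the suffix
# entry on both. Hosts come from the slapd.conf above; bind options
# (-D/-w) may be needed if anonymous cannot read contextCSN.
set -eu

SUFFIX='dc=promptutech,dc=local'
PROVIDER='ldap://ptsunray02'
CONSUMER='ldap://localhost'

# Reduce ldapsearch output on stdin to a sorted list of contextCSN values.
# A CSN looks like 20081104120000.000000Z#000000#000#000000, i.e.
# timestamp#count#serverID#modcount; a lagging consumer shows an older
# timestamp for a serverID, or fewer serverIDs in a multi-master setup.
extract_csn() {
  sed -n 's/^contextCSN: //p' | sort
}

# contextCSN is an operational attribute, so it must be requested by name.
fetch_csn() {
  ldapsearch -x -LLL -H "$1" -b "$SUFFIX" -s base contextCSN | extract_csn
}

# 0 when both lists are non-empty and identical, 1 otherwise.
csn_in_sync() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

check_replication() {
  p=$(fetch_csn "$PROVIDER")
  c=$(fetch_csn "$CONSUMER")
  if csn_in_sync "$p" "$c"; then
    echo "in sync: $p"
  else
    printf 'NOT in sync\nprovider:\n%s\nconsumer:\n%s\n' "$p" "$c"
    return 1
  fi
}

# With refreshOnly and interval=00:00:05:00 a change made on the provider
# should appear on the consumer within five minutes: run this before and
# after such a change to see the consumer's CSN move.
if [ "${1:-}" = check ]; then check_replication; fi
```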
LDAP proxy for AD
by Lynn York
Hello,
I have been attempting to use openldap as a proxy to AD with no success.
I have attempted multiple different ways that I found online. I am able to
get the proxy server to connect to AD, but I cannot get a client server to
connect through the proxy to the AD server. Can anyone suggest anything?
-Lynn
15 years, 1 month
TLS not working (even though SSL does) -- logging trouble
by Kyle Barger
I have an OpenLDAP 2.3 server that is up and running. I have been
trying to add SSL and TLS. SSL connections on port 636 work fine.
However the TLS connection on 389 is not working. The only errors are
"TLS accept failure" and "TLS negotiation failure." I've not been able
to dig up any more information, even using the -d option, and I notice
that people have posted log files with detailed TLS trace messages. How
can I enable the TLS logging to find out what's going on? Thanks.
--
Kyle Barger
Director of Information Systems
The Lutheran Theological Seminary at Philadelphia
(For questions about your computer, network, or telephone service,
email helpdesk(a)ltsp.edu)
15 years, 1 month
Issue while implementing Password Policy
by daljeet.mehta@wipro.com
Hi,
I am trying to implement password policy in OpenLDAP.
There are already similar postings on the same issue. But I tried all
the possible solutions and now I am really tired after one week.
Here are the details about my problem:
Operating System: Red Hat Linux ES 5.0
OpenLDAP Release: 2.3.39
During the addition of the userPassword node I get the following error.
ldapadd -f /root/openldap/openldap-2.3.39/servers/slapd/schema/paswd_policy1.ldif -D "cn=Manager,dc=xyz,dc=com" -w secret -x
adding new entry "cn=default,ouname=ppolicy,oname=P_Policy,dc=xyz,dc=com"
ldapadd: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax
Then after reading some of the issues related to it, I tried every
possible solution. I added overlay path in my slapd.conf and I got the
following error.
./slapd -f /root/openldap/openldap-2.3.39/servers/slapd/slapd.conf -d 1
@(#) $OpenLDAP: slapd 2.3.39 (Aug 25 2008 11:38:51) $
	root@localhost.localdomain:/root/openldap/openldap-2.3.39/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
overlay "ppolicy" not found
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Following is my configuration file snapshot:
# This file should NOT be world readable.
#
include /root/openldap/openldap-2.3.39/servers/slapd/schema/core.schema
include /root/openldap/openldap-2.3.39/servers/slapd/schema/local.schema
include /root/openldap/openldap-2.3.39/servers/slapd/schema/java.schema
include /root/openldap/openldap-2.3.39/servers/slapd/schema/inetorgperson.schema
#include /root/openldap/openldap-2.3.39/servers/slapd/schema/ppolicy.schema
include /etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
modulepath /root/openldap/openldap-2.3.39
modulepath /servers/slapd/overlays
modulepath /usr/sbin
moduleload ppolicy.la
moduleload back_hdb.la
moduleload back_monitor.la
#modulepath %MODULEDIR%
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
moduleload ppolicy.la
moduleload /root/openldap/openldap-2.3.39/libraries/libldap
overlay ppolicy
ppolicy_default "cn=default,ouname=ppolicy,oname=P_POLICY,dc=xyz,dc=com"
ppolicy_use_lockout
#overlay ppolicy
#overlay refint
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=xyz,dc=com"
rootdn "cn=Manager,dc=xyz,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
Trust me, I did R & D for 7 days. Even with a fresh installation of the same
version and of a newer version (2.4.11 release) I got the same error.
Can you please tell me the steps to make this work? Now it has become a
matter of life and death for me and I will do anything possible to resolve
it.
Thanks in advance for your help.
Thanks & Regards,
Daljeet Mehta
Please do not print this email unless it is absolutely necessary.
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
www.wipro.com
15 years, 1 month
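Added example for the 'overlay "ppolicy" not found' message above (my script, not from the post or from OpenLDAP): it resolves each moduleload in a slapd.conf against the modulepath in force the way slapd does, so a module that will not be found is reported before slapd is started; the config file path is a parameter.

```shell
# Added example, not part of the thread: dry-run the modulepath/moduleload
# directives of a slapd.conf to find modules slapd will not be able to
# load, which is what lies behind an "overlay ... not found" message.
set -eu

# Echo where module $1 is found given the colon-separated path $2
# (absolute names are checked as-is); exit 1 if nowhere. libltdl also
# tries other extensions, so this is a conservative check.
resolve_module() {
  mod=$1; rest=$2
  case "$mod" in
    /*) [ -f "$mod" ] && { echo "$mod"; return 0; }; return 1 ;;
  esac
  while [ -n "$rest" ]; do
    d=${rest%%:*}
    if [ "$d" = "$rest" ]; then rest=''; else rest=${rest#*:}; fi
    if [ -f "$d/$mod" ]; then echo "$d"; return 0; fi
  done
  return 1
}

# Walk the config. Each modulepath line *replaces* the search path in
# force (slapd hands it to lt_dlsetsearchpath), so a moduleload is
# resolved against the most recent modulepath only, never against all
# of them. Prints OK/MISSING per moduleload; returns 1 if any is missing.
check_modules() {
  path=''; rc=0
  while read -r key val _ || [ -n "$key" ]; do
    case "$key" in
      modulepath) path=$val ;;
      moduleload)
        if dir=$(resolve_module "$val" "$path"); then
          echo "OK $val -> $dir"
        else
          echo "MISSING $val (search path: ${path:-none})"; rc=1
        fi ;;
    esac
  done < "$1"
  return $rc
}

if [ -n "${1:-}" ]; then check_modules "$1"; fi
```

On the posted configuration the three modulepath lines leave only /usr/sbin as the search path by the time any moduleload line is reached.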