openldap-technical November 2008

openldap-technical@openldap.org

53 participants
60 discussions

Syncrepl question
by Ivan Ordonez 04 Dec '08

04 Dec '08

Hi all, We have a small size domain with about 500 users and computers. We are using Samba with Openldap integration to authenticate user login and file sharing. Our setup is consist of 3 servers running Gentoo Linux - 1PDC and 2BDCs. As for replication, we are still using "slurpd". Any changes or modification is done through the PDC which replicates the changes to BDC1, then from BDC1, it then goes down to BDC2 - it's like a chain. We want to start using "syncrepl" soon as a way to replicate our database but I'm not sure were to start. We want to setup all of our machine to sync with each other everyday, and not worry which machine is use to make changes, modification, etc.... I'm not sure which syncrepl function to use to achieve what we want to do. Is "N-Way Multi Master replication" the correct choice to do this? We are using "BDB" database on each servers, and would like to achieve this with minimal downtime if possible. What is the best way to do this? Please advise. Any help is greatly appreciated. -Ivan

3 12

{SSHA} for PHP
by Jack van Rock 01 Dec '08

01 Dec '08

Hi, I want to modify a website-login-system (PHP) to check passwords which are deocoded with SSHA. My script should compare the clear password, which I get from a FORM, with the SSHA-hash of the password, which is in the database (MySQL). The dates in the MySQL-DB comes from a LDAP. This is my script: <?php $password_sub = "test"; //Das Passwort erhalte ich über ein HTML-Formular $passsowrd_hash_db = base64_decode("e1NTSEF9aH...."); //Diesen base64-Hash erhalte ich aus der Datenbank. //Er wird gleich decodiert, da man daraus das $salt benötigt. //Dann hat er die Form {SSHA}hxtMi.... $salt = base64_decode(substr($passsowrd_hash_db , 32)); //Berechnung des $salt $hash = "{SSHA}" . base64_encode(pack("H*", sha1($password_sub.$salt)).$salt); ?> But the script doesn't work, because the generated hash isn't the same as the hash from the database. But I don't now, what's wrong? May someone help me? m@xx

2 1

SASL error
by Mansour Al Akeel 30 Nov '08

30 Nov '08

I am not able to modify a user from CLI. [root@neptune ~]# ldapsearch -D "cn=Manager,dc=test,dc=com" -W -b "dc=test,dc=com" -x -h localhost I get the all the enteries. However, When I do: [root@neptune ~]# ldapmodify -D "cn=Manager,dc=test,dc=com" -W -h localhost Enter LDAP Password: SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database If I use -x option, it hangs there for ever after I enter the password. Any idea ?

2 2

hello
by Donny George 28 Nov '08

28 Nov '08

Hello I installed ldap client and software on two ubuntu machines. but when i try to log in with the phpldapadmin gui it displays Network Error (tcp_error) A communication error occurred: "Connection refused" The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time. i am new to ldap and i cudnt really find a forum or thread which was talking about this problem. hope someone can help me -- Donny George

2 1

Community request: Real World OpenLDAP Deployments
by Gavin Henry 28 Nov '08

28 Nov '08

Dear All, I'd like to get some examples written up for http://www.openldap.org/doc/admin24/appendix-deployments.html If anyone is interested and allowed to share some information, I'd love to hear from you. The more strange the setup the better! Many thanks, Gavin. -- Kind Regards, Gavin Henry. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP.

3 2

Samba failed to bind Ldap
by Emil Sicad - ISD 26 Nov '08

26 Nov '08

Good day to all, Im new to LDAP, I've been working with SAMBA-LDAP implem. and i have these messages logs: Nov 25 17:56:59 smbldap slapd[9974]: sql_select option missing Nov 25 17:56:59 smbldap slapd[9974]: auxpropfunc error no mechanism available Nov 25 17:56:59 smbldap ldap: slapd startup succeededs Nov 25 17:57:07 smbldap smbd[9987]: [2008/11/25 17:57:07, 0] lib/smbldap.c:smbldap_connect_system(850) Nov 25 17:57:07 smbldap smbd[9987]: failed to bind to server with dn= cn=Manager,dc=fcb.net,dc=. Error: Can't contact LDAP server Nov 25 17:57:07 smbldap smbd[9987]: (unknown) Nov 25 17:57:23 smbldap smbd[9987]: [2008/11/25 17:57:23, 0] lib/smbldap.c:smbldap_search_suffix(1155) Nov 25 17:57:23 smbldap smbd[9987]: smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out) Question 1) Is my ldap working fine? 2) Why can't samba bind to Ldap? Pls teach me to understand those kind errors. Emil Sicad Cebu Mitsumi Inc Information Systems Division

3 5

schema design and schema restrictions
by Mansour Al Akeel 26 Nov '08

26 Nov '08

Hello all, I an new to LDAP, and I have a need to migrate the existing system to ldap as this will ease a bit the management for the new system implementation. I need to authenticate users for a web site, and for the internal system ( linux, windows stations .... etc). Now the available account objectclass is structural so I can not user inetorgperson with account as both are structural. In this case I decided to extend inetOrgPerson, and add username and password as a MUST attributes. This is because all the users have access to the web site and they need authentication, but some users will need to have access to the machines. In this case I will create a new objectClass (ie. accountInfo) which containts the info I need (home directory, shell, loginScript, .... etc). The issue here is how do I restrict the accountInfo to be added under User ? This is in fact not only specific to this senario. I couldn't find any docs about how to prevent objectClass domain to be added under group ! Finally, how do other ldap admin deal with similar cases ? Any advice ? thank you.

4 13

Tracking down persistent OpenLDAP corruption
by Gilbert Wilson 26 Nov '08

26 Nov '08

So... I'm having a problem with persistent corruption in Apple's Open Directory. I believe this corruption is related to OpenLDAP and the BerkeleyDB. I was hoping that folks here might be able to help me track down whether this is the problem or not. Essentially, what is happening is that user accounts will "disappear" from workgroup manager and dscl[1]. Accounts that have maintained a persistent connection will continue to be authenticated. But, accounts that are not authenticated will be unable to authenticate. The Directory Administrator account, for example, cannot authenticate at these times. If I restart slapd, all the missing accounts that had persistent connections will no longer be able to authenticate. An LDIF export, however, will show that the accounts are all still there. A regular repair and a catastrophic repair of of the BerkleyDB does not work.[2] The first time this happened, it DID work, but subsequent events have not been so easily fixed. A restore from backup is the only way to fix it. However, I suspect that there is malformed data lurking somewhere in the OpenLDAP system. The backups all have this malformed data. Thus, it doesn't take very much for the system to get corrupted again. A hard shutdown does it every time, and a minor upgrade to the OS did it, too. The standard suggested fix is destroy and rebuild the Open Directory setup. For obvious reasons, I would like to avoid this. I want to know *what* is happening. If it is, in fact, malformed data that is becoming corrupt, *what* data should I be examining, *where* is it located, and *how* do I check it for anomalies? Has anyone else had this kind of persistent corruption of their LDAP system? What was causing it? How did you find it? Any leads or words of wisdom would be greatly appreciated. Gilbert Wilson [1] http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/dsc… [2] http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/db_…

2 1

Disabling User Account
by piyush joshi 26 Nov '08

26 Nov '08

Dear Team, Is there any Schema or Attribute which can be used to disable user account if that account is not being used from one month or by providing date in advance to disable the account in future automatically. -- Regards Piyush Joshi 9415414376

3 2

Re: Delta-sync symptom in 2.4.11
by William Jojo 25 Nov '08

25 Nov '08

---- Original message ---- >Date: Thu, 20 Nov 2008 11:02:40 -0800 >From: Quanah Gibson-Mount <quanah(a)zimbra.com> >Subject: Re: Delta-sync symptom in 2.4.11 >To: William Jojo <w.jojo(a)hvcc.edu>,openldap-technical(a)openldap.org > >--On Thursday, November 20, 2008 10:38 AM -0500 William Jojo ><w.jojo(a)hvcc.edu> wrote: > > >> Otherwise this is just like test043, except or the missing dn's. :-) >> >> Any ideas? > >Try current RE24 CVS. There have been a number of replication related >fixes made since 2.4.11. > I just tried 2.4.13. The problem still persists. I will check out the CVS version in the morning. Cheers, Bill >--Quanah > >-- > >Quanah Gibson-Mount >Principal Software Engineer >Zimbra, Inc >-------------------- >Zimbra :: the leader in open source messaging and collaboration

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2008