Active Directory caching
by Adrian Marsh
Hi All,
I'm looking for some references/answers as to how OpenLDAP and Active
Directory work with regards to caching.
The scenario I'm seeing is this:
I have Apache on a RHEL5 machine authenticating users via LDAP. It's set
to cache for 600s, so I don't overload the server unnecessarily.
What I'm seeing though, is that something somewhere is caching old
passwords. I can change the user's password several times, and LDAP will
authenticate using any of the passwords previously used. I've tried
some timing tests of my own, and it seems that it takes up to 50 mins for
my first password change to take effect (an odd time to me).
So I'm trying to figure out who's caching the other passwords: is it
LDAP, or is it AD? And if so, where are the settings to look at? And
what timers are involved? I actually don't mind the idea of caching
older passwords, but only so long as I know how long it will be for, and
what mechanism is doing it; then I can change it if need be.
I'm setting these directives (taken straight from the Apache examples).
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
My setup's quite simple. I've one Domain Controller. No proxies involved.
I've read what I can online, and am getting stuck.
Thanks,
Adrian
14 years, 4 months
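The directives above configure mod_ldap's operation cache, which remembers a successful bind as the DN plus a hash of the password for LDAPOpCacheTTL seconds; a later bind with the same DN and password is answered from the cache without asking the directory, and nothing about a password change on the directory side evicts that entry. The model below, an added example that is not mod_ldap's code (the Directory stand-in, the DN and the timings are constructed), shows why an old password keeps working for exactly one TTL after a change and what a flush-on-change hook buys you. Anything that outlives the configured TTL cannot come from this cache and has to be accounted for on the directory side.

```python
"""TTL credential-cache model in the spirit of Apache mod_ldap's operation
cache (LDAPOpCacheTTL).  Added example, not mod_ldap's code: names, the
Directory stand-in and the timings are constructed."""
import hashlib
import hmac
import time


class Directory:
    """Stand-in for the LDAP/AD server: one current password per DN."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.bind_calls = 0          # how many real binds the cache let through

    def bind(self, dn, password):
        self.bind_calls += 1
        return hmac.compare_digest(self.passwords.get(dn, ""), password)

    def set_password(self, dn, password):
        self.passwords[dn] = password


class BindCache:
    """Remembers successful binds as (dn, sha256(password)) for ttl seconds.
    Nothing tells the cache about a password change in the directory, so an
    old password keeps passing until its entry expires."""

    def __init__(self, directory, ttl, clock=time.monotonic):
        self.directory = directory
        self.ttl = ttl
        self.clock = clock
        self._entries = {}           # (dn, digest) -> expiry timestamp

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, dn, password):
        key = (dn, self._digest(password))
        now = self.clock()
        expiry = self._entries.get(key)
        if expiry is not None and expiry > now:
            return True              # cache hit: no bind sent to the directory
        self._entries.pop(key, None)
        if self.directory.bind(dn, password):
            self._entries[key] = now + self.ttl
            return True
        return False

    def invalidate(self, dn):
        """Drop every cached credential for dn (a flush-on-change hook)."""
        for key in [k for k in self._entries if k[0] == dn]:
            del self._entries[key]


def demo():
    """Old password accepted for the whole TTL after a change, then refused."""
    clock = [0.0]
    dn = "cn=adrian,dc=example,dc=com"
    ldap = Directory({dn: "old-pass"})
    cache = BindCache(ldap, ttl=600, clock=lambda: clock[0])
    first = cache.authenticate(dn, "old-pass")          # real bind, cached
    ldap.set_password(dn, "new-pass")                   # change in the directory
    clock[0] = 300.0
    old_still_ok = cache.authenticate(dn, "old-pass")   # served from cache
    new_ok = cache.authenticate(dn, "new-pass")         # miss, real bind, cached
    clock[0] = 601.0
    old_expired = cache.authenticate(dn, "old-pass")    # expired, real bind fails
    return first, old_still_ok, new_ok, old_expired, ldap.bind_calls


def demo_flush():
    """Same change, but the cache is told about it: old password fails at once."""
    clock = [0.0]
    dn = "cn=adrian,dc=example,dc=com"
    ldap = Directory({dn: "old-pass"})
    cache = BindCache(ldap, ttl=600, clock=lambda: clock[0])
    cache.authenticate(dn, "old-pass")
    ldap.set_password(dn, "new-pass")
    cache.invalidate(dn)
    return cache.authenticate(dn, "old-pass")
```

With a 600 s TTL the directory sees only three binds in `demo()`, which is the load saving the cache exists for; the price is that a revoked password stays usable for up to LDAPOpCacheTTL seconds, so that value should be chosen against how long a compromised credential may remain valid after a reset, not only against server load.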
Debugging a user authentication
by Adrian Marsh
Hi All,
Using Apache 2.2, how do I debug the LDAP lookups being made to a 2003
Domain Controller? I've one user who's failing to authenticate, but all
my other users do, and I'm trying to see why. He authenticates OK, same
password, via other mechanisms to the DC, but just not via the Apache
LDAP lookup.
I'm an LDAP novice so am looking for names of debug tools/methods etc.
Thanks,
Adrian
14 years, 4 months
LDAP logs
by Tom Cooper
Hi all,
I am running openldap 2.3.27 and in the database directory log files are
created called log.00000xxxx where xxxx is an incrementing number. Each
log file is 10MB in size. Searching for it, it looks like Berkeley DB
logs. How do I get rid of them, as they chew up my disk space quite quickly?
I have noticed that if they are deleted, my database becomes corrupted.
Thanks.
Tom
14 years, 4 months
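Those log.NNNNNNNNNN files are Berkeley DB transaction logs; deleting them by hand removes what BDB needs to recover the environment, which is the corruption described above. The two supported ways to bound them are `set_flags DB_LOG_AUTOREMOVE` in the DB_CONFIG file of the database directory (BDB then unlinks logs once a checkpoint has made them unnecessary; slapd's `checkpoint` directive controls how often checkpoints happen), or running `db_checkpoint -1` followed by `db_archive -d`, which removes only logs that are no longer needed. Either way, logs that are gone can no longer be used for catastrophic recovery, so keep `slapcat` dumps. The audit below is an added example, not part of the thread or of OpenLDAP: it measures log growth in an environment directory and checks whether autoremove is set, on a constructed directory of sparse placeholder files.

```python
"""Audit a Berkeley DB environment directory for transaction log growth.
Added example; the directory, files and sizes below are constructed."""
import os
import tempfile


def parse_db_config(path):
    """Return the set of DB_CONFIG 'set_flags' values, ignoring comments."""
    flags = set()
    if not os.path.exists(path):
        return flags
    with open(path) as fh:
        for line in fh:
            words = line.split("#", 1)[0].split()
            if len(words) >= 2 and words[0] == "set_flags":
                flags.add(words[1])
    return flags


def audit_bdb_dir(dbdir):
    """Return (log_count, total_bytes, autoremove_enabled) for dbdir."""
    logs = sorted(f for f in os.listdir(dbdir)
                  if f.startswith("log.") and f[4:].isdigit())
    total = sum(os.path.getsize(os.path.join(dbdir, f)) for f in logs)
    flags = parse_db_config(os.path.join(dbdir, "DB_CONFIG"))
    return len(logs), total, "DB_LOG_AUTOREMOVE" in flags


# DB_CONFIG without log removal: logs accumulate until someone archives them.
WEAK_DB_CONFIG = """\
set_cachesize 0 268435456 1
set_lg_bsize 2097152
"""

# Same file with BDB allowed to unlink logs a checkpoint no longer needs.
FIXED_DB_CONFIG = """\
set_cachesize 0 268435456 1
set_lg_bsize 2097152
# let BDB unlink log files once a checkpoint has made them unnecessary
set_flags DB_LOG_AUTOREMOVE
"""


def demo(n_logs=5, log_size=10 * 1024 * 1024):
    """Build a fake environment with n_logs 10 MB logs; audit it both ways."""
    with tempfile.TemporaryDirectory() as d:
        for i in range(1, n_logs + 1):
            with open(os.path.join(d, "log.%010d" % i), "wb") as fh:
                fh.truncate(log_size)       # sparse file, same reported size
        with open(os.path.join(d, "DB_CONFIG"), "w") as fh:
            fh.write(WEAK_DB_CONFIG)
        before = audit_bdb_dir(d)
        with open(os.path.join(d, "DB_CONFIG"), "w") as fh:
            fh.write(FIXED_DB_CONFIG)
        after = audit_bdb_dir(d)
    return before, after
```

Point `audit_bdb_dir` at the real database directory (for example /var/lib/ldap) to see how much space the logs take and whether the setting is in place; changing DB_CONFIG takes effect the next time slapd opens the environment.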
startup ldap problem
by GanGan
hello all,
My problem: when I start my LDAP server, this appears in my log:
Nov 13 12:34:10 srvtest3 slapd[3738]: daemon: shutdown requested and
initiated.
Nov 13 12:34:10 srvtest3 slapd[3738]: slapd shutdown: waiting for 0 threads
to terminate
Nov 13 12:34:10 srvtest3 slapd[3738]: slapd stopped.
Nov 13 12:34:12 srvtest3 slapd[3800]: @(#) $OpenLDAP: slapd 2.3.27 (Jul 2
2008 04:29:17) $
brewbuilder@hs20-bc2-2.build.redhat.com:/builddir/build/BUIL
D/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
Nov 13 12:34:12 srvtest3 slapd[3800]: nss_ldap: could not search LDAP
server - Server is unavailable
Nov 13 12:34:12 srvtest3 slapd[3800]: nss_ldap: could not search LDAP
server - Server is unavailable
Nov 13 12:34:12 srvtest3 slapd[3800]: /etc/openldap/slapd.conf: line 55:
rootdn is always granted unlimited privileges.
Nov 13 12:34:12 srvtest3 slapd[3800]: /etc/openldap/slapd.conf: line 60:
rootdn is always granted unlimited privileges.
Nov 13 12:34:12 srvtest3 slapd[3800]: /etc/openldap/slapd.conf: line 65:
rootdn is always granted unlimited privileges.
Nov 13 12:34:12 srvtest3 slapd[3801]: slapd starting
I do not understand where the problem is. In my /etc/ldap.conf?
This command:
getent passwd
displays no LDAP users.
Does someone have an idea?
Thanks
--
- GanGan -
14 years, 4 months
(no subject)
by Bad Guy
Dear all,
I am running openldap 2.4.11 with 4-way masters (SID=001 to 004) configured. (My suffix is empty in slapd.conf.)
The data can be synced initially. I add records in 1 server and all the other 3 servers will have the new record added. However, I found that after running for some time, one server will have a corrupted contextCSN in SID=001.
dn:
contextCSN:: sCttCIio0wAxNTQzMTMuMDQ1Mjk3WiMwMDAwMDAjMDAyIzAwMDAwMA==
contextCSN: 20081107061013.853051Z#000000#001#000000
contextCSN: 20081107073602.911356Z#000000#003#000000
contextCSN: 20081107061028.825773Z#000000#004#000000
The contextCSN for SID=002 in server 1 is corrupted. So, whenever there is an update in the SID=002 server, the SID=001 server will never get the update;
however, when there is an update in the SID=003 or SID=004 server, the records will get updated in SID=001.
We have a background cron job in each server running at 1-minute intervals to retrieve the records and set some user-defined attributes if they meet certain criteria.
What's the cause of this corruption? Is there any way to recover the corrupted contextCSN by command or script without rebuilding the data?
Thanks
14 years, 4 months
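The `::` after the first contextCSN means ldapsearch base64-encoded the value because it is not printable. Decoding it shows the last 32 bytes are a well-formed CSN tail, `154313.045297Z#000000#002#000000`, so the time of day, the SID 002 and the counters survived and only the first eight bytes, where the date `20081107` belongs, hold binary garbage. The script below is an added example (not part of the thread or of OpenLDAP) that checks every contextCSN in an LDIF entry against the CSN layout byte by byte and reports which positions are wrong, on a constructed copy of the values quoted above; it diagnoses, it does not attempt a repair.

```python
"""Validate contextCSN values from an LDIF dump, base64 ones included.
Added example; ENTRY is a constructed copy of the values in the post."""
import base64

# Expected shape of a CSN: 14-digit UTC time, '.', 6-digit microseconds, 'Z',
# then '#' count (6 hex), '#' SID (3 hex), '#' modifier (6 hex): 40 bytes.
TEMPLATE = "DDDDDDDDDDDDDD.DDDDDDZ#HHHHHH#HHH#HHHHHH"

ENTRY = """\
dn:
contextCSN:: sCttCIio0wAxNTQzMTMuMDQ1Mjk3WiMwMDAwMDAjMDAyIzAwMDAwMA==
contextCSN: 20081107061013.853051Z#000000#001#000000
contextCSN: 20081107073602.911356Z#000000#003#000000
contextCSN: 20081107061028.825773Z#000000#004#000000
"""


def ldif_values(text, attr):
    """Raw bytes of every value of attr; '::' marks a base64 value (RFC 2849)."""
    out = []
    for line in text.splitlines():
        if line.startswith(attr + ":: "):
            out.append(base64.b64decode(line[len(attr) + 3:]))
        elif line.startswith(attr + ": "):
            out.append(line[len(attr) + 2:].encode("ascii"))
    return out


def bad_offsets(raw):
    """Byte positions where raw departs from TEMPLATE (all, on a length mismatch)."""
    if len(raw) != len(TEMPLATE):
        return list(range(len(raw)))
    bad = []
    for i, (want, b) in enumerate(zip(TEMPLATE, raw)):
        ch = chr(b)
        if want == "D":
            ok = ch in "0123456789"
        elif want == "H":
            ok = ch in "0123456789abcdefABCDEF"
        else:
            ok = ch == want
        if not ok:
            bad.append(i)
    return bad


def check_csn(raw):
    """Return (sid, bad_offsets, printable_form) for one CSN value."""
    parts = raw.split(b"#")
    sid = parts[2].decode("ascii", "replace") if len(parts) == 4 else None
    printable = "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in raw)
    return sid, bad_offsets(raw), printable


def audit(text):
    """[(sid, bad_offsets, printable)] for each contextCSN in an LDIF entry."""
    return [check_csn(v) for v in ldif_values(text, "contextCSN")]


if __name__ == "__main__":
    for sid, bad, shown in audit(ENTRY):
        status = "ok" if not bad else "CORRUPT at bytes %s" % bad
        print("SID %s: %s  %s" % (sid, status, shown))
```

Run it against `ldapsearch -LLL -b "" -s base contextCSN` output from each master; a CSN whose date field is overwritten while the rest is intact, as here, is a damaged value in the stored entry rather than a transport or clock problem, which is worth knowing before deciding between a scripted fix and a reload.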
Password protection of TLS key
by Akke Bengtsson
Is it still a requirement that TLS keys must have their password nullified
before using them in an openldap context?
Some experimentation with slapd startup has revealed that for some
combinations of OS and OpenLDAP version, I will be given a prompt for the
TLS password and can also input it and the slapd daemon starts correctly.
On other systems, I was prompted for the password but before I even could
enter it, the slapd startup crashed. The tests were all performed doing a
manual startup via "/etc/init.d/ldap start".
Automatic startup means that the password, instead of being entered by a
person, has to reside on file and thereby be accessible to potential
intruders.
Is there any way to prevent unprotected keys, or passwords to keys, in this
context?
Akke Bengtsson
14 years, 4 months
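The tension in the question is the usual one for any daemon that must start unattended: a passphrase that has to be on disk for the init script protects nothing, so the practical baseline is an unencrypted key that only the slapd service account can read (mode 0600, owned by that account), with the stronger option being a key that never sits on disk at all (an HSM or PKCS#11 token). The check below is an added example, not from the thread or from OpenLDAP; it reports whether a PEM key is passphrase-protected and whether its permissions leak it, on constructed placeholder PEM texts that contain no real key material.

```python
"""Check how a slapd TLS private key is protected on disk.
Added example; the PEM texts below are constructed placeholders, not keys."""
import os
import stat
import tempfile

ENCRYPTED_MARKERS = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 with passphrase
    b"Proc-Type: 4,ENCRYPTED",                  # legacy PEM passphrase
)


def audit_key_file(path, service_uid=None):
    """Return {'encrypted', 'mode', 'findings'} for one PEM key file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        head = fh.read(4096)
    encrypted = any(m in head for m in ENCRYPTED_MARKERS)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key readable by group or others (want 0600)")
    if service_uid is not None and st.st_uid != service_uid:
        findings.append("not owned by the slapd service account")
    if encrypted:
        findings.append("passphrase-protected: unattended start needs the passphrase on disk anyway")
    return {"encrypted": encrypted, "mode": oct(mode), "findings": findings}


# Constructed placeholders with the PEM headers only; no key material inside.
PLAIN_PEM = (b"-----BEGIN PRIVATE KEY-----\n"
             b"...constructed placeholder...\n"
             b"-----END PRIVATE KEY-----\n")
ENC_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"Proc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
           b"...constructed placeholder...\n"
           b"-----END RSA PRIVATE KEY-----\n")


def demo():
    """World-readable plaintext key, the same key at 0600, then an encrypted key."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "slapd-key.pem")
        with open(plain, "wb") as fh:
            fh.write(PLAIN_PEM)
        os.chmod(plain, 0o644)
        before = audit_key_file(plain, service_uid=me)
        os.chmod(plain, 0o600)
        after = audit_key_file(plain, service_uid=me)
        enc = os.path.join(d, "slapd-key-enc.pem")
        with open(enc, "wb") as fh:
            fh.write(ENC_PEM)
        os.chmod(enc, 0o600)
        encrypted = audit_key_file(enc, service_uid=me)
    return before, after, encrypted
```

In production, call `audit_key_file` with the path from `TLSCertificateKeyFile` and the uid slapd runs as; a clean result is a plaintext key with an empty findings list.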
Cannot modify directory entry with custom attribute
by James S. White
I cannot add a custom objectclass to a directory entry. When I remove my custom
objectclass and attributes, I can modify the entry normally. When I add them,
I get an "Invalid Syntax (21)" error. I've googled extensively, and can find
other cases of this happening, but not an effective solution. What am I missing
here?
Details:
#/etc/ldap/schema/venn.schema
attributetype ( 1.1.2.1.1 NAME 'vennBase'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.1.2.1.2 NAME 'vennClass'
DESC 'A single set this host belongs to'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
objectClass ( 1.1.2.2.1 NAME 'vennHost'
SUP top
AUXILIARY
MUST ( vennBase $ vennClass )
)
#added to /etc/ldap/slapd.conf
include /etc/ldap/schema/venn.schema
# command
/etc/init.d/slapd restart
#freyr.ldif
dn: cn=freyr,ou=Hosts,dc=websages,dc=com
cn: freyr
objectclass: top
objectclass: ipHost
objectclass: device
objectclass: vennHost
ipHostNumber: 72.14.177.235
vennBase: debian-etch
vennClass: ldap_server
vennClass: bind9_server
vennClass: cfengine_server
vennClass: openldap_server
vennClass: irc_server
# command
ldapmodify -xh freyr.websages.com -D "cn=root,dc=websages,dc=com" -f freyr.ldif -W
#error
modifying entry "cn=freyr,ou=Hosts,dc=websages,dc=com"
ldap_modify: Invalid syntax (21)
additional info: objectclass: value #3 invalid per syntax
If I remove all the venn* stuff from the .ldif, everything works fine...
Any help would be appreciated.
14 years, 4 months
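slapd numbers attribute values from zero, so "objectclass: value #3 invalid per syntax" points at the fourth objectclass line, `vennHost` itself: that is the message slapd gives for an objectClass name it has no definition for, so the first thing to confirm is that the slapd that is running actually read the `include`. The script below is an added example (not from the thread or from OpenLDAP): it maps the value number in that error back to the offending value, parses the custom schema for the class's MUST list and checks the entry against it, using the schema and an abridged copy of the LDIF from the post; the set of built-in classes is an assumption standing in for core.schema and nis.schema.

```python
"""Map slapd's 'objectclass: value #N invalid per syntax' to the offending
value and check the entry against the custom schema.  Added example; SCHEMA
and LDIF are copied from the post (LDIF abridged), BUILTIN_CLASSES is assumed."""
import re

SCHEMA = """\
attributetype ( 1.1.2.1.1 NAME 'vennBase'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.1.2.1.2 NAME 'vennClass'
DESC 'A single set this host belongs to'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
objectClass ( 1.1.2.2.1 NAME 'vennHost'
SUP top
AUXILIARY
MUST ( vennBase $ vennClass )
)
"""

LDIF = """\
dn: cn=freyr,ou=Hosts,dc=websages,dc=com
cn: freyr
objectclass: top
objectclass: ipHost
objectclass: device
objectclass: vennHost
ipHostNumber: 72.14.177.235
vennBase: debian-etch
vennClass: ldap_server
vennClass: bind9_server
"""

# Classes the running slapd knows from schema files loaded before venn.schema
# (core.schema, nis.schema); a constructed stand-in for the real schema set.
BUILTIN_CLASSES = {"top", "device", "ipHost"}


def schema_blocks(text):
    """Yield (kind, body) for each '<kind> ( ... )' definition, parens balanced."""
    pos = 0
    while True:
        m = re.search(r"(attributetype|objectClass)\s*\(", text[pos:], re.I)
        if not m:
            return
        start = pos + m.end()
        depth, j = 1, start
        while depth and j < len(text):
            depth += (text[j] == "(") - (text[j] == ")")
            j += 1
        yield m.group(1).lower(), text[start:j - 1]
        pos = j


def parse_schema_classes(text):
    """Map objectClass name -> list of MUST attributes."""
    classes = {}
    for kind, body in schema_blocks(text):
        if kind != "objectclass":
            continue
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        m = re.search(r"MUST\s*(?:\(([^)]*)\)|(\S+))", body)
        must = []
        if m:
            must = [a.strip() for a in (m.group(1) or m.group(2)).split("$") if a.strip()]
        classes[name] = must
    return classes


def ldif_attr(text, attr):
    """All values of attr in a single-entry LDIF (attribute names are case-insensitive)."""
    out = []
    for line in text.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip().lower() == attr.lower():
            out.append(v.strip())
    return out


def unknown_objectclass_values(ldif, known):
    """[(index, name)] for objectclass values not in known; index matches 'value #N'."""
    lower = {k.lower() for k in known}
    return [(i, oc) for i, oc in enumerate(ldif_attr(ldif, "objectclass"))
            if oc.lower() not in lower]


def missing_must(ldif, classes):
    """[(class, attribute)] for MUST attributes the entry does not carry."""
    present = {line.partition(":")[0].strip().lower()
               for line in ldif.splitlines() if ":" in line}
    return [(oc, a) for oc in ldif_attr(ldif, "objectclass")
            for a in classes.get(oc, []) if a.lower() not in present]


def demo():
    """Without venn.schema loaded, value #3 is unknown; with it, the entry is fine."""
    classes = parse_schema_classes(SCHEMA)
    without = unknown_objectclass_values(LDIF, BUILTIN_CLASSES)
    with_venn = unknown_objectclass_values(LDIF, BUILTIN_CLASSES | set(classes))
    return without, with_venn, missing_must(LDIF, classes)
```

The first result of `demo()` reproduces the server's complaint, `[(3, 'vennHost')]`, from the entry alone; once the custom class is in the known set the same entry passes, and both MUST attributes are present, so the LDIF itself is not what is wrong.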
moving ldap-db via file-copying?
by Silvana
Hello!
I hope you can help me migrate my old ldap-db. The problem is this:
Our old server was running with ldap2.2.7? to serve as backend to the
sambaserver and as of today it's refusing to work or give errors
(the ldap-daemon seems to start, but doesn't open the port, is not
accessible, gives no errors and has to be killed, because stopping it
gives no reaction).
Now, I've set up a new machine to use ldap, given it the same suffix, cn,
etc. The version of ldap is a newer one than on the old box, although
I'm not sure how far removed they are.
Is it in some way possible to just copy the files in /var/lib/ldap/ from
the old server and insert them into the new box in the same folder? If so,
which files would be OK to overwrite, which not? Or would I have to tweak
some other files for that as well?
Or is this completely inconceivable (as I dread is the case), and if yes,
how am I to get the files from the old server to the new one?
Any help on this would be greatly appreciated.
bye
silvana
14 years, 4 months
Re: ldap attributes - performance problem?
by Pavlos Parissis
On Sun, 09 Nov 2008 08:52:21 -0800
radim.roska(a)gmail.com wrote:
> Hi,
>
> ok..then i guess there is not a problem :)..of course I'll add indexes, but
> I was just thinking if its ok to have a lot of same attributes..
If the schema allows multiple values for this attribute, then from OL's point of view it is fine.
I assume that Apache or any other LDAP client which is going to fetch this attribute will correctly handle the multiple values.
Cheers,
Pavlos
>
> thanks,
> Radim
>
> On Nov 9, 2008 11:43am, Pavlos Parissis <p_pavlos(a)freemail.gr> wrote:
> > Hi,
> >
> > I don't really understand your concerns.
> >
> > Are you worried about LDAP search performance?
> > Adding indexes is your solution for this.
> >
> > Cheers,
> > Pavlos
> >
> > On Sat, 8 Nov 2008 21:15:02 +0100
> > "Radim Roska" wrote:
> >
> > > Hi,
> > >
> > > I'm thinking about a solution to the following problem: authorization to
> > > directories on our file server (accessed by webdav). Is it a performance
> > > issue to build a solution on the following pattern?
> > >
> > > part of user's ldif
> > > ...
> > > uid=someone
> > > allow_dir: directory1
> > > allow_dir: directory2
> > > allow_dir: directory3
> > > allow_dir: directory4
> > >
> > > and then just htaccess directives in apache for every one of these
> > > directories :)
> > >
> > > it could happen that someone would have e.g. 50 of these
> > > attributes... would it be a problem?
> > >
> > > Thanks for advice and advanced opinion :)
> > > Radim
> > >
>
14 years, 4 months
ldap attributes - performance problem?
by Radim Roska
Hi,
I'm thinking about a solution to the following problem: authorization to
directories on our file server (accessed by webdav). Is it a performance
issue to build a solution on the following pattern?
part of user's ldif
...
uid=someone
allow_dir: directory1
allow_dir: directory2
allow_dir: directory3
allow_dir: directory4
and then just htaccess directives in apache for every one of these directories
:)
it could happen that someone would have e.g. 50 of these attributes... would
it be a problem?
Thanks for advice and advanced opinion :)
Radim
14 years, 4 months