Cache/Proxy/Replicating a distant, slow LDAP server
by Morten Mikkelsen
Hi.
I work at a rather large company that has a rather slow LDAP server
that impacts the performance of a wiki server I am using.
I am playing with the idea of setting up a cache or replication of the
company LDAP server locally to reduce time spent performing ldap
lookups, but as I am quite new to the world of LDAP and openldap, I
have a hard time getting the set-up right.
I would like to set up a server that does not impose any requirements
on the existing (slow) server at all. I only need a read-only server -
updates are made on the slow 'master' - and only a few percent of the
records are interesting to our wiki.
Having looked at caching and proxying, I ended up setting my mind
on replication. As the master is off limits except for LDAP queries
(no slurpd logs), the syncrepl option seems to be the way to go.
I just can't get my head around the configuration.
The master LDAP has the following structure (as I see it):
o=company.com -> ou=commondirectory -> c=xx
Under commondirectory, all countries (such as 'dk', 'us' and a whole
bunch of others) are represented with the employees residing in them
listed below.
o=company.com -> ou=companygroups -> ou=groupmembers contain groups
that are used for controlling access to the wiki pages.
So what I need to have on my replicated server is: The groups and
people in the countries 'us' and 'dk'.
To start off easy, I am trying to replicate c=dk first - I've tried
adding the following to /etc/ldap/slapd.conf:
syncrepl rid=111
provider=ldap://ldap.company.com:389
type=refreshOnly
interval=00:12:00:00
searchbase="c=dk,ou=commondirectory,o=company.com"
scope=one
updatedn="c=dk,ou=commondirectory,o=company.com"
which makes the server start without error messages, but when I query with
ldapsearch -x -h 127.0.0.1 -b "c=dk,ou=commondirectory,o=company.com"
'(objectClass=*)' I get no result: "result: 32 No such object"
What am I doing wrong?
--
/Morten
13 years, 11 months
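For comparison, here is a complete read-only refreshOnly consumer database for the c=dk subtree as it would appear in slapd.conf. This is an added illustration, not configuration from the post or from the OpenLDAP project; the rootdn, the directory path, the retry setting and the reader account (binddn/credentials) are placeholders, and the provider URL, rid, interval and searchbase are the values from the post.

```conf
# Added example, not from the original post: a read-only syncrepl consumer
# holding only the c=dk subtree. rootdn, directory and the reader account
# are placeholders.
database        bdb
suffix          "c=dk,ou=commondirectory,o=company.com"
# The syncrepl engine applies replicated entries as the database rootdn,
# so a rootdn is required even though nothing ever binds as it.
rootdn          "cn=replica,c=dk,ou=commondirectory,o=company.com"
directory       /var/lib/ldap/dk
index           objectClass eq
# Equality indexes on entryUUID and entryCSN keep consumer-side lookups cheap.
index           entryUUID,entryCSN eq
# Writes arriving at this read-only copy are referred back to the provider.
updateref       ldap://ldap.company.com:389

# Continuation lines of the syncrepl directive start with whitespace.
syncrepl rid=111
        provider=ldap://ldap.company.com:389
        type=refreshOnly
        interval=00:12:00:00
        retry="60 +"
        searchbase="c=dk,ou=commondirectory,o=company.com"
        scope=sub
        filter="(objectClass=*)"
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=wiki-reader,o=company.com"
        credentials=replace-with-the-reader-password
```

Three things this layout makes explicit. The consumer database's suffix must be equal to, or above, the searchbase, and with scope=sub the c=dk entry itself is fetched, so a base search for it on the consumer can succeed; a "No such object" (32) answer just says that the consumer database has nothing at that DN, and `loglevel sync` on the consumer shows whether the refresh ever fetched entries from the provider. The slurpd-era updatedn directive is not part of a syncrepl stanza in OpenLDAP 2.3 and later, where the consumer writes under the database rootdn instead. The consumer also has to include the same schema files as the provider for every attribute type in the replicated entries; schemachecking=off only relaxes the object-class consistency check and does not make unknown attributes acceptable. The 'us' subtree and the ou=groupmembers groups can be added in the same way as further database sections, each with its own suffix, directory and rid.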
OpenLDAP as a 'generic' hierarchical data store
by Lorenzo Pastrana
Hello list,
I was wondering lately whether I could use OpenLDAP as a 'generic'
hierarchical data store for the application I'm planning, and tried to
get any hint about feasibility. I found a blog post about OpenDS
(http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database),
where the author states read/write performance parity ...
That was the kind of news I wanted to hear, because I'm thinking
about a persistence back-end, not just an almost static dataset, but I'm
in a pure PHP environment and Java is not an option; so I naturally
tried to get some information on OpenLDAP performance but found nothing
recent, and the references I could find are quite discouraging on that
matter ...
However, since 4 to 8 years have passed since the tests I've been
reading about, I'm still hoping for 'a pleasant surprise', as the Sun guy
says ...
Does anyone have experience to share about that kind of (mis-)use
of OpenLDAP?
Any pointers to good and recent references on the matter are of
course welcome.
Thanks in advance for any information.
LP
Lorenzo Pastrana - Happy End Vision
--------------------------
Web design
Multimedia design
Visual communication and publishing
--------------------------
Tel. : 01 42 47 83 09
Fax : 01 47 70 70 19
E-mail : lorenzo.pastrana(a)happyend.fr
14 years
authenticate a user to LDAP server using GSS-SPNEGO and Kerberos
by Deepika Srivastava
Hi
I have to authenticate a user to an LDAP server using GSS-SPNEGO with Kerberos
as the base mechanism.
I have successfully generated the TGT.
Now I want to use ldap_sasl_bind_s() function with "GSS-SPNEGO" as
mechanism.
I am not sure of the parameters to pass.
I read on
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/ap...
that in the case of Kerberos we can use the above-mentioned ticket if we have
the TGT. We just need to pass 'cred' and 'dn' as NULL and the function will
automatically take care of the rest of the mechanism under the covers.
ldap_sasl_bind_s (g_hLDAP,"", "GSS-SPNEGO" ,NULL,NULL,NULL, &servercredp )
This is how I am calling the function, but it is throwing LDAP_PARAM_ERROR.
I am not sure of the reason. Can anyone help me on the reason?
Also I wanted to know whether we need any configuration at the LDAP
server end to enable Kerberos authentication.
Also, do I need to call krb5_mk_req() before calling ldap_sasl_bind_s(), or
can I call ldap_sasl_bind_s() directly?
Can anyone help me with the API flow for achieving complete authentication
after obtaining the Kerberos ticket?
Any thoughts?
14 years
Database is getting corrupted
by Jason Voorhees
Hi all:
I'm running OpenLDAP 2.3.27 on CentOS 5.2 to build from scratch an
LDAP tree based on the Phamm sample LDIF files.
I have this database definition in slapd.conf:
database bdb
suffix "dc=redtube,dc=com"
rootdn "cn=manager,dc=redtube,dc=com"
rootpw {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
directory /var/lib/ldap
mode 660
index objectClass eq
index cn,mail eq,subinitial
index vd,delete eq,pres
index accountActive,forwardActive eq,pres
index smtpAuth eq,pres
index sn,uid,displayName pres,eq,sub
index uidNumber,gidNumber eq
index default sub
I always do the following:
1. # rm /var/lib/ldap/*
(to be sure i'm starting from scratch)
2. # slapadd -b dc=redtube,dc=com redtube.ldif
After step (2) I can see that /var/lib/ldap/alock has rw-r--r-- and all
the other files have -w----r-T as permissions and are owned by root.root.
Is that correct?
Well, as far as I know they should be owned by the ldap user and ldap group
with 0660 permissions assigned (based on the "mode" directive in slapd.conf).
So I do the following:
3. # chown ldap.ldap /var/lib/ldap/*
# chmod 660 /var/lib/ldap/*
(/var/lib/ldap directory is 0700 and owned by ldap.ldap already)
4. I check for possible errors and then start OpenLDAP:
# slapd -Tt
# service ldap start
5. OpenLDAP starts correctly and works perfectly. I can even make
modifications to the LDAP tree, adding entries based on attributes like
vd, cn, mail, among others.
I'm aware that no uid.bdb has been created yet in /var/lib/ldap, so I
guess that's OK.
My problem comes when I try to perform some operation that causes
OpenLDAP to create an index file in /var/lib/ldap.
For example, when I try to log in with the rootdn through phpldapadmin I get
something like this in the logs:
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:38395 (IP=0.0.0.0:389)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 BIND dn="" method=128
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 RESULT tag=97 err=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH base="dc=redtube,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=redtube,dc=com)"
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH attr=dn
Dec 30 11:31:22 ha1 slapd[1889]: bdb(dc=redtube,dc=com): /var/lib/ldap/uid.bdb: Permission denied
Dec 30 11:31:22 ha1 slapd[1889]: bdb_db_cache: db_open(uid) failed: Permission denied (13)
Dec 30 11:31:22 ha1 slapd[1889]: <= bdb_equality_candidates: (uid) index_param failed (13)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=2 UNBIND
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 closed
I don't know why phpldapadmin performs a search based on a filter like
"(uid=cn=manager,dc=redtube,dc=com)" but well, it doesn't matter to me.
Then I stop and start OpenLDAP and I start getting this:
# /etc/init.d/ldap stop
Stopping slapd: [ OK ]
# /etc/init.d/ldap start
Checking configuration files for slapd: bdb_db_open: unclean shutdown
detected; attempting recovery.
bdb_db_open: Warning - No DB_CONFIG file found in directory
/var/lib/ldap: (2)
Expect poor performance for suffix dc=mailtest,dc=com.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if
errors are encountered.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
The question is: why can't OpenLDAP create /var/lib/ldap/uid.bdb? Why is
it getting permission denied messages? The whole directory /var/lib/ldap is
owned by the ldap user with 660 permissions.
Can anybody help me? Thanks
14 years, 1 month
LDAP - Samba
by Terry Haley
Ok, I'm trying to wrangle this under control with this setup I've
inherited and have run across a few speed bumps. Here's the state of
things as is.
I've made a few changes to the setup thinking that I'd fixed an issue
or two and have in fact only confused myself and possibly my
configuration. The downside is that I don't know a few key passwords
that were used in the original setup (yay, no overlap with my
predecessor).
I have a Samba server acting as my PDC with an LDAP server used for
authentication. Question #1: the password contained within the LDAP
directory for my 'admin' account should equal the 'rootpw' entry in
slapd.conf, correct?
Question #2: the 'ldap admin dn' entry in my smb.conf file should
equal the 'rootdn' entry in my slapd.conf file, after which this
should be updated in Samba using smbpasswd -w, correct?
Question #3: the 'admin users' entry within smb.conf lists the users
that are allowed access to the domain, correct?
Currently, what I'm working with here is that I don't know the 'admin',
'samba' or 'samba-admin' passwords. The samba-admin account is just
an LDAP admin account but not the root account. This should be fixed
per question 2 above, yes? I would like to change all of these
passwords but am fearful that I could make things worse.
Also, regarding the components on my network (machines specifically),
will there be an issue if I change the 'samba' account (domain
account) password with their ability to connect to the domain?
Thank you in advance for any help and advice!
14 years, 1 month
Constant corruptions
by Jason Voorhees
Hi there:
I'm still having problems with my OpenLDAP 2.3.27 from CentOS 5.
I know that the index directive in slapd.conf causes the creation of .bdb
files in /var/lib/ldap, right?
If I have this in slapd.conf:
index uid,smtpAuth eq,pres
... then at some point uid.bdb and smtpAuth.bdb will be created in
/var/lib/ldap, right?
When I create my LDAP tree using slapadd and an LDIF file, several
.bdb files get created under /var/lib/ldap, but others are not, because
there are no attributes of that type in the LDIF file.
But when OpenLDAP is already running and a simple search like
"(smtpAuth=TRUE)" makes slapd try to create smtpAuth.bdb, that's
when it fails. I get this message:
slapd[11954]: bdb(dc=redtube,dc=com): /var/lib/ldap/smtpAuth.bdb:
Permission denied
slapd[11954]: bdb_db_cache: db_open(smtpAuth) failed: Permission denied (13)
Does anybody know why slapd isn't able to create new index files?
Permissions and ownership are totally correct.
Any help? :(
P.S.: I'm running OpenLDAP in a CentOS guest paravirtualized with Xen.
Could this be the problem?
14 years, 1 month
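Both of Jason's posts ("Database is getting corrupted" above and this one) come down to the same pre-start check: every file in the BDB directory, and the directory itself, must belong to the account slapd runs as and carry the mode named by the `mode` directive, otherwise an index file created lazily on first use (uid.bdb, smtpAuth.bdb) fails with "Permission denied". The audit below is an added example, not a script from either post; the directory, account and mode it is called with (/var/lib/ldap, ldap:ldap, 660) are taken from his slapd.conf and are assumptions about his system.

```shell
#!/bin/sh
# Added example (not from the list posts): audit a slapd BDB directory before
# starting slapd. Reports the directory if it is not owned by the slapd account
# (it must be, or slapd cannot create new index files in it) and every regular
# file whose owner, group or mode differs from what slapd.conf's "mode" implies.
# Usage: audit_ldap_dir <directory> <user> <group> <octal mode>
# Prints one "ls -ld" line per offender and returns 1 if any were found.
audit_ldap_dir() {
    dir=$1; user=$2; group=$3; mode=$4
    # A plain octal argument to -perm matches the exact mode, so a file left
    # as 644 or as the odd 0203 ("-w----r-T" in the post) shows up against 660.
    offenders=$(
        find "$dir" -maxdepth 0 ! -user "$user" -exec ls -ld {} \;
        find "$dir" -mindepth 1 -maxdepth 1 -type f \
            \( ! -user "$user" -o ! -group "$group" -o ! -perm "$mode" \) \
            -exec ls -ld {} \;
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Number of offending entries, convenient for scripting the check
# (for example: [ "$(count_offenders /var/lib/ldap ldap ldap 660)" = 0 ]).
count_offenders() {
    audit_ldap_dir "$1" "$2" "$3" "$4" | wc -l | tr -d ' '
}
```

Run `audit_ldap_dir /var/lib/ldap ldap ldap 660` after slapadd and before `service ldap start`; an empty report means the chown/chmod step did what it should. Two further points worth checking: load the data as the slapd account in the first place (for example `su -s /bin/sh ldap -c 'slapadd -l redtube.ldif'`) so that no BDB file is ever created as root, and remember that on CentOS with SELinux enforcing a file can pass this audit and still be denied, which `ls -Z /var/lib/ldap` and /var/log/audit/audit.log will show.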
Re: Re: TLS config causes Object class violation
by forumuser@online.de
Thanks!!! That's it!
Like you said, I changed my TLSconfiguration.ldif file to point to "dn: cn=config" and it worked.
I had already seen the olcTLS* attributes in olcGlobal; however, I am new to the LDAP back-end database configuration and had only used slapd.conf before. Thank you very much for the solution!
I wish you a happy new year
Belem
----- Original Message -----
From: Pierangelo Masarati
Sent: 28.12.08 21:35
To: forumuser(a)online.de
Subject: Re: TLS config causes Object class violation
olcTLSCACertificateFile belongs to olcGlobal, while you're trying to add
it to a database object. Add it to cn=config instead.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
14 years, 1 month
TLS config causes Object class violation
by forumuser@online.de
Recently I upgraded my Ubuntu Server 8.04 to 8.10 and had to reconfigure OpenLDAP (installed by apt-get) through the slapd back-end database configuration (I used slapd.conf before). I have reconfigured OpenLDAP with "sudo dpkg-reconfigure slapd" and confirmed all prior settings; however, the old database was moved to /var/backup/ and a fresh one was generated (please see the config tree at the end).
The problem is, I get the following error message:
ldap_modify: Object class violation (65)
additional info: attribute 'olcTLSCACertificateFile' not allowed
(also for olcTLSCertificateFile, if I leave out olcTLSCACertificateFile... olcTLS* seems "not allowed")
when I try to configure TLS with ldapmodify:
ldapmodify -D cn=admin,cn=config -W -x
by entering this:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servercert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem
The config tree is as follows (I will change "mydomain" and ACL later):
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=admin,dc=mydomain,dc=org" write by anonymous
auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=org"
write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
Here's my "sudo apt-cache show slapd" package information:
Package: slapd
Priority: optional
Section: net
Installed-Size: 3872
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss(a)lists.ubuntu.com>
Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org>
Architecture: i386
Source: openldap
Version: 2.4.11-0ubuntu6
Replaces: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-utils (<< 2.2.23-3), libldap2
Provides: ldap-server, libslapi-2.4-2
Depends: libc6 (>= 2.4), libdb4.2, libgcrypt11 (>= 1.4.0), libgnutls26 (>= 2.4.0-0), libldap-2.4-2 (= 2.4.11-0ubuntu6), libltdl7 (>= 2.2.4), libperl5.10 (>= 5.10.0), libsasl2-2, libslp1, libtasn1-3 (>= 0.3.4), libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11-1), zlib1g (>= 1:1.1.4), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser
Pre-Depends: debconf (>= 0.5) | debconf-2.0
Recommends: libsasl2-modules, apparmor (>= 2.1+1075-0ubuntu6)
Suggests: ldap-utils
Conflicts: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
Filename: pool/main/o/openldap/slapd_2.4.11-0ubuntu6_i386.deb
Size: 1466528
MD5sum: 41047db9f250c0e73e2e3c43c5d90f5a
SHA1: 4c23c98d55851fef7ec4ff5e4fa8d7cd1c885da9
SHA256: 107e5df3dea5a0571a2f99df1d7c919247a4223a991a99e8393b0915e39f1fc9
Description-de: OpenLDAP-Server (slapd)
This is the OpenLDAP (Lightweight Directory Access Protocol) server (slapd). The server can be used to provide a standalone directory service.
Homepage: http://www.openldap.org/
Bugs: mailto:ubuntu-users@lists.ubuntu.com
Origin: Ubuntu
(libgnutls26 is of version: 2.4.1-1build1)
Can someone help me with this "Object class violation (65)" problem concerning TLS?
Belem
14 years, 1 month
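The same change written against the global entry, which is the fix Pierangelo Masarati gives in the reply above: the olcTLS* attributes belong to the olcGlobal object class, so the modification has to target cn=config rather than the hdb database entry. This LDIF is an added illustration, not text from either message; it reuses the certificate paths from the post.

```ldif
# Added example: olcTLSCACertificateFile, olcTLSCertificateFile and
# olcTLSCertificateKeyFile are olcGlobal attributes, so the target DN is
# cn=config, not olcDatabase={1}hdb,cn=config. Paths are the ones from the post.
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servercert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem
```

Apply it with the command already used in the post (`ldapmodify -D cn=admin,cn=config -W -x -f tls.ldif`) and confirm with a base-scope search on cn=config for the three attributes. One practical caveat: slapd must be able to read the private key under the account it runs as (openldap on Ubuntu), and on a default Ubuntu install /etc/ssl/private is only accessible to the ssl-cert group, so either add that account to the group or keep the key in a directory it owns with restrictive permissions.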
Named pipe to local ldap slave fails when master is down.
by Jan Hugo Prins
Hi
I saw a strange thing yesterday.
The server that runs my master LDAP went down due to some software
glitch.
All my MDAs run their own slave LDAP so they don't have to go to
the master server, but what surprised me was that the slaves didn't want to
service anything on their named pipe while the master server was down.
Why is this?
The MTAs also use the LDAP on the MDAs but they didn't have any
problem during this master LDAP outage.
The only difference between the MDAs and the MTAs is that the MTAs
connect to LDAP with TCP/IP while the MDAs connect to LDAP with a named
pipe.
I use syncrepl for replication.
My master server is running version 2.4.12 on Fedora 10.
My slave servers are running 2.3.43 on Fedora 7.
In the near future I want to make this master server a dual master setup
with a different server that I'm currently building.
But for now I have just one master.
This really breaks my whole anti SPOF setup.
Can anyone tell me what is causing this?
Greetings,
Jan Hugo Prins
14 years, 1 month