openldap-technical December 2008

openldap-technical@openldap.org

58 participants
71 discussions

Cache/Proxy/Replicating a distant, slow LDAP server
by Morten Mikkelsen 18 Feb '09

18 Feb '09

Hi. I work at a rather large company that has a rather slow LDAP server that impacts the performance on a wiki-server, I am using. I am playing with the idea of setting up a cache or replication of the company LDAP server locally to reduce time spent performing ldap lookups, but as I am quite new to the world of LDAP and openldap, I have a hard time getting the set-up right. I would like to set up a server that does not impose any requirements on the existing (slow) server at all. I only need a read-only server - updates are made on the slow 'master' - and only a few percent of the records are interesting to our wiki. Having looked at caching and proxying, I ended up at setting my mind on replication. As the master is out-of-bounds except for ldap queries (no slurping-logs), the syncrepl-option seems to be the way to go. I just can't get my head around the configuration. The master LDAP has the following structure (as I see it) o=company.com -> ou=commondirectory -> c=xx Under commondirectory, all countries (such as 'dk', 'us' and a whole bunch of others) are represented with the employees residing in them listed below. o=company.com -> ou=companygroups -> ou=groupmembers contain groups that are used for controlling access to the wiki pages. So what I need to have on my replicated server is: The groups and people in the countries 'us' and 'dk'. To start off easy, I try to replicate the c=dk at first - I've tried adding the following to /etc/ldap/slapd.conf syncrepl rid=111 provider=ldap://ldap.company.com:389 type=refreshOnly interval=00:12:00:00 searchbase="c=dk,ou=commondirectory,o=company.com" scope=one updatedn="c=dk,ou=commondirectory,o=company.com" which make the server start without errormessages, but when I query with ldapsearch -x -h 127.0.0.1 -b "c=dk,ou=commondirectory,o=company.com" '(objectClass=*)' I get no result: "result: 32 No such object" What am I doing wrong? -- /Morten

3 3

OpenLDAP as a 'generic' hierarchical data store
by Lorenzo Pastrana 09 Jan '09

09 Jan '09

Hello list, I was wondering lately if I could use OpenLDAP as a 'generic' hierarchical data store for the application I'm planning, and tried to get any hint about feasibility. I found a blog post about OpenDS (http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database), where the author states about Read/write performance parity ... That was the kind of news I just wanted to hear because I'm thinking about a persistence back-end, not just an almost static dataset, but I'm in a genuine PHP environment and Java is not an option; so I naturally tried to get some infos regarding OpenLDAP performance but found nothing recent, and the references I could find are quite discouraging on that matter ... However since 4 to 8 years have passed since the tests I've been reading, I'm still in the hope of a 'a pleasant surprise' as the sun guy sayz ... Does someone has an experience to share about that kind of (mis-)usage of OpenLDAP ? Any pointers to some good and recent reference on the matter are of course well come. Thanks in advance for any information. LP Lorenzo Pastrana - Happy End Vision -------------------------- Design web Conception multimédia Communication visuelle et édition -------------------------- Tél. : 01 42 47 83 09 Fax : 01 47 70 70 19 E-mail : lorenzo.pastrana(a)happyend.fr

5 9

authenticate a user to LDAP server using GSS-SPNEGO and Kerberos
by Deepika Srivastava 07 Jan '09

07 Jan '09

Hi I have to authenticate a user to LDAP server using GSS-SPNEGO and Kerberos as base mechanism. I have successfully generated the TGT. Now I want to use ldap_sasl_bind_s() function with "GSS-SPNEGO" as mechanism. I am not sure of the parameters to pass. I read on http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/apis… in case of Kerberos,we can use the above mentioned ticket if we have the TGT.Just we need to pass 'cred' and 'dn' as NULL and the functional will automatically take care of the rest of the mechanism under covers. ldap_sasl_bind_s (g_hLDAP,"", "GSS-SPNEGO" ,NULL,NULL,NULL, &servercredp ) This is how I am calling the function but is throwing LDAP_PARAM_ERROR. I am not sure of the reason. Can anyone help me on the reason? Also i wanted to know that do we need to any configurations at the LDAP server end to do enable kerberos authentication. Also do i need to call krb5_mk_req() before calling ldap_sasl_bind_s() or can i directly call ldap_sasl_bind_s()? Can anyone help me on the flow of API for achieving complete authentication after achieving the kerberos ticket. . Any thoughts?

2 1

Database is getting corrupted
by Jason Voorhees 05 Jan '09

05 Jan '09

Hi all: I'm running OpenLDAP 2.3.27 from CentOS 5.2 to build from scratch an LDAP tree based on Phamm sample LDIF files. I have these database definition in slapd.conf: database bdb suffix "dc=redtube,dc=com" rootdn "cn=manager,dc=redtube,dc=com" rootpw {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24 directory /var/lib/ldap mode 660 index objectClass eq index cn,mail eq,subinitial index vd,delete eq,pres index accountActive,forwardActive eq,pres index smtpAuth eq,pres index sn,uid,displayName pres,eq,sub index uidNumber,gidNumber eq index default sub I always do the following: 1. # rm /var/lib/ldap/* (to be sure i'm starting from scratch) 2. # slapadd -b dc=redtube,dc=com redtube.ldif After step (2) I can see that /var/lib/ldap/alock has rw-r--r-- and all the other files have -w----r-T as permissions and are owned by root.root . Is that correct? Well, as far as I know they should be owned by ldap user and ldap group with 0660 permissions asigned (based on "mode" directive in slapd.conf). So I do the following: 3. # chown ldap.ldap /var/lib/ldap/* # chmod 660 /var/lib/ldap/* (/var/lib/ldap directory is 0700 and owned by ldap.ldap already) 4. I check against posible errors and then start OpenLDAP: # slapd -Tt # service ldap start 5. OpenLDAP starts correctly, it works perfectly. I can even do modificatons to the LDAP tree adding entries based on attributes like vd, cn, mail, among others. I'm aware that there are no uid.bdb created yet in /var/lib/ldap, so I guess that's ok. My problem comes when I try to perform some operation that causes OpenLDAP to create an index file in /var/lib/ldap. In example, when I try to log in with rootdn trough phpldapadmin I get something like this in logs: Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:38395 (IP=0.0.0.0:389) Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 BIND dn="" method=128 Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 RESULT tag=97 err=0 text= Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH base="dc=redtube,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=redtube,dc=com)" Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH attr=dn Dec 30 11:31:22 ha1 slapd[1889]: bdb(dc=redtube,dc=com): /var/lib/ldap/uid.bdb: Permission denied Dec 30 11:31:22 ha1 slapd[1889]: bdb_db_cache: db_open(uid) failed: Permission denied (13) Dec 30 11:31:22 ha1 slapd[1889]: <= bdb_equality_candidates: (uid) index_param failed (13) Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=2 UNBIND Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 closed I don't know why phpldapadmin performs a search based on a filter like "(uid=cn=manager,dc=redtube,dc=com)" but well, it doesn't matter to me. Then I stop and start OpenLDAP and I start getting this: # /etc/init.d/ldap stop Stopping slapd: [ OK ] # /etc/init.d/ldap start Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery. bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2) Expect poor performance for suffix dc=mailtest,dc=com. bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered. config file testing succeeded [ OK ] Starting slapd: [ OK ] Question is: Why can't OpenLDAP create /var/lib/ldap/uid.bdb? Why is getting permission denied messages? The hole directory /var/lib/ldap is owned by ldap user with 660 permissions. Can anybody help me? Thanks

3 6

LDAP - Samba
by Terry Haley 30 Dec '08

30 Dec '08

Ok, I'm trying to wrangle this under control with this setup I've inherited and have run across a few speed bumps. Here's the state of things as is. I've made a few changes to the setup thinking that I've fixed an issue or two and have in fact only confused myself and possibly my configuration. The downside is that I don't know a few key passwords that was used in the original setup. (yay no overlap with my predecessor). I have a samba server acting as my PDC with an LDAP server used for authentication. Question #1: the password contained within the LDAP directory for my 'admin' account should = the 'rootpw' entry in slapd.conf correct? Question #2: the 'ldap admin dn' entry in my smb.conf file should equal the 'rootdn' entry in my slapd.conf file, afterwhich, this should be updated to samba using smbpasswd -w correct? Question #3: the 'admin users' entry within the smb.conf are the users that allow access to the domain correct? Currently, what I'm working with here is that I don't know the 'admin, samba or the samba-admin' passwords. The samba-admin account is just an LDAP admin account but Not the root account. This should be fixed to the above question 2 yes? I would like to change all of these passwords but am fearful that I could make things worse. Also, regarding the components on my network (machines specifically), will there be an issue if I change the 'samba' account (domain account) password with their ability to connect to the domain? Thank you in advance for any help and advice! The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.

4 3

Constant corruptions
by Jason Voorhees 30 Dec '08

30 Dec '08

Hi there: I'm still having problems with my OpenLDAP 2.3.27 from CentOS 5. I know that index directive in slapd.conf causes the creation of .bdb files in /var/lib/ldap, right? If I have this in slapd.conf: index uid,smtpAuth eq,pres ... so in some moment uid.bdb and smtpAuth.bdb will be created in /var/lib/ldap, right? When I create my ldap tree using slapadd and an LDIF file then several .bdb files get created under /var/lib/ldap, but some other no because of there are no attributes of that type in LDIF file. But when OpenLDAP is already running thanks to a simple search like "(smtpAuth=TRUE)" then slapd tries to create smtpAuth.bdb but that's when it fails. I get this message: slapd[11954]: bdb(dc=redtube,dc=com): /var/lib/ldap/smtpAuth.bdb: Permission denied slapd[11954]: bdb_db_cache: db_open(smtpAuth) failed: Permission denied (13) Does anybody know why slapd isn't able to create new index files? Permissions and ownership are totally correct. Any help? :( P.D.: I'm running openldap in a centos paravirtualized with Xen. It could be this the problem?

1 0

Re: Re: TLS config causes Object class violation
by forumuser＠online.de 30 Dec '08

30 Dec '08

Thanks!!! That's it! Like you said, I changed my TLSconfiguration.ldif file to point to "dn: cn=config" and it worked. I've once already seen the olcTLS* in the olcGlobal, however, I am new to LDAP backend database configuration, only used slapd.conf before. Thank you very much for the solution! I wish you a happy new year Belem ----- Ursprüngliche Nachricht ----- Von: Pierangelo Masarati Gesendet: 28.12.08 21:35 Uhr An: forumuser(a)online.de Betreff: Re: TLS config causes Object class violation olcTLSCACertificateFile belongs to olcGlobal, while you're trying to add it to a database object. Add it to cn=config instead. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

TLS config causes Object class violation
by forumuser＠online.de 28 Dec '08

28 Dec '08

Recently I upgraded my Ubuntu Server 8.04 to 8.10 and had to reconfigure OpenLDAP (installed by apt-get) through slapd backend database (I used slapd.config before). I have reconfigured OpenLDAP by "sudo dpkg-reconfigure slapd" and confirmed all prior settings, however the old database was moved to /var/backup/ and a fresh one was generated (please see config tree at the end). The problem is, I get following error message..: ldap_modify: Object class violation (65) additional info: attribute 'olcTLSCACertificateFile' not allowed (even olcTLSCertificateFile, if I leave out olcTLSCACertificateFile... olcTLS* seems "not allowed") ..when I try to configure TLS by ldapmodify: ldapmodify -D cn=admin,cn=config -W -x by entering this: dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/servercert.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem The config tree is as follows (I will change "mydomain" and ACL later): dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=mydomain,dc=org olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=mydomain,dc=org" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=org" write by * read olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq Here's my "sudo apt-cache show slapd" packet information: Package: slapd Priority: optional Section: net Installed-Size: 3872 Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss(a)lists.ubuntu.com> Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> Architecture: i386 Source: openldap Version: 2.4.11-0ubuntu6 Replaces: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-utils (<< 2.2.23-3), libldap2 Provides: ldap-server, libslapi-2.4-2 Depends: libc6 (>= 2.4), libdb4.2, libgcrypt11 (>= 1.4.0), libgnutls26 (>= 2.4.0-0), libldap-2.4-2 (= 2.4.11-0ubuntu6), libltdl7 (>= 2.2.4), libperl5.10 (>= 5.10.0), libsasl2-2, libslp1, libtasn1-3 (>= 0.3.4), libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11-1), zlib1g (>= 1:1.1.4), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser Pre-Depends: debconf (>= 0.5) | debconf-2.0 Recommends: libsasl2-modules, apparmor (>= 2.1+1075-0ubuntu6) Suggests: ldap-utils Conflicts: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd Filename: pool/main/o/openldap/slapd_2.4.11-0ubuntu6_i386.deb Size: 1466528 MD5sum: 41047db9f250c0e73e2e3c43c5d90f5a SHA1: 4c23c98d55851fef7ec4ff5e4fa8d7cd1c885da9 SHA256: 107e5df3dea5a0571a2f99df1d7c919247a4223a991a99e8393b0915e39f1fc9 Description-de: OpenLDAP-Server (slapd) This is the OpenLDAP (Lightweight Directory Access Protocol) server (slapd). The server can be used to provide a standalone directory service. Homepage: http://www.openldap.org/ Bugs: mailto:ubuntu-users@lists.ubuntu.com Origin: Ubuntu (libgnutls26 is of version: 2.4.1-1build1) Can someone help me with this "Object class violation (65)" problem concerning TLS? Belem

2 1

Named pipe to local ldap slave fails when master is down.
by Jan Hugo Prins 27 Dec '08

27 Dec '08

Hi I've got a strange thing yesterday. The server that is doing my master ldap went down due to some software glitch. Al my MDA's are running there own slave ldap so they don't have to go to the master server, but what surprised me, the slaves didn't want to service anything on there named pipe while the master server was down. Why is this? The MTA's also use the ldap on the MDA's but they didn't have any problem during this master ldap outage. The only difference between the MDA's and the MTA's is that the MTA's connect to ldap with TCP/IP while the MDA's connect to ldap with a named pipe. I use syncrepl for replication. My master server is running version 2.4.12 on Fedora 10. My slave servers are running 2.3.43 on Fedora 7. In the near future I want to make this master server a dual master setup with a different server that I'm currently building. But for now I have just one master. This really breaks my whole anti SPOF setup. Can anyone tell me what is causing this? Greetings, Jan Hugo Prins

2 1

Check out my Facebook profile
by Rakesh Yadav 25 Dec '08

25 Dec '08

Hi openldap-technical, I set up a Facebook profile where I can post my pictures, videos and events and I want to add you as a friend so you can see it. First, you need to join Facebook! Once you join, you can also create your own profile. Thanks, Rakesh To sign up for Facebook, follow the link below: http://www.facebook.com/p.php?i=682100664&k=64D665VZRWVM5CEDXA64U4&r

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2008