openldap-technical December 2008

openldap-technical@openldap.org

58 participants
71 discussions

schemacheck && valid objects check - just to note slapd behaviour
by Piotr Wadas 15 Dec '08

15 Dec '08

Hello, Using openldap 2.4.10 (x86), bdb backend. I had custom objectClass. I made it to be structuralObjectClass , and then created some object of this class in DIT. Everything works fine. Then (actually weeks later), I edited my objectClass definitionas, and made my custom objectClass to be an auxiliary class, and restarted slapd - everything was still working fine. Schema syntax is still valid, no schemacheck warnings. Then I did a slapcat dump - I realized what happened when came up, that I cannot load dump back with slapadd, because it contains objects, which, actually should generate errors. slapcat backups I did in the meantime was actually useless and I didn't note it. Now, I don't expect slapd to remove or ignore such objects, anyway while SERVING (returning), or indexing existing object of such kind, I'd expect some warning, that existing object does not conform existing schema. Or some tool to verify existing directory objects to find out about such situation - imagine if I hadn't been trying to retrieve from it for months, I wouldn't have learned it became useless :) May I please for some comments on such issue ? Regards, Piotr Wadas

2 1

Re: OpenLDAP replication
by Justin Lintz 15 Dec '08

15 Dec '08

Quanah, Looking at http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master it appears the example is with using cn=config to store the configuration. Is there an example somewhere with just using slapd.conf? - Justin Lintz On Thu, Dec 11, 2008 at 6:13 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, December 11, 2008 4:30 PM -0500 Justin Lintz > <jlintz(a)gmail.com> wrote: > >> Quanah, >> >> I'm still seeing the issue after making the change. I am able to >> however add entries to ldap02 and have them appear on ldap01, but not >> have them appear on ldap02. And adding anything to ldap01 does not >> get replicated to ldap02. Any other suggestions? >> - Justin Lintz > > Your email confuses me. I thought you were doing simple single > master/replica replication, but if you can modify on ldap02, then that means > it is not a replica. Or, it means you're writing to it via slapadd? That's > not legal. If you have a single master, writes must only occur to that > server. Otherwise, you need to set up MMR. The configs you sent before > certainly didn't indicate you were trying to do MMR. > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

Synchronizing Openldap with Windows Active Directory
by Aravind Arjunan 14 Dec '08

14 Dec '08

hi, I like to know wheather it is possible to synchronize Windows Active directory with RHEL Openldap. Some of my users are in openldap and some of them in Active Directory all i want to synchronize these users. Am trying for synchronizing the above two,but am not finding any proper link to refer. If any one knows plz help me with the link to refer. with regards aravind

6 9

Re: OpenLDAP replication
by Justin Lintz 11 Dec '08

11 Dec '08

Quanah, Thanks for your quick reply. I've made the change. I thought I had taken it from the openldap documents but clearly did not after reviewing them, I must have gotten mixed up with all the tabs I had open. Looks like its best to stick to the official documents (and this mailing list) rather than the how-tos out there - Justin Lintz On Tue, Dec 9, 2008 at 9:21 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, December 09, 2008 6:05 PM -0800 Quanah Gibson-Mount > <quanah(a)zimbra.com> wrote: > >> --On Tuesday, December 09, 2008 4:45 PM -0500 Justin Lintz >> <jlintz(a)gmail.com> wrote: >> >>> Hi, >>> >>> I am currently working on trying to configure replication between 2 >>> ldap servers. Here is my current setup.... >>> >>> >>> slapd.conf on ldap02 is": >>> >>> directory /var/lib/ldap2.4 >>> checkpoint 256 5 >>> index objectClass eq >>> index cn,mail,surname,givenname >>> eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember >>> eq index uid >>> eq,subinitial index sambaSID,sambaDomainName,displayName >>> eq referral ldaps://ldap01/ >>> syncrepl rid=123 >>> provider=ldaps://ldap01/ >>> type=refreshAndPersist >>> searchbase="dc=example,dc=net" >>> scope=sub >>> schemachecking=off >>> bindmethod=simple >>> binddn="cn=manager,dc=example,dc=net" >>> attrs="*" >>> credentials= >> >> You should specify an attrs= line unless you know what you're doing. You > > s/should/should NOT/ > > :) > > --Quanah > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 2

Batch delete can't sync to other servers
by Bad Guy 11 Dec '08

11 Dec '08

Dear all, I have 4 LDAP servers running 2.4.11 and configured as 4 way masters. The sync type is refreshOnly and the interval is 30 sec. I create a LDIF file and contains about 500 entries in it. Then, I use ldapdelete -x -W -D "cn=Manager" -f delete.ldif to delete the 500 entries in server 1. Then, I check the other 3 servers, the 500 entries still exists. Only in server 1, those entries are not here. If I delete the entries one by one, the data can be deleted in the other 3 servers. Any idea ? Thanks _________________________________________________________________ 下載 Windows Live Messenger 8.5 搶鮮版，多元溝通、盡情分享，和即時傳訊好友線上同樂！— 立即下載 http://get.live.com/zh-cht-tw/betas/messenger_betas

1 0

not able to delete schema (using back-config)
by benjamin thielsen 10 Dec '08

10 Dec '08

hi- i've been experimenting with using back-config (2.4.11 courtesy of debian), and am able to add schema, but not able to delete the schema after being added. iirc, this should be possible in recent versions? i'm confident that the schema's not in use by any entries. adding the schema is successful: >ldapadd -xWD 'cn=admin,cn=config' -f java_schema.ldif Enter LDAP Password: adding new entry "cn={13}java,cn=schema,cn=config" ldapsearch confirms this: >ldapsearch -xWLLLb 'cn=schema,cn=config' -D 'cn=admin,cn=config' "(cn=*java*)" dn Enter LDAP Password: dn: cn={13}java,cn=schema,cn=config ldapdelete says: >ldapdelete -vxWD 'cn=admin,cn=config' 'cn={13}java,cn=schema,cn=config' ldap_initialize( <DEFAULT> ) Enter LDAP Password: deleting entry "cn={13}java,cn=schema,cn=config" ldap_delete: Server is unwilling to perform (53) i'm not seasoned at interpreting slapd debug output, but nothing specifically jumps out at me when running with -d -1: >>> dnPrettyNormal: <cn=admin,cn=config> => ldap_bv2dn(cn=admin,cn=config,0) <= ldap_bv2dn(cn=admin,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=admin,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=admin,cn=config)=0 <<< dnPrettyNormal: <cn=admin,cn=config>, <cn=admin,cn=config> conn=1 op=0 BIND dn="cn=admin,cn=config" method=128 do_bind: version=3 dn="cn=admin,cn=config" method=128 conn=1 op=0 BIND dn="cn=admin,cn=config" mech=SIMPLE ssf=0 do_bind: v3 bind: "cn=admin,cn=config" to "cn=admin,cn=config" send_ldap_result: conn=1 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 ber_flush2: 14 bytes to sd 13 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ conn=1 op=0 RESULT tag=97 err=0 text= daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 13r daemon: read active on 13 daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL connection_get(13) connection_get(13): got connid=1 connection_read(13): checking for input on id=1 ber_get_next ldap_read: want=8, got=8 0000: 30 24 02 01 02 4a 1f 63 0$...J.c ldap_read: want=30, got=30 0000: 6e 3d 7b 31 33 7d 6a 61 76 61 2c 63 6e 3d 73 63 n={13}java,cn=sc 0010: 68 65 6d 61 2c 63 6e 3d 63 6f 6e 66 69 67 hema,cn=config ber_get_next: tag 0x30 len 36 contents: ber_dump: buf=0x8578290 ptr=0x8578290 end=0x85782b4 len=36 0000: 02 01 02 4a 1f 63 6e 3d 7b 31 33 7d 6a 61 76 61 ...J.cn={13}java 0010: 2c 63 6e 3d 73 63 68 65 6d 61 2c 63 6e 3d 63 6f ,cn=schema,cn=co 0020: 6e 66 69 67 nfig ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=1 op=1 do_delete ber_scanf fmt (m) ber: ber_dump: buf=0x8578290 ptr=0x8578293 end=0x85782b4 len=33 0000: 4a 1f 63 6e 3d 7b 31 33 7d 6a 61 76 61 2c 63 6e J.cn={13}java,cn 0010: 3d 73 63 68 65 6d 61 2c 63 6e 3d 63 6f 6e 66 69 =schema,cn=confi 0020: 67 g >>> dnPrettyNormal: <cn={13}java,cn=schema,cn=config> => ldap_bv2dn(cn={13}java,cn=schema,cn=config,0) <= ldap_bv2dn(cn={13}java,cn=schema,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn={13}java,cn=schema,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn={13}java,cn=schema,cn=config)=0 <<< dnPrettyNormal: <cn={13}java,cn=schema,cn=config>, <cn={13}java,cn=schema,cn=config> conn=1 op=1 DEL dn="cn={13}java,cn=schema,cn=config" send_ldap_result: conn=1 op=1 p=3 send_ldap_result: err=53 matched="" text="" send_ldap_response: msgid=2 tag=107 err=53 ber_flush2: 14 bytes to sd 13 0000: 30 0c 02 01 02 6b 07 0a 01 35 04 00 04 00 0....k... 5.... ldap_write: want=14, written=14 0000: 30 0c 02 01 02 6b 07 0a 01 35 04 00 04 00 0....k... 5.... conn=1 op=1 RESULT tag=107 err=53 text= daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 13r daemon: read active on 13 daemon: epoll: listen=7 active_threads=0 tvp=NULL connection_get(13) connection_get(13): got connid=1 connection_read(13): checking for input on id=1 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 03 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0x85e1d60 ptr=0x85e1d60 end=0x85e1d65 len=5 0000: 02 01 03 42 00 ...B. ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 13 failed errno=0 (Success) connection_read(13): input error=-2 id=1, closing. connection_closing: readying conn=1 sd=13 for close connection_close: deferring conn=1 sd=13 conn=1 op=2 do_unbind conn=1 op=2 UNBIND connection_resched: attempting closing conn=1 sd=13 connection_close: conn=1 sd=13 daemon: removing 13 conn=1 fd=13 closed daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL what am i doing wrong? -ben

3 3

trouble with regex type constraint overlay
by benjamin thielsen 10 Dec '08

10 Dec '08

i'm experimenting with the constrain overlay, and have what i think is a fairly simply constraint that's giving me trouble. below are the details. i believe i've followed slapo-constraint(5) (and regex(7)) accurately, but i must be missing something. >cat montage_admin.ldif dn: uid = admin,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com changetype: modify replace: uidNumber uidNumber: 5000 >ldapmodify -vxWD 'cn=admin,dc=ltn,dc=lvc,dc=com' -f montage_admin.ldif ldap_initialize( <DEFAULT> ) Enter LDAP Password: replace uidNumber: 5000 modifying entry "uid = admin ,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com" ldap_modify: Constraint violation (19) additional info: modify breaks constraint on uidNumber >ldapsearch -vvxWLLLD 'cn=admin,dc=ltn,dc=lvc,dc=com' "(uid=admin)" ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: (uid=admin) requesting: All userApplication attributes dn: uid =admin,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=c om userPassword:: e1NTSEF9TkF5TGVabXFWTU9zT01EZVNWdHA1Mm9uUWtOalg3cXY= objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: top homeDirectory: /dev/null cn: admin uid: admin sn: admin givenName: admin gidNumber: 5001 uidNumber: 2016 >ldapsearch -vvxWLLLb 'cn=config' -D 'cn=admin,cn=config' "(objectClass=olcConstraintConfig)" ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: (objectClass=olcConstraintConfig) requesting: All userApplication attributes dn: olcOverlay={3}constraint,olcDatabase={2}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcConstraintConfig olcOverlay: {3}constraint olcConstraintAttribute: uidNumber regex ^[:digit:]*$ thanks -ben

2 3

olcMonitoring attribute
by benjamin thielsen 10 Dec '08

10 Dec '08

hi- i've recently begun using back-config and was looking for some more detail on the purpose of the olcMonitoring attribute. my googling and searching of the list archives have revealed not much beyond references in cn=schema.ldif. thanks -ben

3 2

Re: bdb encryption
by ghenry＠OpenLDAP.org 09 Dec '08

09 Dec '08

----- "Howard Chu" <hyc(a)symas.com> wrote: > ghenry(a)OpenLDAP.org wrote: > > Hi All, > > > > I'm just testing bdb encryption and it works as expected out of the > box. > > > > But I'm trying to decrypt it using the bdb tools: > > > > [ghenry@suretec openldap-data]$ > /usr/local/BerkeleyDB.4.7/bin/db_verify objectClass.bdb > > db_verify: Encrypted environment: no encryption key supplied > > Segmentation fault > > Interesting. It shouldn't segfault, perhaps you should report that as > a bug to > Oracle. Will do. If I use "cryptkey testing" all tools work. If I enter the wrong password using cryptkey is segfaults again after stating wrong pass. > > So it segfaults, but it's the same with the key: > > > > [ghenry@suretec openldap-data]$ > /usr/local/BerkeleyDB.4.7/bin/db_verify -P "testing" objectClass.bdb > > db_verify: Invalid password > > Segmentation fault > > > > testing is set in slapd.conf via "cryptfile" and has the word > "testing" in it: > > How did you create the file? If you simply created it as a plain text > file, > then it probably has a trailing NewLine as well. In which case, the > NewLine is > part of the password... Checked this and recreated vi vim and just: echo testing > cryptfile. All results in the same invalid password and segfault. Cheers. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

2 1

OpenLDAP replication
by Justin Lintz 09 Dec '08

09 Dec '08

Hi, I am currently working on trying to configure replication between 2 ldap servers. Here is my current setup.... 2 servers, ldap01 and ldap02, both running centos 5.2 x86_64 with openldap2.4 installed from http://staff.telkomsa.net/packages/rhel5/openldap/x86_64/ openldap2.4-servers-2.4.11-1.rhel5 my slapd.conf on ldap01 is: modulepath /usr/lib64/openldap2.4 moduleload syncprov.la TLSCertificateFile /etc/ssl/openldap2.4/ldap.pem TLSCertificateKeyFile /etc/ssl/openldap2.4/ldap.pem TLSCACertificateFile /etc/ssl/openldap2.4/ldap.pem loglevel 32 256 1024 database bdb suffix "dc=example,dc=net" rootdn "cn=Manager,dc=example,dc=net" rootpw directory /var/lib/ldap2.4 checkpoint 256 5 index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq index uid eq,subinitial index sambaSID,sambaDomainName,displayName eq index entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 200 slapd.conf on ldap02 is": directory /var/lib/ldap2.4 checkpoint 256 5 index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq index uid eq,subinitial index sambaSID,sambaDomainName,displayName eq referral ldaps://ldap01/ syncrepl rid=123 provider=ldaps://ldap01/ type=refreshAndPersist searchbase="dc=example,dc=net" scope=sub schemachecking=off bindmethod=simple binddn="cn=manager,dc=example,dc=net" attrs="*" credentials= This appears to work but it seems after some time the replication stops working , not seeing anything in the logs either. Also with this setup, given a situation where ldap01 died and ldap02 took over, when I brought ldap01 back online, would configuration changes need to be made to ensure any changes that were made to ldap02 were replicated back properly or am I not using the proper replication technique for this situation? I'm still a bit new to OpenLDAP so I apologize if I explained anything incorrrectly. My end goal is to have 2 ldap servers in place where in the event of a failure the secondary could take over and when the primary is restored, have it fail back over without any loss of changes. - Justin Lintz

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2008