ldap_add: Server is unwilling to perform (53) error:
by vinodh kumar
hello all,
we are trying to set up an LDAP server which uses MySQL as the back-end
instead of the bdb backend. We have installed slapd and ldap-utils
on Debian etch. We have also installed mylibodbc,
mysql-client-5 and mysql-server-5. We have established the MySQL-ODBC
connectivity and tested the connectivity using
isql. We have configured the slapd.conf file to connect to MySQL, and when we
tried to add entries using ldapadd, we got the following error:
ldap_add: Server is unwilling to perform (53)
additional info: operation not permitted within namingContext
this is the slapd.conf file
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#############################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_sql
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
##############################

#########################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend sql
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database sql
suffix "dc=example,dc=org"
rootdn "cn=admin,dc=example,dc=org"
rootpw ldap
dbname ldap
dbuser new
dbpasswd new
#insentry_query "insert into ldap_entries (id,dn,oc_map_id,parent,keyval) values ((select max(id)+1 from ldap_entries),?,?,?,?)"
#upper_func "upper"
#strcast_func "text"
#concat_pattern "?||?"
#has_ldapinfo_dn_ru no
#schemacheck on

lastmod off


# The base of your directory in database #1
suffix "dc=example,dc=org"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=example,dc=org"
rootpw secret
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass eq
cn,sn,ou
# Save the time that the entry gets modified, for database #1
lastmod on

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=org" write
by anonymous auth
by self write
by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=example,dc=org" write
by * none

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=example,dc=org" write
# by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>

# The base of your directory for database #2
#suffix "dc=debian,dc=org"

--
regards
vinodh
i blog @ http://vinsvision.wordpress.com
15 years, 2 months
LDAP Writes are not propagated to mirror nodes.
by K C, Sachin (Sachin)
Hello All,
I am trying to set up Mirror Mode replication, using the
configuration files listed below for a 2-node setup. The database comes up,
and after every 2 or 3 writes the data is not pushed onto the other
mirror node. This is happening on both mirror nodes.
I am getting the following error:
slap_client_connect: URI=ldap://135.254.229.102:389
DN="uid=<UID>,o=csosso_arc" ldap_sasl_bind_s failed (-1)
slap_client_connect: URI=ldap://135.254.229.102:389
DN="uid=<UID>,o=csosso" ldap_sasl_bind_s failed (-1)
This is happening after 2 or 3 write operations to the database.
The slapd.conf on node 1 is:
=================================
database bdb
suffix "o=CSOSSO"
directory /opt/cso/ldap/db
rootdn "uid=<UID>,o=CSOSSO"
rootpw <PWD>
# cleartext passwords, especially for the rootdn, should
# be avoided. See slapd.conf(5) for details.
cachesize 10000
index cn pres,eq,sub
index sn pres,eq,sub
index givenName pres,eq,sub
index uid eq
index objectclass,entryCSN,entryUUID eq
include /opt/cso/ldap/replica/135.254.229.102-390
database bdb
suffix "o=CSOSSO_ARC"
directory /opt/cso/ldap/db_arc
rootdn "uid=<UID>,o=CSOSSO_ARC"
rootpw <PWD>
# cleartext passwords, especially for the rootdn, should
# be avoided. See slapd.conf(5) for details.
cachesize 10000
index cn pres,eq,sub
index sn pres,eq,sub
index givenName pres,eq,sub
index uid eq
index objectclass,entryCSN,entryUUID eq
include /opt/cso/ldap/replica/135.254.229.102-390-arc
=========================================
The syncrepl configuration on node 1 is:
=========================================
syncrepl rid=1
provider=ldap://135.254.229.102:389
type=refreshAndPersist
interval=00:00:01:00
retry="30 +"
searchbase="ou=people,o=csosso"
filter="(objectclass=*)"
scope=sub
attrs="*,+"
sizelimit="unlimited"
timelimit="unlimited"
schemachecking=off
bindmethod=simple
binddn="uid=<UID>,o=CSOSSO"
credentials=<PWD>
mirrormode on
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100
=======================================
The same configuration files are used on node 2, except for the port numbers and
the serverID.
Thanks
Sachin
15 years, 2 months
ldap group name resolving problem
by Christian Weihrauch
Hi,
I have problems with Debian etch Linux clients resolving group names
served by our LDAP server. User and passwd work, because I can log in
properly.
"getent group" properly shows the group served by the LDAP server,
e.g.: #getent group
mygroup:x:1000:chris
However, "id username" only shows LDAP-served group IDs but not their names,
e.g.: #id chris
uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp, e.g. "chgrp mygroup
directoryname" gives:
"chgrp: invalid group `mygroup'"
I am using nscd and nsswitch.conf says:
passwd: files ldap
group: files ldap
shadow: files ldap
Any ideas?
Thanks!
--
Christian Weihrauch,
The University of Reading
15 years, 3 months
Help with SASL/GSSAPI to remote Kerberos server
by Wes Modes
I am using SASL/GSSAPI to authenticate to Kerberos from OpenLDAP.
I haven't gotten that to work yet.
To separate and modularize some of these services, we have three
servers: A file server running Samba; A directory server running
OpenLDAP to provide personal and group identities; and an authentication
server running Kerberos (administered by another group). Samba connects
to OpenLDAP through smbldap-tools. And OpenLDAP connects to the
Kerberos server via SASL/GSSAPI.
When someone requests a Samba logon, Samba requests an LDAP bind, which
in turn should use SASL to authenticate via Kerberos.
The connection between Samba and OpenLDAP is working swell. It is the
Kerberos connection that has me flummoxed.
Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on
one server, while the Kerberos KDC will be running on another server.
I haven't found any documents that address this not-so-wacky design.
Almost all of the docs I found presume that I am setting up the KDC on
the same server as OpenLDAP. In my case, the KDC is administered by
another group who is willing to grant me access to Kerberos. However,
none of the docs I've found offer help in setting up SASL/GSSAPI here
and the Kerberos server elsewhere.
So when a document says, run kadmin.local to generate a principal,
that is not available to me. If I can ask specifically for what I want,
I might be able to convince the Kerberos administrators to do it for me,
but I have to be pretty specific about what I want.
The docs I'm referring to are
Cyrus SASL for System Administrators
http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
OpenLDAP 2.2 Administrator's Guide - Using SASL
http://www.openldap.org/doc/admin22/guide.html#Using%20SASL
In several documents, it was suggested that before you try connecting
OpenLDAP to Kerberos that you test to make sure your Kerberos
configuration is working. That makes a lot of sense to me. So I want
to perform a series of checks, but I don't know what those tests might
be. Here's what I would like to test:
* Can I connect to the Kerberos server directly? (kinit)
* Is direct authentication to the Kerberos server working?
* Am I being returned a proper ticket? (klist)
* Is the keytab file on my OpenLDAP server being recognized and
accepted by the Kerberos server?
* Is my machine being authenticated as a principal? Does it need to be?
* How do I test SASL2 before getting OpenLDAP involved?
* After making changes to my OpenLDAP config, how do I test the
Kerberos connection through OpenLDAP?
Do you have any pointers here?
This project has been delayed weeks and weeks while I climb and climb up
Samba, OpenLDAP, and Kerberos' very steep learning curve. So your
prompt response will be hugely helpful.
Thanks in advance,
Wes
Specifics of my configuration:
* OS: Red Hat Enterprise 4 v2.6.9
* OpenLDAP v2.2.13
* Local MIT Kerberos5 v1.3.4
* KDC: MIT Kerberos5 v?
* Cyrus SASL v2.1.19
--
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
15 years, 3 months
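The checks Wes lists above, scripted as one sequence. This is an added example, not part of the original post; it assumes MIT Kerberos client tools (kinit, klist, kvno) and the OpenLDAP client tools on the LDAP host, that the KDC administrators have created the service principal ldap/<fqdn>@<REALM> and exported it into the host's keytab, and uses placeholder host, realm and user names that are overridden through the environment.

```shell
#!/bin/sh
# Added example: the test sequence for an OpenLDAP host using SASL/GSSAPI
# against a KDC run by another group. Host, realm and principal names are
# placeholders; override them in the environment.
set -eu

LDAP_HOST=${LDAP_HOST:-ldap.example.org}   # FQDN of the OpenLDAP server (placeholder)
REALM=${REALM:-EXAMPLE.ORG}                # Kerberos realm (placeholder)
KEYTAB=${KEYTAB:-/etc/krb5.keytab}         # keytab the KDC admins handed over
USER_PRINC=${USER_PRINC:-wes@EXAMPLE.ORG}  # a user principal for client-side tests

# GSSAPI service principal an LDAP server must hold: ldap/<fqdn>@<REALM>.
# This is the exact string to ask the KDC administrators to create.
ldap_service_principal() { printf 'ldap/%s@%s\n' "$1" "$2"; }

# Read a `klist -k` listing on stdin; succeed only if the principal is present.
# klist -k prints one "KVNO Principal" line per key after a short header.
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

step() { printf '\n== %s ==\n' "$1"; }

run_checks() {
    svc=$(ldap_service_principal "$LDAP_HOST" "$REALM")

    step "1. Reach the KDC and authenticate directly as a user (kinit)"
    kinit "$USER_PRINC"

    step "2. A proper ticket-granting ticket came back (klist)"
    klist

    step "3. The keytab on this host contains the LDAP service key (klist -k)"
    klist -k "$KEYTAB" | keytab_has_principal "$svc"

    step "4. The KDC accepts that keytab: get a TGT with it, no password asked"
    KRB5CCNAME=FILE:/tmp/krb5cc_svccheck.$$ kinit -k -t "$KEYTAB" "$svc"
    rm -f "/tmp/krb5cc_svccheck.$$"

    step "5. The user TGT from step 1 can fetch a service ticket for LDAP (kvno)"
    kvno "$svc"

    step "6. SASL/GSSAPI through slapd itself: bind and report the authz DN"
    ldapwhoami -Y GSSAPI -H "ldap://$LDAP_HOST"
}

# Live checks only when explicitly requested, so this file can also be sourced.
if [ "${RUN_KRB_CHECKS:-}" = 1 ]; then run_checks; fi
```

Run with RUN_KRB_CHECKS=1 on the OpenLDAP host; the first step that fails tells you which of the six questions above is still unanswered.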
Missing Syntax
by Nik Svoboda
I have noticed that in the openldap system I am using, the schema has
a missing syntax. This syntax is "1.3.6.1.4.1.1466.115.121.1.58" ;
"Substring Assertion". This is referenced in matching types using
partial matching of strings (exactsubstringsmatch,
numericStringSubstringsMatch, ...). I am fairly new to these subjects
and do not understand fully how they operate.
Is there a way to correct this? Are the syntaxes and matching types
specified in a way that can be modified dynamically?
-Nikkos
15 years, 3 months
ldapsearch hangs Intermittently
by Kumar, Manish
I am encountering an issue where ldapsearch periodically "hangs". One out
of 100 times it works fine, but sometimes it hangs. My ldapsearch version
is ldapsearch 2.2.13 (Aug 18 2005 22:24:20). When I run it in debug mode
it waits in the ldap_int_select() function.
The end of the trace is:
ldap_chkResponseList for msgid=-1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid -1, all 1
ber_get_next
ber_get_next: tag 0x30 len 305 contents:
ldap_read: message type search-entry msgid 2, original id 2
adding response id 2 type 100:
wait4msg continue, msgid -1, all 1
** Connections:
* host: 209.236.241.6 port: 20001 (default)
refcnt: 2 status: Connected
last used: Thu Feb 28 15:11:52 2008
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
* msgid 2, type 100
chained responses:
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
* msgid 2, type 100
ldap_chkResponseList for msgid=-1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
Please help me regarding this issue.
Regards
Manish
15 years, 3 months
RWM overlay bind operation
by Rui Ramos
Hello *,
I'm having some trouble with the rwm overlay; maybe someone can shed
some light on the subject.
We have a non-standard schema which in turn has an attribute pass1 that
we want to use for the LDAP BIND operation.
From what I've seen, the BIND operation is hardcoded to use the userPassword
attribute (please correct me if I'm wrong).
So what we did was the following:
we have server A with pass2 filled, running on port 7001,
and server B with the following config
...
database ldap
suffix "dc=example,dc=org"
uri "ldap://localhost:7001"
overlay rwm
rwm-map attribute userPassword pass2
...
With this configuration the attribute userPassword gets filled with the
content of pass2.
But if we try to bind to server B with that user password, it
fails because it tries to make the bind in ldap://localhost:7001.
Is there a way to make the bind operation use the changed data?
Best Regards, Rui Ramos
--
Rui Ramos
==============================================
Universidade do Porto - IRICUP
Praça Gomes Teixeira, 4099-002 Porto, Portugal
email: rramos[at]reit.up.pt
phone: +351 22 040 8164
==============================================
15 years, 3 months
ldapsearch returns Could not create LDAP session handle (3): Time limit exceeded
by Brooks Campbell
We upgraded some client servers from RedHat ES3U4 to Redhat ES4U2, and now
the ldapsearch string we used in our monitoring software to check if the
customer's OpenLDAP server is working is returning errors.
We were using:
ldapsearch -x -H ladps://host.domain.com:636
which worked fine with the openldap-client on Red Hat 3 (I do not know the
version number), but on Red Hat 4 with openldap-clients 2.2.13-3 we get the error
"Could not create LDAP session handle (3): Time limit exceeded" immediately.
LDAP is working; our application authenticates users. It is just the
ldapsearch we are using to monitor the service which seems not to be
working.
Does anyone see anything wrong with the line above, or is there something
else we can use in an automated script to check if the LDAP server is
running?
Brooks Campbell
IT Manager, Waterloo CA and Hersham UK
Navtech Systems Support Inc.
295 Hagey Blvd
Suite 200
Waterloo, ON, N2L 6R5
W:519-747-1170 xt263
brooks(a)navtechinc.com
15 years, 3 months
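The posted command uses the scheme "ladps://". The probe below, an added example that is not from the post, parses an LDAP URL along the lines of RFC 4516 and rejects any scheme other than ldap, ldaps or ldapi with a plain message before calling ldapsearch, so a monitoring script fails for a reason it can name; it assumes POSIX sh and ldapsearch on PATH, and does not handle the bracketed IPv6 host form.

```shell
#!/bin/sh
# Added example: validate an LDAP URL before a monitoring probe hands it to
# ldapsearch, so a malformed URL is reported as such. Bracketed IPv6 hosts
# ("[::1]:636") are not handled here.
set -eu

# ldap_url_parse URL -> prints "scheme host port" (ldapi: "ldapi <socket> -"),
# returns 1 with a message on stderr when the URL is malformed.
ldap_url_parse() {
    url=$1
    case $url in
        *://*) ;;
        *) printf 'no scheme in "%s"\n' "$url" >&2; return 1 ;;
    esac
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}               # drop "/dn?attrs?scope?filter" if present
    case $scheme in
        ldap)  default_port=389 ;;
        ldaps) default_port=636 ;;
        ldapi) printf 'ldapi %s -\n' "$hostport"; return 0 ;;   # UNIX-domain socket
        *) printf 'unknown scheme "%s" (expected ldap, ldaps or ldapi)\n' "$scheme" >&2
           return 1 ;;
    esac
    case $hostport in
        *:*) host=${hostport%:*}; port=${hostport##*:} ;;
        *)   host=$hostport;       port=$default_port ;;
    esac
    case $port in
        ''|*[!0-9]*) printf 'bad port "%s" in "%s"\n' "$port" "$url" >&2; return 1 ;;
    esac
    [ -n "$host" ] || { printf 'empty host in "%s"\n' "$url" >&2; return 1; }
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# Monitoring probe: the same anonymous simple-bind search the post used,
# narrowed to the root DSE with a 5 second search time limit. Exit 2 on a
# bad URL, ldapsearch's own status otherwise.
ldap_probe() {
    ldap_url_parse "$1" >/dev/null || return 2
    ldapsearch -x -H "$1" -s base -b '' -l 5 '(objectClass=*)' namingContexts >/dev/null
}

if [ $# -gt 0 ]; then ldap_probe "$1"; fi
```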
integrating LDAP onto EPrints and Dspace
by divya shree
Hi
I am doing a project where I have to integrate LDAP onto EPrints and DSpace, for providing single user authentication to the users of EPrints and DSpace.
For this I am trying to install the OpenLDAP 2.4.7 software. I would like to know if I am on the right track, and also would like to know the difference between OpenLDAP and LDAP, if there is any.
Thanks and Regards
Divya
15 years, 3 months
OpenLDAP question
by Keith Conger
Hi,
I was wondering if the following is possible with OpenLDAP:
I'd like to have an OpenLDAP server or two (load balanced) with an
extended custom schema that will proxy certain attributes back to a
non-OpenLDAP LDAP server.
Reading through the list archives it seems like it may be possible but
does anyone know for sure from experience?
Keith
--
Keith Conger
Server Systems Administrator
Onondaga Community College
4585 West Seneca Turnpike
Syracuse, N.Y. 13215-4585
Email/JID: congerk(a)sunyocc.edu
http://www.sunyocc.edu/~congerk/
15 years, 3 months