openldap-technical February 2008

openldap-technical@openldap.org

57 participants
79 discussions

Fwd: Ldap ppolicy schema entries
by Aravind Arjunan 08 Feb '08

08 Feb '08

---------- Forwarded message ---------- From: Aravind Arjunan <aravind.arjunan(a)gmail.com> Date: 9 Feb 2008 11:19 Subject: Re: Ldap ppolicy schema entries To: Buchan Milne <bgmilne(a)staff.telkomsa.net> Am trying to confiure the ldap in master-slave It was mentioned in the document that after configuring the master and slave slapd.conf file for replication, shutdown the master slapd,so you can copy the database. I cant understand in this part,how to copy the database. where to copy?tell me how to check that my slave slapd is working? wheather by giving ldapsearch command in slave instance or by any other. am attaching the master and slave conf file for reference,please mention me if there is any mistake.

1 0

tips in ldappasswd
by Gustavo Mendes de Carvalho 08 Feb '08

08 Feb '08

Hi there, I have an OpenLDAP Server authenticating with TLSv1, but I ´foound some probelms when I have to change my ldap user´s password. I use the following command to try to change it [ming@ldap-cli ~]$ ldappasswd -AS -ZZ -H ldaps://ldap.server/ -D uid=ming,ou=org-unit,o=org,c=br Old password: Re-enter old password: New password: Re-enter new password: ldap_start_tls: Operations error (1) additional info: TLS already started [ming@ldap-cli ~]$ ldappasswd -AS -H ldaps://ldap.server/ -D uid=ming,ou=org-unit,o=org,c=br Old password: Re-enter old password: New password: Re-enter new password: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found) I store only password's hashes in my ldap database, so I need to know how to replace this hash. If I connect to my ldap server using some ldap browser, like ldapadmin, I can change my user´s password, but I need to change it using some command line, like ldappasswd. Do you have some examples about how to use ldappasswd ? I already search it in Google, but all expamples that I found tells me that to use same command that I'm already using. Thanks iin advance --- Gustavo Mendes de Carvalho email: gmcarvalho(a)gmail.com

3 5

2.3.39 vs 2.3.40 (as Re: (ITS#5354) slapd repeatedly hangs and stops reponding)
by Buchan Milne 08 Feb '08

08 Feb '08

On Friday 08 February 2008 03:35:54 quanah(a)zimbra.com wrote: > --On Thursday, February 07, 2008 8:13 PM -0500 Oren Laadan > > <orenl(a)cs.columbia.edu> wrote: > > will fix the symbols now. thanks. > > > > as for the patch, it seems unrelated as it fixes a problem during the > > start-up of the daemon; also, it's for 2.4.7, and I just downgraded > > back to 2.4.49 (which I was using originally). the decision to move > > up was because I hoped that the problem would disappear when using a > > more recent version of openldap. as it turns out, it didn't :( > > There's no such thing as 2.4.49. I assume you mean 2.3.40? Or 2.3.39? I > would use 2.3.40 over 2.3.39 Quoting Howard: "While ITS#5342 is still being investigated, I would recommend that everyone use 2.3.39 and not 2.3.40. Sorry for the trouble." ITS#5342 is still open, and while the last two followups seem to indicate that the corruption was not the fault of 2.3.40 ... I'm planning an upgrade for this weekend (from 2.3.34 for one set of servers, and from 2.3.11 for another), and thus far I'm hoping to run with 2.3.39 with most fixes in 2.3.40 (plus #5358's fix), but not the dn2id lock fix ... Maybe I should make provision for an export/import during my upgrade? Regards, Buchan

3 3

Re: Ldap ppolicy schema entries
by Ljunghammar, Darryl K 08 Feb '08

08 Feb '08

Hi Tonni, Could you give me an example of what you meant by putting a + at the end of the ldapsearch command? When I tried putting a plus at the end it didn't give me any found results so I must be doing something wrong with the syntax. I used: [root@alph bin]# ldapsearch -x -H ldaps://alph/ -D "cn=Manager,dc=dst,dc=boeing,dc=com" -W -b "ou=people,dc=dst,dc=boeing,dc=com" "(uid=darryl+)" Enter LDAP Password: xxxxxx # extended LDIF # # LDAPv3 # base <ou=people,dc=dst,dc=boeing,dc=com> with scope sub # filter: (uid=darryl+) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 But if I leave off the + I do get the user fields so I know it has data. Thanks, Darryl ________________________________________________________________________ ___________ Ljunghammar, Darryl K skrev, on 23-01-2008 21:56: I would like to view the ppolicy schema attributes for a user when I do a "ldapsearch" but they don't show up. For example, I would like to see the "pwdHistory" attribute for a user. I know it is being updated because if I enter a previously used password it tells me it can't be reused. I am using openldap 2.3.39-3 on a Redhat 5.1 system. Put a '+' at the end of your ldapsearch string and you'll see only the operational attributes, *if* your ACLs permit this. You will not see empty attributes, only those with values. Best, --Tonni -- Tony Earnshaw Email: tonni at hetnet dot nl

2 1

Openldap and last logon
by Ljunghammar, Darryl K 08 Feb '08

08 Feb '08

Hi, I there a way to record the last logon and hostname into a user's record in openldap? I am using openldap 2.3.27-8 on a Rh5.1 system. Thanks, Darryl

1 0

Trouble Installing LDAP Client On Ubuntu Linux
by Ldap Newbie 08 Feb '08

08 Feb '08

Hi, I have some trouble with the installation of the LDAP client on Ubuntu Linux. I followed the instructions as described the articles below. 1. <http://www.linux.com/feature/114074> 2. <http://mcwhirter.com.au/node/25> Although I followed the steps in the article my Ubuntu keeps running exactly as before, authenticating without using LDAP. Problem is that I don't have a clue what's happening. So any suggestions on what files to check or what commands to run to test things are appreciated. What I do know about this configuration problem is: * The LDAP server is up and running, it's usable from another application * I don't see any incoming traces when I run slapd in full debug mode and try some actions like rebooting or getent passwd from the client * The getent passwd <username> test as described in article .2 fails So likely something went wrong with the configuration of $ apt-get install libpam-ldap libnss-ldap Is there a way I can rerun the installer so that I can verify the configuration data I entered. What other things should I try ? All suggestions apprectiated. Thanks, Carl _________________________________________________________________ Who's friends with who and co-starred in what? http://www.searchgamesbox.com/celebrityseparation.shtml

3 2

openldap - missing modules - how / where to find them
by Charlie Reddington 06 Feb '08

06 Feb '08

Hi Everyone, I'm working on setting up openldap on a few of my linux servers. I was working on setting up the slapd.conf file, and I ran the slaptest against it. I was returned with this. 1t_dlopenext failed: (back_bdb) back_bdb.so: cannont open shared object file: no file or directory found. Okay, simple enough, I'm trying to use the bdb backend, so I need the module that is called in my file back_bdb.so. I did a search on the system and that is not found. I installed the openldap stuff via yum. I installed the following. openldap openldap-servers openldap-cleints openldap-devel I've reinstalled, I've searched for just the backend module itself, all coming up empty handed. Can someone point me to what I'm doing wrong to get these files? Charlie

2 1

Timeouts over LDAPS
by Martin Sandsmark 05 Feb '08

05 Feb '08

Hi! I'm having some trouble with time-outs when using ldaps with pam. If the slapd opens an incoming ssl connection, but do not respond correctly (like if the Berkley database breaks down, which unfortunately seems to happen from time to time), the ldap-pam-module will hang more or less indefinitely. This is rather unfortunate, since it makes logging in and repairing the database much more tedious. If we use just plain ldap (not using openssl), the connection times out rather quickly, and pam tries the next authentication method which works as expected, and the problem can be fixed. But unfortunately that also opens up some security risks, since we can't be sure we connect to the proper ldap server. -- Martin Sandsmark IT-Komiteen, Samfundet "Capital letters were always the best way of dealing with things you didn't have a good answer to." - Douglas Adams

3 2

LDAP Master/Slave replication
by Alain Siani 05 Feb '08

05 Feb '08

Hello, Do you think the version of ldap must be equal ? I use openldap-2.3.27-8 on server and openldap-2.2.23-5 on client. Do you think it is syncrepl compatible ? thanks, Alain I don't found the solution... do you know a french document for installation of "syncrpl" ? I tried english documentation : http://www.openldap.org/doc/admin22/syncrepl.html but no success... thanks, Alain The log : Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrepl Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: ndn: "cn=syncrepl123,dc=myDomain,dc=com" Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: oc: "(null)", at: "syncreplCookie" Feb 5 13:11:37 dev5 slapd[2523]: bdb_dn2entry("cn=syncrepl123,dc=myDomain,dc=com") Feb 5 13:11:37 dev5 slapd[2523]: => bdb_dn2id( "dc=myDomain,dc=com" ) Feb 5 13:11:37 dev5 slapd[2523]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: cannot find entry: "cn=syncrepl123,dc=myDomain,dc=com" Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrep2 thanks for you help ! Alain Hello, I use the bottom file "slapd.conf" to mirror master server. It was ok with 2.2.23-5 version of openldap. I just installed a new version of openldap : 2.3.27-8 Now the slave server start ok... but slapcat is empty !!?? Do you have an idea ? Thanks a lot, Alain slapd.conf _________ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args loglevel 256 database bdb suffix "dc=myDomain,dc=com" rootdn "cn=Manager,dc=myDomain,dc=com" rootpw {SSHA}wuapktMrH50PDG29WoffJcmvpblebsdT directory /var/lib/ldap/myDomain.com index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryUUID eq access to * by * read syncrepl rid=123 provider=ldap://10.0.0.242:389 type=refreshOnly interval=00:00:01:00 searchbase="dc=myDomain,dc=com" filter="(objectclass=*)" attrs="*" scope=sub bindmethod=simple binddn="cn=Manager,dc=myDomain,dc=com" credentials="myPassword" --- Antivirus avast! : message Entrant sain. Base de donnees virale (VPS) : 080204-0, 04/02/2008 Analyse le : 05/02/2008 19:55:34 avast! - copyright (c) 1988-2008 ALWIL Software. http://www.avast.com --- Antivirus avast! : message Sortant sain. Base de donnees virale (VPS) : 080204-0, 04/02/2008 Analyse le : 05/02/2008 20:03:01 avast! - copyright (c) 1988-2008 ALWIL Software. http://www.avast.com

2 1

LDAP Master/Slave replication
by asiani＠free.fr 05 Feb '08

05 Feb '08

I don't found the solution... do you know a french document for installation of "syncrpl" ? I tried english documentation : http://www.openldap.org/doc/admin22/syncrepl.html but no success... thanks, Alain The log : Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrepl Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: ndn: "cn=syncrepl123,dc=myDomain,dc=com" Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: oc: "(null)", at: "syncreplCookie" Feb 5 13:11:37 dev5 slapd[2523]: bdb_dn2entry("cn=syncrepl123,dc=myDomain,dc=com") Feb 5 13:11:37 dev5 slapd[2523]: => bdb_dn2id( "dc=myDomain,dc=com" ) Feb 5 13:11:37 dev5 slapd[2523]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: cannot find entry: "cn=syncrepl123,dc=myDomain,dc=com" Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrep2 thanks for you help ! Alain Hello, I use the bottom file "slapd.conf" to mirror master server. It was ok with 2.2.23-5 version of openldap. I just installed a new version of openldap : 2.3.27-8 Now the slave server start ok... but slapcat is empty !!?? Do you have an idea ? Thanks a lot, Alain slapd.conf _________ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args loglevel 256 database bdb suffix "dc=myDomain,dc=com" rootdn "cn=Manager,dc=myDomain,dc=com" rootpw {SSHA}wuapktMrH50PDG29WoffJcmvpblebsdT directory /var/lib/ldap/myDomain.com index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryUUID eq access to * by * read syncrepl rid=123 provider=ldap://10.0.0.242:389 type=refreshOnly interval=00:00:01:00 searchbase="dc=myDomain,dc=com" filter="(objectclass=*)" attrs="*" scope=sub bindmethod=simple binddn="cn=Manager,dc=myDomain,dc=com" credentials="myPassword"

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2008