openldap-technical February 2008

openldap-technical@openldap.org

57 participants
79 discussions

LDAP Master/Slave replication
by asiani＠free.fr 05 Feb '08

05 Feb '08

The log : Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrepl Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: ndn: "cn=syncrepl123,dc=myDomain,dc=com" Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: oc: "(null)", at: "syncreplCookie" Feb 5 13:11:37 dev5 slapd[2523]: bdb_dn2entry("cn=syncrepl123,dc=myDomain,dc=com") Feb 5 13:11:37 dev5 slapd[2523]: => bdb_dn2id( "dc=myDomain,dc=com" ) Feb 5 13:11:37 dev5 slapd[2523]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: cannot find entry: "cn=syncrepl123,dc=myDomain,dc=com" Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrep2 thanks for you help ! Alain Hello, I use the bottom file "slapd.conf" to mirror master server. It was ok with 2.2.23-5 version of openldap. I just installed a new version of openldap : 2.3.27-8 Now the slave server start ok... but slapcat is empty !!?? Do you have an idea ? Thanks a lot, Alain slapd.conf _________ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args loglevel 256 database bdb suffix "dc=myDomain,dc=com" rootdn "cn=Manager,dc=myDomain,dc=com" rootpw {SSHA}wuapktMrH50PDG29WoffJcmvpblebsdT directory /var/lib/ldap/myDomain.com index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryUUID eq access to * by * read syncrepl rid=123 provider=ldap://10.0.0.242:389 type=refreshOnly interval=00:00:01:00 searchbase="dc=myDomain,dc=com" filter="(objectclass=*)" attrs="*" scope=sub bindmethod=simple binddn="cn=Manager,dc=myDomain,dc=com" credentials="myPassword"

1 0

LDAP Master/Slave replication
by asiani＠free.fr 05 Feb '08

05 Feb '08

Hello, I use the bottom file "slapd.conf" to mirror master server. It was ok with 2.2.23-5 version of openldap. I just installed a new version of openldap : 2.3.27-8 Now the slave server start ok... but slapcat is empty !!?? Do you have an idea ? Thanks a lot, Alain slapd.conf _________ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args loglevel 256 database bdb suffix "dc=myDomain,dc=com" rootdn "cn=Manager,dc=myDomain,dc=com" rootpw {SSHA}wuapktMrH50PDG29WoffJcmvpblebsdT directory /var/lib/ldap/myDomain.com index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryUUID eq access to * by * read syncrepl rid=123 provider=ldap://10.0.0.242:389 type=refreshOnly interval=00:00:01:00 searchbase="dc=myDomain,dc=com" filter="(objectclass=*)" attrs="*" scope=sub bindmethod=simple binddn="cn=Manager,dc=myDomain,dc=com" credentials="myPassword"

1 0

Exporting LDAP info from Active Directory / Exchange Global Address List
by Clemson, Chris (IHG) 04 Feb '08

04 Feb '08

Hi everyone, Hopefully I'm now sending this to the right list, apologies if not.... I am trying to find a way of exporting most information from the GAL into an LDAP server. It seems that OpenLDAP might do what I want, however I'm relatively new to using LDAP, so I was wondering if someone could give me a few pointers on how to do this. It sounds like I need to use a slapd as a Proxy Cache Engine, so I can cache an AD query (preferably the equivalent of the Exchange GAL) into OpenLDAP. People can then use the OpenLDAP server as a Directory source in Outlook without needing to log in to anything. I need to do something like this so that people who do not have access to the Exchange Servers can see (and therefore email) accounts in Exchange. I have found some mailing list articles that allude to this, but nothing specific. Thank you, Chris

2 2

Getent fonction with ldap
by asiani＠free.fr 04 Feb '08

04 Feb '08

Hello, I'm looking for a documentation of "howto configure getent with ldap", can you help me, i have problem with this fonction on centos 4.4 i can't get entries from ldap but i try to configure : /etc/pam.d/system-auth /etc/ldap.conf slapcat is ok i do : smbpasswd -w mypassword i put my conf at the bottom of this email, thanks for your help ! Alain /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. # Modif by AS auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account required /lib/security/$ISA/pam_permit.so account sufficient /lib/security/$ISA/pam_ldap.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/$ISA/pam_deny.so password sufficient /lib/security/$ISA/pam_ldap.so use_authtok session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_ldap.so /etc/ldap.conf host 127.0.0.1 #host 10.0.0.245 base dc=myDomain,dc=com rootbinddn cn=Manager,dc=myDomain,dc=com timelimit 120 bind_timelimit 120 idle_timelimit 3600 ssl no tls_cacertdir /etc/openldap/cacerts pam_password md5

2 3

password-hashing scheme
by Vinh.CTR.Hoang＠faa.gov 02 Feb '08

02 Feb '08

Hi, I'm have trouble trying to get a ldap client be authenicated by the the ldap server. I think the problem is that I might have the hash scheme configured wrongly or something like that. I'm on solaris 9 with Openldap 2.3.35. I have the password set as "clear" in the ldap.conf and password-hash as {MD5} in slapd.conf. Am I safe to assume that with these settings, it means that the client will be sent the passwords over the server as clear text and the server will hash it to MD5 before checking against its stored password list? If it is not the case, then how should I configure the client and server to be the case? Thanks, Vinh

4 5

Best method to set access permissions to third parties application with LDAP
by Benjamin Watine 01 Feb '08

01 Feb '08

Hello the list, I have to use LDAP to define access permissions for many third parties applications. So, I wonder what is the best way to organize my LDAP tree. I see two possibilities : - Set a LDAP group for each access level of each application, and create users that belongs to those groups. ex : GlobalServiceGroup | |__Application1Group | |__guestGroup | | |__user1 | | |__user2 | |__userGroup | | |__user3 | | |__user4 | |__adminGroup | |__Application2Group |__devTeamGroup | |__user1 | |__user2 | |__user3 | |__user4 |__testTeamGroup |__adminTeamGroup The problem of this solution is that I have to set a lot of groups, so my LDAP tree would became very complex to administrate. - Another way would be to define my own LDAP classes, with an attribute for each application that define the access level (guest, user, admin, etc). The problem of this solution is that I'm not anymore in the standard LDAP schema, and loose interoperability with standards LDAP clients. What is the best way to set that. Is there is another possibility than the two I mentioned before ? Thank you ! Ben

3 2

Re: Export / import ldap database between 2.2.29 & 2.3.27
by asiani＠free.fr 01 Feb '08

01 Feb '08

Ok thanks a lot !!!!! It is working now ! thks, Alain Buchan Milne wrote: > On Friday 01 February 2008 13:59:11 asiani(a)free.fr wrote: > >> # tail -n106 fichier_slapcat.ldif|head -n30 >> > > Now run this on both the old and the new server: > > # grep ^include /etc/openldap/slapd.conf > > It looks like your new server is missing inetorgperson.schema, and probably > many more. You should add the missing include lines to slapd.conf on your new > server, and try import again. > > Regards, > Buchan > >

1 0

Export / import ldap database between 2.2.29 & 2.3.27
by asiani＠free.fr 01 Feb '08

01 Feb '08

Hello, My source server : openldap-clients-2.2.29-1.FC3 perl-Net-LDAP-0.3202-1.1.fc3.rf nss_ldap-220-3 openldap-devel-2.2.29-1.FC3 php-ldap-4.3.11-2.8.4.legacy smbldap-tools-0.9.1-1.1.fc3.rf openldap-2.2.29-1.FC3 openldap-servers-2.2.29-1.FC3 My destination server : openldap-2.3.27-8 openldap-devel-2.3.27-8 perl-LDAP-0.33-3.fc6 php-ldap-5.1.6-15.el5 python-ldap-2.2.0-2.1 nss_ldap-253-5.el5 openldap-servers-2.3.27-8 I export my database from source : ldapsearch -LLL -x -h localhost -D "cn=Manager,dc=myDomain,dc=com" -w password -b "dc=myDomain,dc=com" > /backups/ldap/ldap-fs4-$TODAY.ldif dn: dc=myDomain,dc=com objectClass: dcObject objectClass: organization o: myDomain dc: myDomain dn: ou=Users,dc=myDomain,dc=com objectClass: organizationalUnit ou: Users dn: ou=Groups,dc=myDomain,dc=com objectClass: organizationalUnit ou: Groups dn: ou=Computers,dc=myDomain,dc=com objectClass: organizationalUnit ou: Computers dn: cn=NextFreeUnixId,dc=myDomain,dc=com objectClass: inetOrgPerson objectClass: sambaUnixIdPool cn: NextFreeUnixId sn: NextFreeUnixId gidNumber: 1001 uidNumber: 1154 dn: uid=smbguest3,ou=Users,dc=myDomain,dc=com objectClass: inetOrgPerson objectClass: sambaSamAccount objectClass: posixAccount objectClass: shadowAccount (...) and try to add in my destination server : slapadd -l fichier.ldif The system failed with this error : str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=69) The database is working well on source server...do y have an idea ? Thank you very much ! Alain

3 3

Pagination behavior using ldap_ctrl_paged
by Faraz R. Khan 01 Feb '08

01 Feb '08

Hi, Is there anyway I can navigate back and forth using the paged results control? The only thing I can currently use is going forward a certain pageSize. I realize this is exactly as per the RFC (2696) but is there anyway I can achieve back and forth pagination (pageSize = -3 for example)? Thank you. -- Faraz R Khan Chief Architect Emergen Consulting Pvt Ltd www.emergen.biz

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2008