RE: Compiling openldap-2.4.8 on cygwin
by Gavin Henry
> Thanks for the reply.
> Anyone know of a decent dummies guide to compiling mingw exes?
> I've never done this before.
> Thanks,
>
> Chris
>
>
IIRC, it's the same as normal on *unix, that's the point:
./configure --blah
make depend
make
make test
12 years, 11 months
OpenLDAP Updating Schema Definition
by Jimmy Liang
I've read that OpenLDAP supports runtime schema modifications but I can't
figure out the extensiveness of this feature. On Sun's page (
http://java.sun.com/products/jndi/tutorial/ldap/schema/object.html under the
header "Adding a New Object Class") it's telling me that OpenLDAP does not
support this kind of modification. When I try the code on that page, I run
into
Exception in thread "main"
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21
- objectClasses: value #0 invalid per syntax]; remaining name ''
And in the syslog I noticed this
Apr 24 15:38:14 localhost slapd[6532]: daemon: read activity on 12
Apr 24 15:38:14 localhost slapd[6532]: connection_get(12)
Apr 24 15:38:14 localhost slapd[6532]: connection_get(12): got connid=14
Apr 24 15:38:14 localhost slapd[6532]: connection_read(12): checking for input on id=14
Apr 24 15:38:14 localhost slapd[6540]: do_modify
Apr 24 15:38:14 localhost slapd[6540]: do_modify: dn (cn=Subschema)
Apr 24 15:38:14 localhost slapd[6540]: => get_ctrls
Apr 24 15:38:14 localhost slapd[6540]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Apr 24 15:38:14 localhost slapd[6532]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Apr 24 15:38:14 localhost slapd[6540]: <= get_ctrls: n=1 rc=0 err=""
Apr 24 15:38:14 localhost slapd[6540]: >>> dnPrettyNormal: <cn=Subschema>
Apr 24 15:38:14 localhost slapd[6540]: <<< dnPrettyNormal: <cn=Subschema>, <cn=subschema>
Apr 24 15:38:14 localhost slapd[6540]: send_ldap_result: conn=14 op=3 p=3
Apr 24 15:38:14 localhost slapd[6540]: send_ldap_result: err=21 matched="" text="objectClasses: value #0 invalid per syntax"
Apr 24 15:38:14 localhost slapd[6540]: send_ldap_response: msgid=4 tag=103 err=21
Apr 24 15:38:14 localhost slapd[6540]: conn=14 op=3 RESULT tag=103 err=21 text=objectClasses: value #0 invalid per syntax
Apr 24 15:38:14 localhost slapd[6532]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 24 15:38:14 localhost slapd[6532]: daemon: activity on 1 descriptor
Apr 24 15:38:14 localhost slapd[6532]: daemon: activity on:
Apr 24 15:38:14 localhost slapd[6532]: 13r
Does OpenLDAP allow programmatic (hopefully but not necessarily Java) schema changes at runtime?
12 years, 11 months
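The result code 21 in the log above comes from slapd's schema parser: the objectClasses value sent to cn=Subschema did not parse as an ObjectClassDescription, so the question of whether runtime modification is permitted never arose (in OpenLDAP 2.4 the subschema subentry is read-only; runtime schema edits go through olcObjectClasses under cn=schema,cn=config). As an added example, not code from the post, from the Sun tutorial or from OpenLDAP itself, the following Python re-implements the RFC 4512 section 4.1.1 grammar so that a definition can be checked, and the offending part named, before it is sent to the server. Any OID you pass in is your own; the checker only validates its shape.

```python
"""Client-side check of an LDAP objectClass definition (RFC 4512 section 4.1.1).

slapd answers "objectClasses: value #0 invalid per syntax" (LDAP_INVALID_SYNTAX,
21) when a value does not parse as an ObjectClassDescription.  Running the same
grammar before the modify request shows *which* part is wrong.
"""
import re

# Tokens: parentheses, the '$' list separator, single-quoted strings, bare words.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
_NUMERIC_OID = re.compile(r"^\d+(?:\.\d+)+$")
_DESCR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # descr: a letter, then letters/digits/'-'
_KINDS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY")


class SchemaSyntaxError(ValueError):
    """Raised where slapd would return result code 21."""


def _check_oid(tok):
    if not (_NUMERIC_OID.match(tok) or _DESCR.match(tok)):
        raise SchemaSyntaxError("not a numeric OID or descriptor: %r" % tok)
    return tok


def _parse_oids(tokens, i):
    """Parse `oid` or `( oid $ oid ... )` at tokens[i]; return (list, next index)."""
    if tokens[i] != "(":
        return [_check_oid(tokens[i])], i + 1
    oids, i = [], i + 1
    while True:
        oids.append(_check_oid(tokens[i]))
        i += 1
        if tokens[i] == ")":
            return oids, i + 1
        if tokens[i] != "$":
            raise SchemaSyntaxError("expected '$' or ')' in OID list, got %r" % tokens[i])
        i += 1


def _parse_qstrings(tokens, i, descr_only):
    """Parse `'s'` or `( 's' 's' ... )`; with descr_only every value must be a descr."""
    def one(tok):
        if len(tok) < 2 or tok[0] != "'" or tok[-1] != "'":
            raise SchemaSyntaxError("expected a quoted string, got %r" % tok)
        val = tok[1:-1]
        if descr_only and not _DESCR.match(val):
            raise SchemaSyntaxError("NAME is not a valid descriptor: %r" % val)
        return val
    if tokens[i] != "(":
        return [one(tokens[i])], i + 1
    vals, i = [], i + 1
    while tokens[i] != ")":
        vals.append(one(tokens[i]))
        i += 1
    return vals, i + 1


def parse_object_class(definition):
    """Return the parsed definition as a dict, or raise SchemaSyntaxError."""
    tokens = _TOKEN.findall(definition)
    try:
        if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
            raise SchemaSyntaxError("definition must have the form '( oid ... )'")
        oc = {"oid": _check_oid(tokens[1]), "names": [], "desc": None, "obsolete": False,
              "sup": [], "kind": "STRUCTURAL", "must": [], "may": [], "extensions": {}}
        seen, i = set(), 2
        while i < len(tokens) - 1:
            kw = tokens[i]
            if kw in seen or (kw in _KINDS and seen & set(_KINDS)):
                raise SchemaSyntaxError("keyword given twice: %r" % kw)
            seen.add(kw)
            if kw == "NAME":
                oc["names"], i = _parse_qstrings(tokens, i + 1, True)
            elif kw == "DESC":
                vals, i = _parse_qstrings(tokens, i + 1, False)
                if len(vals) != 1:
                    raise SchemaSyntaxError("DESC takes exactly one quoted string")
                oc["desc"] = vals[0]
            elif kw == "OBSOLETE":
                oc["obsolete"], i = True, i + 1
            elif kw == "SUP":
                oc["sup"], i = _parse_oids(tokens, i + 1)
            elif kw in _KINDS:
                oc["kind"], i = kw, i + 1
            elif kw == "MUST":
                oc["must"], i = _parse_oids(tokens, i + 1)
            elif kw == "MAY":
                oc["may"], i = _parse_oids(tokens, i + 1)
            elif kw.startswith("X-"):
                oc["extensions"][kw], i = _parse_qstrings(tokens, i + 1, False)
            else:
                raise SchemaSyntaxError("unexpected token %r" % kw)
        if i != len(tokens) - 1:          # a sub-list swallowed the closing ')'
            raise SchemaSyntaxError("unbalanced parentheses")
    except IndexError:
        raise SchemaSyntaxError("definition ends prematurely")
    return oc


def check_object_class(definition):
    """Non-raising wrapper: (True, parsed) or (False, reason)."""
    try:
        return True, parse_object_class(definition)
    except SchemaSyntaxError as exc:
        return False, str(exc)
```

Call check_object_class(definition) on the string you are about to send; an unquoted NAME, a MUST list without '$' separators, a NAME containing an underscore or a missing closing parenthesis each come back with the reason, where slapd only says "value #0 invalid per syntax".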
bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
by Srinidhi Sharma
Hi,
I am using OpenLDAP 2.4.8 with Berkeley DB 4.6.21.
The installation of OpenLDAP went through successfully, but I have the following problem.
1. When I tried accessing dc=example,dc=com through ldapsearch it fails with "No such object":
ldapsearch -h my-openldap-host -p 9011 -D "cn=Manager,dc=example,dc=com" -w secret -b 'dc=example,dc=com' -s sub 'objectclass=*'
ldap_search: No such object
Following are the error messages from slapd:
==========================
=> bdb_search
bdb_dn2entry("dc=example,dc=com")
=> bdb_dn2id("dc=example,dc=com")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
send_ldap_result: conn=2 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=32
ber_flush2: 14 bytes to sd 11
0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... ....
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... ....
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=2 op=2 do_unbind
connection_closing: readying conn=2 sd=11 for close
connection_resched: attempting closing conn=2 sd=11
Contents of slapd.conf are:
===================
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory <myhost-dir>/openldap/install/openldap-2.4.8/var/openldap-data
# Indices to maintain
index objectClass eq
However, when I try ldapbind to OpenLDAP it works fine.
ldapbind -h my-openldap-host -p 9011 -D "cn=Manager,dc=example,dc=com" -w secret
Also, a base search goes through fine.
ldapsearch -h my-openldap-host -p 9011 -D "cn=Manager,dc=example,dc=com" -w secret -b '' -s base 'objectclass=*'
How do I get around this error? Is there any configuration mismatch?
slapd is running as a normal Unix user and not as an "ldap" user.
The command used to run slapd is:
./slapd -h ldap://my-openldap-host:9011 -f ../etc/openldap/slapd.conf -d3
Please help.
--
Thanks,
Srinidhi
12 years, 11 months
OpenLDAP: slave is not being updated by master and replog is empty
by brad davison
I am working in a test environment to construct a Samba/LDAP domain for Windows clients. There is a PDC with OpenLDAP server 2.3.35 and Samba 3.026 running on Ubuntu Server 7.10.
The PDC is functioning; I am able to create users and login with them, as well as join workstations to the domain. The slave slapd was populated with an output from an ldif file that was exported from the master via:
slapcat -l >> master.ldif
I had entered the 'replica' line in the master-slapd, and the updatedn and updateref lines in the slave-slapd as stated in 14.4 in the OpenLDAP 2.3 admin's guide. The 'openldap' user has rights to the replog file.
Problem 1) The master (dc01-ubuntu.example.local) is not updating the replog file with either a success or failure.
Problem 2) The slave (bdc01-ubuntu.example.local) is not getting updates from the master when changes occur.
I am relatively new to LDAP and I might be missing something core. I have the OpenLDAP admin guide printed out and I am referring to it, but I believe I had entered the lines as the book instructed.
Attached are my master-slapd.conf and slave-slapd.conf files. Again, this is a test environment for now. I understand the current setup is not secure. What I would like to achieve is a working PDC -> BDC replication.
When I start slapd on the master I get: Starting OpenLDAP: slapd slurpd.
with no errors.
When I start slapd on the slave I get: Starting OpenLDAP: slapd
with no errors.
master-slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=example,dc=local"
rootdn "cn=admin,dc=example,dc=local"
rootpw 12345
replica uri=ldap://bdc01-ubuntu.example.local:389
binddn="cn=admin,dc=example,dc=local"
credentials=12345
bindmethod=simple
tls=no
replogfile /var/log/replog.bdc01-ubuntu.example.local
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=example,dc=local" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=example,dc=local" write
by * read
-------------------------
slave-slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
operation
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
### slurpd
updatedn "cn=admin,dc=example,dc=local"
updateref ldap://dc01-ubuntu.example.local
suffix dc=example,dc=local
rootdn cn=admin,dc=example,dc=local
rootpw 12345
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=example,dc=local" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=example,dc=local" write
by * read
12 years, 11 months
noob ldap question
by Nizameddin Ordulu
Hi All,
My apologies in advance if this is not the right place to ask this noob
question.
I am trying to create an ldap database with base dn: dc=tr,dc=tc. Once
created it will be used to store the email accounts like username(a)tr.tc.
When I execute the command to modify the dn entry, I get the following error
root@nizam-desktop:/home/nizam/Desktop# ldapadd -f user2.ldiff -xv -D "cn=admin,dc=tr,dc=tc" -h 127.0.0.1 -w 1234
ldap_initialize( ldap://127.0.0.1 )
add objectClass:
top
dcObject
organization
add dc:
tr
tc
add description:
top level of the tr.tc hierarchy
adding new entry "dc=tr,dc=tc"
modify complete
ldap_add: Constraint violation (19)
additional info: dc: multiple values provided
The user2.ldiff file looks like this:
dn: dc=tr,dc=tc
objectClass: top
objectClass: dcObject
objectClass: organization
dc: tr
dc: tc
description: top level of the tr.tc hierarchy
dn: cn=admin,dc=tr,dc=tc
objectClass: organizationalRole
cn: admin
description: LDAP Directory Administrator
dn: cn=user1,dc=tr,dc=tc
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
cn: user1
sn: user1lastname
mail: user1(a)tr.tc
userPassword: 1234
mailHost: 127.0.0.1
The configuration for the database dc=tr,dc=tc is as follows (part of
/etc/ldap/slapd.conf)
database bdb
suffix "dc=tr,dc=tc"
rootdn "cn=admin,dc=tr,dc=tc"
rootpw 1234
directory /var/lib/ldap/trtc
defaultaccess read
schemacheck on
lastmod on
index cn,sn,st,o eq,pres,sub
My OS is Ubuntu 7.10 and I am running slapd installed by the Synaptic manager.
root@nizam-desktop:/home/nizam/Desktop# uname -a
Linux nizam-desktop 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007 i686 GNU/Linux
Can anyone please tell me why I cannot add dc=tr,dc=tc?
Kind regards,
nizam
--
Nizameddin Ordulu
12 years, 11 months
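Both the bdb_dn2id DB_NOTFOUND post above (a database whose suffix entry was never added, so every search below dc=example,dc=com ends in noSuchObject) and this one (a dcObject carrying two dc values, which slapd rejects with constraintViolation because dc is SINGLE-VALUE in core.schema) would have been caught by checking the LDIF offline. The following Python is an added example, not code from either post or from OpenLDAP: a small LDIF parser plus checks for the presence and ordering of the suffix entry, the naming attribute of each DN, single-valued attributes and the MUST attributes of a hand-coded fragment of core.schema. The embedded LDIF is an abridged copy of the user2.ldiff from this post; the schema tables are deliberately partial and meant to be extended.

```python
"""Offline sanity check of an LDIF file before it is handed to ldapadd or slapadd.

Catches what two posts in this archive hit: a suffix entry that was never added
(search under dc=example,dc=com -> noSuchObject (32), 'bdb_dn2id ... DB_NOTFOUND'
in slapd -d3 output) and a dcObject with two 'dc' values ('dc: multiple values
provided', constraintViolation (19)).  Schema knowledge below is a small,
hard-coded fragment of core.schema/nis.schema; extend the tables as needed.
"""
import base64

SINGLE_VALUED = ("dc", "c", "uidnumber", "gidnumber", "homedirectory")
MUST = {"dcobject": ("dc",), "organization": ("o",),
        "organizationalrole": ("cn",), "person": ("sn", "cn")}
SUP = {"inetorgperson": "organizationalperson", "organizationalperson": "person"}

# Abridged copy of user2.ldiff from the 'noob ldap question' post.
POSTED_LDIF = """\
dn: dc=tr,dc=tc
objectClass: dcObject
objectClass: organization
dc: tr
dc: tc

dn: cn=admin,dc=tr,dc=tc
objectClass: organizationalRole
cn: admin

dn: cn=user1,dc=tr,dc=tc
objectClass: inetOrgPerson
cn: user1
sn: user1lastname
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names are case-folded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        else:
            lines.append(raw)
    records, dn, attrs = [], None, {}
    for line in lines + [""]:                 # the final "" flushes the last record
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            if dn is not None:                # new record without a blank line
                records.append((dn, attrs))
            dn, attrs = value, {}
        else:
            attrs.setdefault(name, []).append(value)
    return records


def norm_dn(dn):
    """Case-fold and strip spaces around '=' and ','; not full RFC 4514 normalisation."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")).lower()


def required_attrs(object_classes):
    """MUST attributes of the given object classes and of their SUP chain."""
    needed = set()
    for oc in object_classes:
        oc = oc.lower()
        while oc:
            needed.update(MUST.get(oc, ()))
            oc = SUP.get(oc)
    return needed


def check_ldif(text, suffix):
    """Return human-readable findings; an empty list means these rules found nothing."""
    findings, records, suffix_n = [], parse_ldif(text), norm_dn(suffix)
    dns = [norm_dn(dn) for dn, _ in records]
    if suffix_n not in dns:
        findings.append("suffix entry %s is missing; searches under it fail with noSuchObject (32)" % suffix)
    elif dns[0] != suffix_n:
        findings.append("suffix entry %s must be the first record; parents before children" % suffix)
    for dn, attrs in records:
        n = norm_dn(dn)
        if n != suffix_n and not n.endswith("," + suffix_n):
            findings.append("%s lies outside suffix %s" % (dn, suffix))
        rdn_attr, _, rdn_val = n.split(",", 1)[0].partition("=")
        if rdn_val not in [v.lower() for v in attrs.get(rdn_attr, [])]:
            findings.append("%s: naming attribute %s=%s is not present in the entry (namingViolation 64)"
                            % (dn, rdn_attr, rdn_val))
        for attr in SINGLE_VALUED:
            if len(attrs.get(attr, [])) > 1:
                findings.append("%s: %s is SINGLE-VALUE but has %d values (constraintViolation 19)"
                                % (dn, attr, len(attrs[attr])))
        for attr in sorted(required_attrs(attrs.get("objectclass", [])) - set(attrs)):
            findings.append("%s: objectClass requires attribute %s (objectClassViolation 65)" % (dn, attr))
    return findings


if __name__ == "__main__":
    for finding in check_ldif(POSTED_LDIF, "dc=tr,dc=tc"):
        print(finding)
```

Run against the posted file it reports two findings: the two dc values, and the o attribute that the organization class requires, which ldapadd would complain about next once the dc line is fixed. For the DB_NOTFOUND case, feed it the LDIF you intend to slapadd with the configured suffix and it tells you whether the dc=example,dc=com entry is there at all.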
Re: AW: Invalid syntax (21)
by Luke Lee
I referenced both section 4.3 and section 6.27 of RFC 2252 and tried the following:
(,l\5Fluke,mydomain.com)
(,l\_luke,mydomain.com)
(,l'\_'luke,mydomain.com
(,l"_"luke,mydomain.com)
(,(l'_'luke,mydomain.com)
(,l"\5F"luke,mydomain.com)
(,l"\_"luke,mydomain.com)
(,"l_luke",mydomain.com)
(,'l_luke',mydomain.com)
However, none of the above worked. What is the correct way of doing the escape? Your help will be much appreciated!
Luke
----- Original Message ----
From: Dieter Kluenter <dieter(a)dkluenter.de>
To: openldap-technical(a)openldap.org
Sent: Wednesday, April 23, 2008 6:37:33 AM
Subject: Re: AW: Invalid syntax (21)
Luke Lee <leeluke77(a)yahoo.com> writes:
> Hi Claus,
>
> Thank you for your valuable opinion.
>
> I tried to "fix" the syntax problem by removing the _ from the username. It
> worked! However, I want to use the _ because this is my company's user naming
> convention. I have to point out that when I ran the early version of OpenLDAP
> (version 2.2-13), there were no syntax problems when I used the ldif with the
> nisNetgroupTriple that was defined. I just did a custom build of OpenLDAP
> (version 2.3-39). Then, I immediately encountered the invalid syntax problem
> when I triled to load the same ldif.
RFC 2307 defines the attribute elements as being of syntax 'keystring';
keystring, as defined in RFC 2252, does not allow underscores. If you
do require underscores you may escape this character.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
12 years, 11 months
Re: "to" rules
by uri_gr1@tut.by
In the message of Monday 21 April 2008 17:30:08 you wrote:
> Note, you replied just to me - might have gotten a quicker reply from
> someone else if you replied to the list. Anyway...
>
> uri_gr1(a)tut.by writes:
> >From: uri_gr1(a)tut.by
> >
> >>> I have openldap-2.4.8 up and running. I have ou=People subtree with
> >>> posixAccounts and I need to grant access to, let's say,
> >>> ou=Clients,ou=AddressBook by all rdn's in ou=People, having
> >>> gidNumber=10008.
> >>
> >> I'm not quite sure what you mean with "by all rdn's". (...)
> >
> > user uid=uri_gr1,ou=People,dc=tut,dc=by should have write access to
> > ou=Clients,ou=AddressBook,dc=tut,dc=by subtree if the user entry contains
> > attribute gidNumber: 10008
>
> Still untested -
>
> access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
> by dn.onelevel=ou=People,dc=tut,dc=by
> set.exact="self/gidNumber & 10008"
> write
> and maybe by * read or whatever for everyone else
I tested the ACLs below:
# ACL for clients addressbook
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by dn.onelevel=ou=People,dc=tut,dc=by
set.exact="self/gidNumber & 10003"
write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by dn.onelevel=ou=People,dc=tut,dc=by
set.exact="self/gidNumber & 10007"
write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by dn.onelevel=ou=People,dc=tut,dc=by
set.exact="self/gidNumber & 10008"
write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by * none
#
But it did not work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is
restricted for everyone. Is it possible to write some ACLs like:
...
by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
As far as I know it is accepted for "to ..." rules, but what about "by ..."?
I tried it earlier, but maybe it failed because of wrong syntax?
12 years, 11 months
slapd memory footprint
by Stelios Grigoriadis
After running some tests we observed that slapd is consuming a
considerable amount of memory; why is that? We ran one client that
retrieved the entire tree (it was pretty small anyway) and 10 other
clients that searched for a particular item. Comparing version 2.3.39
with 2.3.32, the footprint increases. From top:
2.3.32:
  PID USER PR NI VIRT  RES  SHR  S %CPU %MEM TIME+   SWAP CODE DATA COMMAND
 6049 root 18  0 221m 4904 2568 S 11.5  0.2 0:33.27 216m 2844 137m slapd
2.3.39:
  PID USER PR NI VIRT  RES  SHR  S %CPU %MEM TIME+   SWAP CODE DATA COMMAND
13062 ldap 18  0 268m  80m  77m S 14.3 16.2 0:42.27 188m 2892 185m slapd
Is this to be expected? By decreasing the cachesize we got:
  PID USER PR NI VIRT  RES  SHR  S %CPU %MEM TIME+   SWAP CODE DATA COMMAND
22492 ldap 18  0 255m  80m  77m S 14.5 16.1 0:39.01 175m 2892 172m slapd
which is still pretty big.
The whole LDAP tree fits into a 14k large LDIF file so the amount of
data is not large. Is there any way we can influence the memory
footprint (e.g. by setting some parameter)?
/Stelios
12 years, 11 months
Re: AW: Invalid syntax (21)
by Luke Lee
Hi Claus,
Thank you for your valuable opinion.
I tried to "fix" the syntax problem by removing the _ from the username. It worked! However, I want to use the _ because this is my company's user naming convention. I have to point out that when I ran the early version of OpenLDAP (version 2.2-13), there were no syntax problems when I used the ldif with the nisNetgroupTriple that was defined. I just did a custom build of OpenLDAP (version 2.3-39). Then, I immediately encountered the invalid syntax problem when I tried to load the same ldif.
Do you have any thought on the weird problem? Thanks.
Luke
----- Original Message ----
From: "Kick, Claus" <claus.kick(a)siemens.com>
To: Luke Lee <leeluke77(a)yahoo.com>; Dieter Kluenter <dieter(a)dkluenter.de>; openldap-technical(a)openldap.org
Sent: Tuesday, April 22, 2008 3:59:49 AM
Subject: AW: Invalid syntax (21)
Hello,
nisnetgrouptriple = "(" hostname "," username "," domainname ")"
You have
nisNetgroupTriple: (,luke_l,mydomain.com) which I would translate to: <empty>,username,domainname.
Perhaps you just have to add the hostname and not leave it blank?
Cheers,
Claus
________________________________
From: openldap-technical-bounces+claus.kick=siemens.com(a)OpenLDAP.org [mailto:openldap-technical-bounces+claus.kick=siemens.com@OpenLDAP.org] On behalf of Luke Lee
Sent: Tuesday, 22 April 2008 01:21
To: Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: Invalid syntax (21)
Hi Dieter,
I tried several modifications but still couldn't get it working. Can you or anyone else help please? What's wrong with my syntax? Thanks.
Luke
----- Original Message ----
From: Dieter Kluenter <dieter(a)dkluenter.de>
To: openldap-technical@openldap.org
Sent: Saturday, April 19, 2008 4:27:20 AM
Subject: Re: Invalid syntax (21)
Luke Lee <leeluke77(a)yahoo.com> writes:
> Hi,
>
> I encounter a situation where I couldn't find any syntax errors in my ldif file but failed to use
> ldapadd to add entries. I didn't find any trailing spaces at the end of each objectClass. The
> following is the error message:
>
> adding new entry "cn=LocalSales,ou=Netgroup,dc=mydomain,dc=com"
> ldapadd: Invalid syntax (21)
> additional info: nisNetgroupTriple: value #0 invalid per syntax
>
> My ldif file is like the following:
[...]
> dn: cn=LocalSales,ou=Netgroup,dc=mydomain,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: LocalSales
> nisNetgroupTriple: (,luke_l,mydomain.com)
> nisNetgroupTriple: (,sam_c,mydomain.com)
> nisNetgroupTriple: (,amy_s,mydomain.com)
> nisNetgroupTriple: (,anita_c,mydomain.com)
> nisNetgroupTriple: (,jim_f,mydomain.com)
> description: Local Sales
The nisnetgrouptriple syntax is described in RFC-2307 as follows:
Values in this syntax are represented by the following:
nisnetgrouptriple = "(" hostname "," username "," domainname ")"
hostname = "" / "-" / keystring
username = "" / "-" / keystring
domainname = "" / "-" / keystring
See RFC-2307 for examples.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
________________________________
12 years, 11 months
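The grammar Dieter quotes explains every message in this thread: a keystring is a letter followed by letters, digits and hyphens, so 'luke_l' is rejected while the same triple without the underscore loads, and since the nisNetgroupTriple syntax defines no escape mechanism none of the backslash or quoting variants tried in the follow-up can pass either. As an added example, not from the thread or from OpenLDAP's source, the following Python applies that check to candidate values before ldapadd does and names the offending character. It accepts '.' inside a field because the thread shows slapd accepting 'mydomain.com' as domainname; that is an assumption taken from the observed behaviour rather than from the RFC text, which lists only letters, digits and '-'.

```python
"""Validate nisNetgroupTriple values the way slapd's syntax check does.

RFC 2307: nisnetgrouptriple = "(" hostname "," username "," domainname ")"
          each field = "" / "-" / keystring
RFC 2252: keystring = leadkeychar *keychar ; leadkeychar = ALPHA ;
          keychar = ALPHA / DIGIT / "-"
Assumption: '.' is accepted inside a field, since slapd loads 'mydomain.com'
in the thread while rejecting 'luke_l'.  The syntax has no escape mechanism,
so '\\5F' or quoting cannot smuggle an underscore through.
"""
import re

_FIELD_CHARS = re.compile(r"^[A-Za-z0-9.-]*$")     # characters accepted inside a field
_FIELD_NAMES = ("hostname", "username", "domainname")


def validate_netgroup_triple(value):
    """Return None if slapd would accept the value, else the reason it is rejected."""
    if len(value) < 2 or value[0] != "(" or value[-1] != ")":
        return "value must be enclosed in parentheses"
    body = value[1:-1]
    if "(" in body or ")" in body:
        return "stray or nested parenthesis inside the triple"
    fields = body.split(",")
    if len(fields) != 3:
        return "expected exactly three comma-separated fields, got %d" % len(fields)
    for name, field in zip(_FIELD_NAMES, fields):
        if not _FIELD_CHARS.match(field):
            bad = sorted(set(c for c in field if not _FIELD_CHARS.match(c)))
            return "%s %r contains character(s) outside keystring: %s" % (
                name, field, " ".join(repr(c) for c in bad))
    return None


def audit_triples(values):
    """Map each value slapd would reject to its reason; {} means the LDIF would load."""
    result = {}
    for v in values:
        reason = validate_netgroup_triple(v)
        if reason:
            result[v] = reason
    return result


# Values taken from the thread: the original underscore form and two of the
# escaping attempts; all four are rejected for the same reason.
THREAD_VALUES = ["(,luke_l,mydomain.com)", "(,sam_c,mydomain.com)",
                 "(,l\\5Fluke,mydomain.com)", "(,'l_luke',mydomain.com)"]

if __name__ == "__main__":
    for v, why in audit_triples(THREAD_VALUES).items():
        print(v, "->", why)
    print(validate_netgroup_triple("(,luke-l,mydomain.com)"))   # None: accepted
```

Running it shows the underscore (and, for the escaped forms, the backslash or quote) as the character outside the keystring class; a hyphen in its place, or the blank hostname used in the thread, passes.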