openldap-technical April 2008

openldap-technical@openldap.org

56 participants
87 discussions

RE: Compiling openldap-2.4.8 on cygwin
by Gavin Henry 28 Apr '08

28 Apr '08

> Thanks for the reply. > Anyone know of a decent dummies guide to compiling mingw exes? > I've never done this before. > Thanks, > > Chris > > IIRC, it's the same as normal on *unix, that's the point: /configure --blah make depend make make test

2 1

OpenLDAP Updating Schema Definition
by Jimmy Liang 24 Apr '08

24 Apr '08

I've read that OpenLDAP supports runtime schema modifications but I can't figure out the extensiveness of this feature. On Sun's page ( http://java.sun.com/products/jndi/tutorial/ldap/schema/object.html under the header "Adding a New Object Class") it's telling me that OpenLDAP does not support this kind of modification. When I try the code on that page, I run into Exception in thread "main" javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - objectClasses: value #0 invalid per syntax]; remaining name '' And in the syslog I noticed this Apr 24 15:38:14 localhost slapd[6532]: daemon: read activity on 12 Apr 24 15:38:14 localhost slapd[6532]: connection_get(12) Apr 24 15:38:14 localhost slapd[6532]: connection_get(12): got connid=14 Apr 24 15:38:14 localhost slapd[6532]: connection_read(12): checking for input on id=14 Apr 24 15:38:14 localhost slapd[6540]: do_modify Apr 24 15:38:14 localhost slapd[6540]: do_modify: dn (cn=Subschema) Apr 24 15:38:14 localhost slapd[6540]: => get_ctrls Apr 24 15:38:14 localhost slapd[6540]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical) Apr 24 15:38:14 localhost slapd[6532]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Apr 24 15:38:14 localhost slapd[6540]: <= get_ctrls: n=1 rc=0 err="" Apr 24 15:38:14 localhost slapd[6540]: >>> dnPrettyNormal: <cn=Subschema> Apr 24 15:38:14 localhost slapd[6540]: <<< dnPrettyNormal: <cn=Subschema>, <cn=subschema> Apr 24 15:38:14 localhost slapd[6540]: send_ldap_result: conn=14 op=3 p=3 Apr 24 15:38:14 localhost slapd[6540]: send_ldap_result: err=21 matched="" text="objectClasses: value #0 invalid per syntax" Apr 24 15:38:14 localhost slapd[6540]: send_ldap_response: msgid=4 tag=103 err=21 Apr 24 15:38:14 localhost slapd[6540]: conn=14 op=3 RESULT tag=103 err=21 text=objectClasses: value #0 invalid per syntax Apr 24 15:38:14 localhost slapd[6532]: daemon: select: listen=6 active_threads=0 tvp=NULL Apr 24 15:38:14 localhost slapd[6532]: daemon: activity on 1 descriptor Apr 24 15:38:14 localhost slapd[6532]: daemon: activity on: Apr 24 15:38:14 localhost slapd[6532]: 13r Does OpenLDAP allow programmic (hopefully but necessarily Java) schema changes at runtime?

2 1

bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
by Srinidhi Sharma 24 Apr '08

24 Apr '08

Hi, I am using open ldap 2.4.8 with berkeley db 4.6.21 The installation of the open ldap went through successfully. But I have the following problem. 1. When tried accessing the dc=example,dc=com through ldapsearch it fails with no such object. ldapsearch -h my-openldap-host -p 9011 -D"cn=Manager,dc=example,dc=com" -w secret -b 'dc=example,dc=com' -s sub 'objectclass=*' ldap_search: No such object Following the error msgs from slapd ========================== => bdb_search bdb_dn2entry("dc=example,dc=com") => bdb_dn2id("dc=example,dc=com") <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) send_ldap_result: conn=2 op=1 p=3 send_ldap_response: msgid=2 tag=101 err=32 ber_flush2: 14 bytes to sd 11 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... .... ldap_write: want=14, written=14 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... .... connection_get(11): got connid=2 connection_read(11): checking for input on id=2 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 03 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=2 op=2 do_unbind connection_closing: readying conn=2 sd=11 for close connection_resched: attempting closing conn=2 sd=11 contents of slapd.conf are =================== database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory <myhost-dir>/openldap/install/openldap-2.4.8/var/openldap-data # Indices to maintain index objectClass eq However, when I try ldapbind to the open ldap it works fine.. ldapbind -h my-openldap-host -p 9011 -D"cn=Manager,dc=example,dc=com" -w secret And also , base search goes through fine. ldapsearch -h my-openldap-host -p 9011 -D"cn=Manager,dc=example,dc=com" -w secret -b '' -s base 'objectclass=*' How do I get around this error !!!, is there any configuration mismatch ??? The slapd is running as a normal unix user and not as a "ldap "user. Command used to run the slapd is: ./slapd -h ldap://my-openldap-host:9011 -f ../etc/openldap/slapd.conf -d3 Please help -- Thanks, Srinidhi

1 0

OpenLDAP: slave is not being updated by master and replog is empty
by brad davison 24 Apr '08

24 Apr '08

I am working in a test environment to construct a SAMBA / LDAP domain for windows clients. There is a PDC with OpenLDAP server 2.3.35 and SAMBA 3.026 running on ubuntu server 7.10. The PDC is functioning; I am able to create users and login with them, as well as join workstations to the domain. The slave slapd was populated with an output from an ldif file that was exported from the master via: slapcat -l >> master.ldif I had entered the 'replica' line in the master-slapd, and the updatedn and updateref lines in the slave-slapd as stated in 14.4 in the OpenLDAP 2.3 admin's guide. The 'openldap' user has rights to the replog file. Problem 1) The master (dc01-ubuntu.example.local) is not updating the replog file with either a success or failure. Problem 2) The slave (bdc01-ubuntu.example.local) is not getting updates from the master when changes occur. I am relatively new to LDAP and I might be missing something core. I have the OpenLDAP admin guide printed out and I am referring to it, but I believe I had entered the lines as the book instructed. Attached are my master-slapd.conf and slave-slapd.conf files. Again, this is a test environment for now. I understand the current setup is not secure. What I would like to achieve is a working PDC -> BDC replication. When I start slapd on the master i get:Starting OpenLDAP: slapd slurpd. with no errors. When I start slapd on the slave I get : Starting OpenLDAP: slapd with no errors. master-slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/misc.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 backend bdb checkpoint 512 30 database bdb suffix "dc=example,dc=local" rootdn "cn=admin,dc=example,dc=local" rootpw 12345 replica uri=ldap://bdc01-ubuntu.example.local:389 binddn="cn=admin,dc=example,dc=local" credentials=12345 bindmethod=simple tls=no replogfile /var/log/replog.bdc01-ubuntu.example.local directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=example,dc=local" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=example,dc=local" write by * read ------------------------- slave slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/misc.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb operation sizelimit 500 tool-threads 1 backend bdb checkpoint 512 30 database bdb ### slurpd updatedn "cn=admin,dc=example,dc=local" updateref ldap://dc01-ubuntu.example.local suffix dc=example,dc=local rootdn cn=admin,dc=example,dc=local rootpw 12345 directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=example,dc=local" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=example,dc=local" write by * read ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

2 7

noob ldap question
by Nizameddin Ordulu 23 Apr '08

23 Apr '08

Hi All, My apologies in advance if this is not the right place to ask this noob question. I am trying to create an ldap database with base dn: dc=tr,dc=tc. Once created it will be used to store the email accounts like username(a)tr.tc. When I execute the command to modify the dn entry, I get the following error root@nizam-desktop:/home/nizam/Desktop# ldapadd -f user2.ldiff -xv -D "cn=admin,dc=tr,dc=tc" -h 127.0.0.1 -w 1234 ldap_initialize( ldap://127.0.0.1 ) add objectClass: top dcObject organization add dc: tr tc add description: top level of the tr.tc hierarchy adding new entry "dc=tr,dc=tc" modify complete ldap_add: Constraint violation (19) additional info: dc: multiple values provided The user2.ldiff file looks like this: dn: dc=tr,dc=tc objectClass: top objectClass: dcObject objectClass: organization dc: tr dc: tc description: top level of the tr.tc hierarchy dn: cn=admin,dc=tr,dc=tc objectClass: organizationalRole cn: admin description: LDAP Directory Administrator dn: cn=user1,dc=tr,dc=tc objectClass: inetOrgPerson objectClass: inetLocalMailRecipient cn: user1 sn: user1lastname mail: user1(a)tr.tc userPassword: 1234 mailHost: 127.0.0.1 The configuration for the database dc=tr,dc=tc is as follows (part of /etc/ldap/slapd.conf) database bdb suffix "dc=tr,dc=tc" rootdn "cn=admin,dc=tr,dc=tc" rootpw 1234 directory /var/lib/ldap/trtc defaultaccess read schemacheck on lastmod on index cn,sn,st,o eq,pres,sub my OS is Ubuntu 7.10 and i am running slapd installed by the synaptic manager. root@nizam-desktop:/home/nizam/Desktop# uname -a Linux nizam-desktop 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007 i686 GNU/Linux Can anyone please tell me why I can not add dc=tr,dc=tc? Kind regards, nizam -- Nizameddin Ordulu

3 3

Re: AW: Invalid syntax (21)
by Luke Lee 23 Apr '08

23 Apr '08

I referenced both the section 4.3 and 6.27 of the rfc2252 and tried the following: (,l\5Fluke,mydomain.com) (,l\_luke,mydomain.com) (,l'\_'luke,mydomain.com (,l"_"luke,mydomain.com) (,(l'_'luke,mydomain.com) (,l"\5F"luke,mydomain.com) (,l"\_"luke,mydomain.com) (,"l_luke",mydomain.com) (,'l_luke',mydomain.com) However, none of the above worked. What is the correct way of doing the escape? Your help will be much appreciated! Luke ----- Original Message ---- From: Dieter Kluenter <dieter(a)dkluenter.de> To: openldap-technical(a)openldap.org Sent: Wednesday, April 23, 2008 6:37:33 AM Subject: Re: AW: Invalid syntax (21) Luke Lee <leeluke77(a)yahoo.com> writes: > Hi Claus, > > Thank you for your valuable opinion. > > I tried to "fix" the syntax problem by removing the _ from the username. It > worked! However, I want to use the _ because this is my company's user naming > convention. I have to point out that when I ran the early version of OpenLDAP > (version 2.2-13), there were no syntax problems when I used the ldif with the > nisNetgroupTriple that was defined. I just did a custom build of OpenLDAP > (version 2.3-39). Then, I immediately encountered the invalid syntax problem > when I triled to load the same ldif. RFC-2307 defines the attribute elements of syntax 'keystring, keystring, as defined in rfc2252, does not allow underscores, if you do require underscores you may escape this character. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6 Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

Re: AW: Invalid syntax (21)
by Luke Lee 23 Apr '08

23 Apr '08

I referenced both the section 4.3 and 6.27 of the rfc2252 and tried the following: (,l\5Fluke,mydomain.com) (,l\_luke,mydomain.com) (,l'\_'luke,mydomain.com (,l"_"luke,mydomain.com) (,(l'_'luke,mydomain.com) (,l"\5F"luke,mydomain.com) (,l"\_"luke,mydomain.com) (,"l_luke",mydomain.com) (,'l_luke',mydomain.com) However, none of the above worked. What is the correct way of doing the escape? Your help will be much appreciated! Luke ----- Original Message ---- From: Dieter Kluenter <dieter(a)dkluenter.de> To: openldap-technical(a)openldap.org Sent: Wednesday, April 23, 2008 6:37:33 AM Subject: Re: AW: Invalid syntax (21) Luke Lee <leeluke77(a)yahoo.com> writes: > Hi Claus, > > Thank you for your valuable opinion. > > I tried to "fix" the syntax problem by removing the _ from the username. It > worked! However, I want to use the _ because this is my company's user naming > convention. I have to point out that when I ran the early version of OpenLDAP > (version 2.2-13), there were no syntax problems when I used the ldif with the > nisNetgroupTriple that was defined. I just did a custom build of OpenLDAP > (version 2.3-39). Then, I immediately encountered the invalid syntax problem > when I triled to load the same ldif. RFC-2307 defines the attribute elements of syntax 'keystring, keystring, as defined in rfc2252, does not allow underscores, if you do require underscores you may escape this character. -Dieter -- Dieter Klünter | Systemberatung http://www..dkluenter.de GPG Key ID:8EF7B6C6 ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

Re: "to" rules
by uri_gr1＠tut.by 23 Apr '08

23 Apr '08

В сообщении от Monday 21 April 2008 17:30:08 вы написали: > Note, you replied just to me - might have gotten a quicker reply from > someone else if you replied to the list. Anyway... > > uri_gr1(a)tut.by writes: > >From: uri_gr1(a)tut.by > > > >>> I have openldap-2.4.8 up and running. I have ou=People subtree with > >>> posixAccounts and I need to grant access to, let's say, > >>> ou=Clients,ou=AddressBook by all rdn's in ou=People, having > >>> gidNumber=10008. > >> > >> I'm not quite sure what you mean with "by all rdn's". (...) > > > > user uid=uri_gr1,ou=People,dc=tut,dc=by should have write access to > > ou=Clients,ou=AddressBook,dc=tut,dc=by subtree if the user entry contains > > attribute gidNumber: 10008 > > Still untested - > > access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by > by dn.onelevel=ou=People,dc=tut,dc=by > set.exact="self/gidNumber & 10008" > write > and maybe by * read or whatever for everyone else I tested ACLs below: # ACL for clients addressbook access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10003" write access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10007" write access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10008" write access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by * none # But it's not worked. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is restricted to all. Is it posible to write some acls like: ... by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ... As I know it accepted for "to ..." rules, but wthat about "by ..."? I tried it earlier, but maybe it failed beacuse of wrong syntax?

2 2

slapd memory footprint
by Stelios Grigoriadis 23 Apr '08

23 Apr '08

After running some test we observed that slapd is consuming a considerable amount of memory, why is that? We ran one client that retrieved the entire tree (it was pretty small anyway) and 10 other clients that searched for a particular item. Comparing version 2.3.39 with 2.3.32 the footprint increases. From top: 2.3.32: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP CODE DATA COMMAND 6049 root 18 0 221m 4904 2568 S 11.5 0.2 0:33.27 216m 2844 137m slapd 2.3.39: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP CODE DATA COMMAND 13062 ldap 18 0 268m 80m 77m S 14.3 16.2 0:42.27 188m 2892 185m slapd Is this to be expected? By decreasing the cachesize we got: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP CODE DATA COMMAND 22492 ldap 18 0 255m 80m 77m S 14.5 16.1 0:39.01 175m 2892 172m slapd which is still pretty big. The whole ldap tree fits into a 14k large ldif file so the amount of data is not large. Is there any way we can influence the memory footprint (eg. by setting som parameter)? /Stelios

2 2

Re: AW: Invalid syntax (21)
by Luke Lee 23 Apr '08

23 Apr '08

Hi Claus, Thank you for your valuable opinion. I tried to "fix" the syntax problem by removing the _ from the username. It worked! However, I want to use the _ because this is my company's user naming convention. I have to point out that when I ran the early version of OpenLDAP (version 2.2-13), there were no syntax problems when I used the ldif with the nisNetgroupTriple that was defined. I just did a custom build of OpenLDAP (version 2.3-39). Then, I immediately encountered the invalid syntax problem when I triled to load the same ldif. Do you have any thought on the wierd problem? Thanks. Luke ----- Original Message ---- From: "Kick, Claus" <claus.kick(a)siemens.com> To: Luke Lee <leeluke77(a)yahoo.com>; Dieter Kluenter <dieter(a)dkluenter.de>; openldap-technical(a)openldap.org Sent: Tuesday, April 22, 2008 3:59:49 AM Subject: AW: Invalid syntax (21) Hello, nisnetgrouptriple = "(" hostname "," username "," domainname ")" You have nisNetgroupTriple: (,luke_l,mydomain.com <http://mydomain.com/ <http://mydomain.com/> > ) which I would translate to: <empty>,username, domainname. Perhaps you just have to add the hostname and not leave it blank? Cheers, Claus ________________________________ Von: openldap-technical-bounces+claus.kick=siemens.com(a)OpenLDAP.org [mailto:openldap-technical-bounces+claus.kick=siemens.com@OpenLDAP..org] Im Auftrag von Luke Lee Gesendet: Dienstag, 22. April 2008 01:21 An: Dieter Kluenter; openldap-technical(a)openldap.org Betreff: Re: Invalid syntax (21) Hi Dieter, I tried several modifications but still couldn't get it working. Can you or anyone else help please? What's wrong with my syntax? Thanks. Luke ----- Original Message ---- From: Dieter Kluenter <dieter(a)dkluenter.de> To: openldap-technical@openldap..org Sent: Saturday, April 19, 2008 4:27:20 AM Subject: Re: Invalid syntax (21) Luke Lee <leeluke77(a)yahoo.com> writes: > Hi, > > I encounter a situation where I couldn't find any syntax errors in my ldif file but failed to use > ldapadd to add entries. I didn't find any trailing spaces at the end of each objectClass. The > following is the error message: > > adding new entry "cn=LocalSales,ou=Netgroup,dc=mydomain,dc=com" > ldapadd: Invalid syntax (21) > additional info: nisNetgroupTriple: value #0 invalid per syntax > > My ldif file is like the following: [...] > dn: cn=LocalSales,ou=Netgroup,dc=mydomain,dc=com > objectClass: nisNetgroup > objectClass: top > cn: LocalSales > nisNetgroupTriple: (,luke_l,mydomain.com <http://mydomain.com/> ) > nisNetgroupTriple: (,sam_c,mydomain.com <http://mydomain.com/> ) > nisNetgroupTriple: (,amy_s,mydomain.com <http://mydomain.com/> ) > nisNetgroupTriple: (,anita_c,mydomain.com <http://mydomain.com/> ) > nisNetgroupTriple: (,jim_f,mydomain.com <http://mydomain.com/> ) > description: Local Sales The nisnetgrouptriple syntax is described in RFC-2307 as follows: Values in this syntax are represented by the following: nisnetgrouptriple = "(" hostname "," username "," domainname ")" hostname = "" / "-" / keystring username = "" / "-" / keystring domainname = "" / "-" / keystring See RFC-2307 for examples. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de <http://www.dkluenter.de/> GPG Key ID:8EF7B6C6 ________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. <http://us.rd.yahoo..com/evt=51733/*http://mobile.yahoo.com/;_ylt=Ahu06i62sR…> ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2008