Re: OpenLDAP 2.3 Make Test Failed
by Luke Lee
Thank you for the suggestion. I followed your instructions and was able to successfully complete the make test. Thanks again!
Luke
----- Original Message ----
From: Quanah Gibson-Mount <quanah(a)zimbra.com>
To: Luke Lee <leeluke77(a)yahoo.com>; openldap-technical(a)openldap.org
Sent: Friday, April 11, 2008 5:10:35 PM
Subject: Re: OpenLDAP 2.3 Make Test Failed
--On Friday, April 11, 2008 5:06 PM -0700 Luke Lee <leeluke77(a)yahoo.com>
wrote:
>
>
> Hi Quanah,
>
> Thank you for the response.
>
> I have the following set when I ran the configure:
I suggest you compare your LD_FLAGS line with mine. You're missing some
important options.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Dynlist and roles/groups
by Ashley Penney
Hi,
I'm not sure if this is exactly the right list, but I'm stuck trying to
implement something at work and I'm hoping someone can help me.
Background:
We have an existing openldap setup that uses roles rather than groups to
determine who gets what. We have people under ou=People, and roles under
ou=Roles.
Here's parts of my person object:
dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: lawHarvardEduPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: qmailUser
objectClass: shadowAccount
objectClass: top
cn: Ashley Penney
isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu
isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
Here's cn=SFTPUser,ou=Roles
dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: organizationalUnit
objectClass: posixGroup
objectClass: top
cn: SFTPUser
gidNumber: 24
ou: Roles
ou: Xythos
description: Indicates that a user has SFTP access.
displayName: SFTP User (SFTP User)
What I want to be able to do, via nss_ldap, is to iterate over the
isMemberOf entries, and check the cn=x,ou=roles for a posixGroup. I've
managed to get it building a search of the form:
SRCH base="ou=Roles,dc=law,dc=harvard,dc=edu" scope=2 deref=3 filter="(|distinguishedName=cn=sftpuser:member,ou=roles,dc=law,dc=harvard,dc=edu)(distinguishedName=cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu))"
It then does a SRCH attr=objectClass lookup, but this fails. My
understanding is this requires some support in openldap itself, and I can't
figure out if this is provided or not.
So, my alternative method is to build a dynamic list up, from my
understanding, and have it build me a dynamic sftp-users group. I cannot
figure out what values I would map however, and I'd appreciate any
assistance anyone can offer.
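Two things about the search above are worth knowing when reading it: OpenLDAP does not store a distinguishedName attribute on its entries (Active Directory does), so a filter on distinguishedName matches nothing on an OpenLDAP server, and the first isMemberOf value (cn=SFTP User:member,...) names no entry at all. The Python below is an added example, not code from the post, from nss_ldap or from OpenLDAP: it follows each isMemberOf value to its role entry, keeps only the roles that are posixGroup, and derives the memberUid view that a generated group would have to expose. The two entries are the ones from the post reduced to the attributes used; the WikiEditor role and the jdoe user are constructed to show a non-posix role and a DN written in different case being handled. How a dynlist URL maps uid values onto memberUid differs between releases, so slapo-dynlist(5) for the installed version is the reference for that step.

```python
# Added example (not from the post or from OpenLDAP/nss_ldap): resolve a
# user's isMemberOf roles to posixGroup entries and derive the memberUid
# view a group lookup needs.

def dn_key(dn):
    """Comparison key for DNs: attribute types and these values match
    case-insensitively and whitespace around separators is ignored.
    Not a full RFC 4514 parser (no escaped commas), enough for these DNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


ENTRIES = {
    "uid=apenney,ou=People,dc=law,dc=harvard,dc=edu": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["apenney"],
        "isMemberOf": [
            # first value from the post; no entry with this DN exists
            "cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu",
            "cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu",
        ],
    },
    "cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu": {
        "objectClass": ["lawHarvardEduRole", "organizationalUnit", "posixGroup"],
        "cn": ["SFTPUser"],
        "gidNumber": ["24"],
    },
    # constructed: a role that is not a posixGroup, and a second user whose
    # isMemberOf values are written in mixed case and with spaces
    "cn=WikiEditor,ou=Roles,dc=law,dc=harvard,dc=edu": {
        "objectClass": ["lawHarvardEduRole", "organizationalUnit"],
        "cn": ["WikiEditor"],
    },
    "uid=jdoe,ou=People,dc=law,dc=harvard,dc=edu": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["jdoe"],
        "isMemberOf": ["CN=WikiEditor, OU=Roles, DC=law, DC=harvard, DC=edu",
                       "cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu"],
    },
}


def _has_class(entry, oc):
    """objectClass values are case-insensitive."""
    return oc.lower() in (c.lower() for c in entry.get("objectClass", []))


def posix_groups_for(entries, user_dn):
    """(cn, gidNumber) for every isMemberOf value that names an existing
    posixGroup entry; dangling references and non-posix roles are skipped."""
    index = {dn_key(dn): e for dn, e in entries.items()}
    groups = []
    for role_dn in entries[user_dn].get("isMemberOf", []):
        role = index.get(dn_key(role_dn))
        if role is not None and _has_class(role, "posixGroup"):
            groups.append((role["cn"][0], int(role["gidNumber"][0])))
    return groups


def group_members(entries):
    """Reverse view over all posixAccount entries: {group cn: [uid, ...]},
    the memberUid list a generated (dynlist-style) group would expose."""
    members = {}
    for dn, entry in entries.items():
        if not _has_class(entry, "posixAccount"):
            continue
        for cn, _gid in posix_groups_for(entries, dn):
            members.setdefault(cn, []).append(entry["uid"][0])
    return {cn: sorted(uids) for cn, uids in members.items()}


if __name__ == "__main__":
    print(posix_groups_for(ENTRIES, "uid=apenney,ou=People,dc=law,dc=harvard,dc=edu"))
    print(group_members(ENTRIES))
```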
creating attributes in new objectclass
by Christophe Dumonet
Hello,
I have created a new objectclass for my company, and added some new
attributes.
Slapd restarts fine, and I can create the new attributes with values in DNs, but
when I want to search on the attribute with ldapsearch or another
tool (postfix), these attributes are not found.
For example, I get no answer with:
ldapsearch -x -b "ou=people,dc=ifma,dc=fr" -H ldap://172.16.10.92 -D
"cn=admin,dc=ifma,dc=fr" -W -LLL "(backupmail1=dumonet(a)backup1.ifma.fr)" uid
(while in an LDAP browser I see an attribute backupmail1 with the value
dumonet(a)backup1.ifma.fr, and the entry has a uid!)
My objectclass is in a new schema, included in slapd.conf by
include /etc/ldap/schema/ifma.schema
vi ifma.schema :
#schema local IFMA
#Date : 23/01/2008
#Author: Christophe Dumonet - IFMA
#
# CLASS IFMA
#
attributetype ( 1.3.6.1.4.1.7135.1.3.7.103 NAME 'pathbackupmail1'
DESC 'chemin pour backupmail1'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
)
attributetype ( 1.3.6.1.4.1.7135.1.3.7.102 NAME 'backupmail1'
DESC 'Adresse mail fictive pour backup mail 1 en temps reel'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
objectclass ( 1.3.6.1.4.1.7135.1.3.7.1 NAME 'ifma' SUP top AUXILIARY
DESC 'classe d infos ifma'
MAY ( backupmail1 $ pathbackupmail1 ))
Why? Is my schema not created correctly, is it my syntax, or something
else? I work with OpenLDAP 2.3.30. Thanks for any answer!
Christophe Dumonet.
--
----------------------------------------------------
Christophe Dumonet
Centre de Ressources Informatiques
Institut Francais de Mecanique Avancee (IFMA)
Campus des Cezeaux
BP 265
63175 AUBIERE Cedex
Tel : +33 - 4.73.28.80.64
Fax : +33 - 4.73.28.81.00
Mail : Christophe.Dumonet(a)ifma.fr
----------------------------------------------------
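Both attribute types in the schema above declare a SYNTAX but no EQUALITY rule. Without one, slapd cannot evaluate (backupmail1=...) as an equality assertion: that filter component is undefined, the search completes successfully with zero entries, and the value is still visible to a browser that reads the entry directly, which is the symptom described. The Python below is an added example, not from the post or from OpenLDAP: it parses attributetype definitions in slapd.conf schema syntax and reports those that declare neither EQUALITY nor a SUP type to inherit one from. The posted schema is embedded verbatim (minus comment lines) next to a corrected version written for this example; the correction also moves pathbackupmail1 from the Telephone Number syntax (...121.1.50, which the posted file uses) to Directory String (...121.1.15), since its description says it holds a path. If an attribute whose definition changes is indexed, run slapindex afterwards.

```python
# Added example (not from the post or from OpenLDAP): find attribute types
# in a slapd.conf-style schema that can never satisfy an equality filter
# because they declare no EQUALITY matching rule.
import re

SCHEMA_POSTED = """\
attributetype ( 1.3.6.1.4.1.7135.1.3.7.103 NAME 'pathbackupmail1'
DESC 'chemin pour backupmail1'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
)
attributetype ( 1.3.6.1.4.1.7135.1.3.7.102 NAME 'backupmail1'
DESC 'Adresse mail fictive pour backup mail 1 en temps reel'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
objectclass ( 1.3.6.1.4.1.7135.1.3.7.1 NAME 'ifma' SUP top AUXILIARY
DESC 'classe d infos ifma'
MAY ( backupmail1 $ pathbackupmail1 ))
"""

# Corrected form written for this example: matching rules added, and
# pathbackupmail1 changed to Directory String syntax.
SCHEMA_FIXED = """\
attributetype ( 1.3.6.1.4.1.7135.1.3.7.103 NAME 'pathbackupmail1'
DESC 'chemin pour backupmail1'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.7135.1.3.7.102 NAME 'backupmail1'
DESC 'Adresse mail fictive pour backup mail 1 en temps reel'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
objectclass ( 1.3.6.1.4.1.7135.1.3.7.1 NAME 'ifma' SUP top AUXILIARY
DESC 'classe d infos ifma'
MAY ( backupmail1 $ pathbackupmail1 ))
"""

# RFC 4517 syntax OIDs used above, each with a sensible EQUALITY rule.
SUGGESTED_EQUALITY = {
    "1.3.6.1.4.1.1466.115.121.1.15": "caseIgnoreMatch",       # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": "caseIgnoreIA5Match",    # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.50": "telephoneNumberMatch",  # Telephone Number
}


def _definitions(text, keyword):
    """Yield the text between the outer parentheses of every
    '<keyword> ( ... )' definition, counting nested groups like MAY ( a $ b )."""
    for m in re.finditer(r"^\s*%s\b" % keyword, text, re.I | re.M):
        start = text.index("(", m.end())
        depth = 0
        for j in range(start, len(text)):
            if text[j] == "(":
                depth += 1
            elif text[j] == ")":
                depth -= 1
                if depth == 0:
                    yield text[start + 1:j]
                    break


def _keyword(body, kw, strip_len=False):
    """Value following a schema keyword (e.g. 'EQUALITY caseIgnoreMatch'),
    optionally without a trailing {length} qualifier."""
    m = re.search(r"\b%s\s+(\S+)" % kw, body)
    if not m:
        return None
    return m.group(1).split("{")[0] if strip_len else m.group(1)


def parse_attribute_types(schema_text):
    """One dict per attributetype: oid, name, equality, sup, syntax."""
    text = "\n".join(l for l in schema_text.splitlines()
                     if not l.lstrip().startswith("#"))
    parsed = []
    for body in _definitions(text, "attributetype"):
        name = re.search(r"\bNAME\s+\(?\s*'([^']+)'", body)
        parsed.append({
            "oid": body.split()[0],
            "name": name.group(1) if name else None,
            "equality": _keyword(body, "EQUALITY"),
            "sup": _keyword(body, "SUP"),
            "syntax": _keyword(body, "SYNTAX", strip_len=True),
        })
    return parsed


def attributes_without_equality(schema_text):
    """{name: suggested EQUALITY rule} for attribute types that declare
    neither EQUALITY nor a SUP type from which a rule would be inherited."""
    findings = {}
    for at in parse_attribute_types(schema_text):
        if at["equality"] or at["sup"]:
            continue
        findings[at["name"]] = SUGGESTED_EQUALITY.get(
            at["syntax"], "<no suggestion for syntax %s>" % at["syntax"])
    return findings


if __name__ == "__main__":
    for label, schema in (("posted", SCHEMA_POSTED), ("fixed", SCHEMA_FIXED)):
        print(label, attributes_without_equality(schema))
```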
Getting output from proxied Active Directory connection
by Clemson, Chris (IHG)
Please excuse the long email, but I wanted to include everything that
might be useful for a diagnosis:
I am having trouble setting up my OpenLDAP proxy.
Eventually, I would like it to authenticate to our domain controller
using idassert-bind, but I'm not worried about that at the moment.
When I issue an ldapsearch command against the domain controller:
ldapsearch -Hldap://LOCALDC -b "" -s base -x -D "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,DC=emea,DC=corp,DC=local" -W
It works and I get a reply.
When I try it via slapd (running on my machine), it seems to
authenticate me OK (wrong passwords and "-D" options return errors), but
I don't get my details back, other than a success and no results:
ldapsearch -b "" -s base -x -D "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,DC=emea,DC=corp,DC=local" -W '(samaccountname=clemsoc)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (samaccountname=clemsoc)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
"ldapsearch -b "" -s base -x '(samaccountname=clemsoc)'" also returns
the same result.
When I do the following (ie, not search for anything):
ldapsearch -b "" -s base -x -D "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,DC=emea,DC=corp,DC=local" -W
I get the following output:
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I am running slapd with -d 9, but can't really see anything that helps
me.
I guess I am missing something, or am not specific enough with my Base
DN.
Basically, all my users (that I want to search for) are in various OUs
under the "Service Delivery" OU in Active Directory.
Ldap.conf
---------
BASE ou=Service Delivery, dc=emea, dc=corp, dc=local
URI ldap://MYMACHINE
Slapd.conf
----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/MSOutlook.schema    <- a custom one I found for other attributes
pidfile /var/openldap/run/slapd.pid
argsfile /var/openldap/run/slapd.args
Moduleload back_ldap.la
access to * by * read
database ldap
uri ldap://LOCALDC
suffix "dc=emea,dc=corp,dc=local"
idassert-bind
bindmethod=simple
binddn="cn=OpenLDAP Access Account,cn=users,DC=emea,DC=corp,DC=local"
credentials="xxxxx"
mode=none
Below is the "slapd -d 9" output of a request attempt:
@(#) $OpenLDAP: slapd 2.3.39 (Nov 24 2007 18:26:23) $
vzell@vzell-de:/usr/src/openldap-2.3.39-1/build/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.5.20: (December 17, 2007)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Berkeley DB 4.5.20: (December 17, 2007)
ldap_url_parse_ext(ldap://LOCALDC)
>>> dnPrettyNormal: <dc=emea,dc=corp,dc=local>
<<< dnPrettyNormal: <dc=emea,dc=corp,dc=local>,
<dc=emea,dc=corp,dc=local>
>>> dnNormalize: <cn=OpenLDAP Access
Account,cn=users,DC=emea,DC=corp,DC=local>
<<< dnNormalize: <cn=openldap access
account,cn=users,dc=emea,dc=corp,dc=local>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES (
supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $
olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $
olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $
olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree
$ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $
olcDbShmKey $ olcChainMaxReferralDepth $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ reqResult $ reqId $ reqVersion $ reqSizeLimit $
reqTimeLimit $ reqEntries $ olcProxyCacheQueries $ errCode $
errSleepTime $ olcSpSessionlog $ mailPreferenceOption ) )
1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES (
supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $
olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $
olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $
olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree
$ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $
olcDbShmKey $ olcChainMaxReferralDepth $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ reqResult $ reqId $ reqVersion $ reqSizeLimit $
reqTimeLimit $ reqEntries $ olcProxyCacheQueries $ errCode $
errSleepTime $ olcSpSessionlog $ mailPreferenceOption ) )
1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer
$ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $
nSRecord $ sOARecord $ cNAMERecord $ janetMailbox ) )
1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer
$ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $
nSRecord $ sOARecord $ cNAMERecord $ janetMailbox ) )
2.5.13.35 (certificateMatch): matchingRuleUse: ( 2.5.13.35 NAME
'certificateMatch' APPLIES ( userCertificate $ cACertificate ) )
2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME
'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (
2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (
supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes
$ supportedApplicationContext ) )
2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29
NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $
uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $
olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $
olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $
olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcChainMaxReferralDepth $
olcDbProtocolVersion $ olcDbConnectionPoolMax $ reqResult $ reqId $
reqVersion $ reqSizeLimit $ reqTimeLimit $ reqEntries $
olcProxyCacheQueries $ errCode $ errSleepTime $ olcSpSessionlog $
mailPreferenceOption ) )
2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME
'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp $
reqStart $ reqEnd $ pwdChangedTime $ pwdAccountLockedTime $
pwdFailureTime $ pwdGraceUseTime ) )
2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
'uniqueMemberMatch' APPLIES uniqueMember )
2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME
'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $
pager $ otherFacsimiletelephoneNumber $ IPPhone ) )
2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
'octetStringMatch' APPLIES ( userPassword $ reqControls $
reqRespControls $ reqMod $ reqOld $ reqData $ pwdHistory $ queryid ) )
2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
'bitStringMatch' APPLIES x500UniqueIdentifier )
2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME
'integerMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $
olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $
olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $
olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $
olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree
$ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $
olcDbShmKey $ olcChainMaxReferralDepth $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ reqResult $ reqId $ reqVersion $ reqSizeLimit $
reqTimeLimit $ reqEntries $ olcProxyCacheQueries $ errCode $
errSleepTime $ olcSpSessionlog $ mailPreferenceOption ) )
2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME
'booleanMatch' APPLIES ( hasSubordinates $ olcGentleHUP $ olcLastMod $
olcReadOnly $ olcReverseLookup $ olcDbNoSync $ olcDbDirtyRead $
olcDbLinearIndex $ olcChainCacheURI $ olcChainReturnError $
olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbProxyWhoAmI $
olcDbSingleConn $ olcDbUseTemporaryConn $ olcAccessLogSuccess $
reqDeleteOldRDN $ reqAttrsOnly $ pwdReset $ olcPPolicyHashCleartext $
olcPPolicyUseLockout $ olcSpNoPresent $ olcSpReloadHint ) )
2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $
homePostalAddress ) )
2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7
NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $
destinationIndicator $ dnQualifier ) )
2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $
dnQualifier ) )
2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile
$ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $
olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $
olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $
olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $
olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $
olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $
olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile
$ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $
olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd
$ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcAccessLogOps $ olcAccessLogPurge $
olcAccessLogOld $ reqType $ reqSession $ reqMessage $ reqReferral $
reqMethod $ reqAssertion $ reqScope $ reqDerefAliases $ reqFilter $
reqAttr $ olcAuditlogFile $ olcDLattrSet $ olcProxyCache $
olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ errOp $
errText $ olcSpCheckpoint $ olcValSortAttr $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $
destinationIndicator $ givenName $ initials $ generationQualifier $
dnQualifier $ houseIdentifier $ dmdName $ pseudonym $
textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $
documentIdentifier $ documentTitle $ documentVersion $ documentLocation
$ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $
buildingName $ documentPublisher $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ preferredLanguage $ rdn $
URL $ comment $ conferenceInformation ) )
2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4
NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $
destinationIndicator $ dnQualifier ) )
2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME
'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator
$ dnQualifier ) )
2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile
$ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $
olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $
olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $
olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $
olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $
olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $
olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile
$ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $
olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd
$ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcAccessLogOps $ olcAccessLogPurge $
olcAccessLogOld $ reqType $ reqSession $ reqMessage $ reqReferral $
reqMethod $ reqAssertion $ reqScope $ reqDerefAliases $ reqFilter $
reqAttr $ olcAuditlogFile $ olcDLattrSet $ olcProxyCache $
olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ errOp $
errText $ olcSpCheckpoint $ olcValSortAttr $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $
destinationIndicator $ givenName $ initials $ generationQualifier $
dnQualifier $ houseIdentifier $ dmdName $ pseudonym $
textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $
documentIdentifier $ documentTitle $ documentVersion $ documentLocation
$ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $
buildingName $ documentPublisher $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ preferredLanguage $ rdn $
URL $ comment $ conferenceInformation ) )
1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1
(distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $
subschemaSubentry $ namingContexts $ aliasedObjectName $
distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $
olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcDbACLAuthcDn $
olcDbIDAssertAuthcDn $ olcAccessLogDB $ reqDN $ reqAuthzID $ reqNewRDN $
reqNewSuperior $ pwdPolicySubentry $ olcPPolicyDefault $ errMatchedDN $
member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $
associatedName $ dITRedirect $ reports ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension
$ supportedFeatures $ supportedApplicationContext ) )
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=include{0}"
config_build_entry: "cn=include{1}"
config_build_entry: "cn=include{2}"
config_build_entry: "cn=include{3}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "cn={3}MSOutlook"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}ldap"
backend_startup_one: starting "dc=emea,dc=corp,dc=local"
ldap_back_db_open: URI=ldap://LOCALDC
slapd starting
daemon: added 3r listener=0x0
daemon: added 5r listener=0x10041fc8
daemon: select: listen=5 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
>>> slap_listener(ldap:///)
daemon: listen=5, new connection on 6
daemon: added 6r (active) listener=0x0
daemon: select: listen=5 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 6r
daemon: read activity on 6
connection_get(6): got connid=0
connection_read(6): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 121 contents:
ber_get_next
daemon: select: listen=5 active_threads=0 tvp=NULL
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Chris
Clemson,ou=users,ou=SITE,ou=Corp,ou=Service
Delivery,DC=emea,DC=corp,DC=local>
<<< dnPrettyNormal: <cn=Chris
Clemson,ou=users,ou=SITE,ou=Corp,ou=Service
Delivery,dc=emea,dc=corp,dc=local>, <cn=chris
clemson,ou=users,ou=SITE,ou=corp,ou=service
delivery,dc=emea,dc=corp,dc=local>
do_bind: version=3 dn="cn=Chris
Clemson,ou=users,ou=SITE,ou=Corp,ou=Service
Delivery,dc=emea,dc=corp,dc=local" method=128
ldap_create
ldap_url_parse_ext(ldap://LOCALDC)
=>ldap_back_getconn: conn=0 op=0: lc=0x10076828 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP LOCALDC:389
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying LOCALDCIP:389
ldap_connect_timeout: fd: 7 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 123 bytes to sd 7
ldap_result ld 0x100a60b0 msgid 1
ldap_chkResponseList ld 0x100a60b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100a60b0 NULL
wait4msg ld 0x100a60b0 msgid 1 (timeout 100000 usec)
wait4msg continue ld 0x100a60b0 msgid 1 all 1
** ld 0x100a60b0 Connections:
* host: LOCALDC port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Apr 9 16:36:19 2008
** ld 0x100a60b0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x100a60b0 Response Queue:
Empty
ldap_chkResponseList ld 0x100a60b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100a60b0 NULL
ldap_int_select
read1msg: ld 0x100a60b0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x100a60b0 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
ber_scanf fmt ({eaa}) ber:
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x100a60b0 0 new referrals
read1msg: mark request completed, ld 0x100a60b0 msgid 1
request done: ld 0x100a60b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
do_bind: v3 bind: "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service
Delivery,dc=emea,dc=corp,dc=local" to "cn=Chris
Clemson,ou=users,ou=SITE,ou=Corp,ou=Service
Delivery,dc=emea,dc=corp,dc=local"
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 6
daemon: activity on 1 descriptor
daemon: activity on: 6r
daemon: read activity on 6
connection_get(6): got connid=0
connection_read(6): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 51 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
daemon: select: listen=5 active_threads=0 tvp=NULL
<<< dnPrettyNormal: <>, <>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 6
daemon: activity on 1 descriptor
daemon: activity on: 6r
daemon: read activity on 6
connection_get(6): got connid=0
connection_read(6): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 6 failed errno=0 (No error)
connection_read(6): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=6 for close
connection_close: deferring conn=0 sd=6
daemon: select: listen=5 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=5 active_threads=0 tvp=NULL
do_unbind
connection_resched: attempting closing conn=0 sd=6
connection_close: conn=0 sd=6
=>ldap_back_conn_destroy: fetching conn 0
daemon: removing 6
daemon: shutdown requested and initiated.
daemon: closing 5
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
slapd destroy: freeing system resources.
ldap_free_connection 1 1
ldap_send_unbind
ber_flush: 7 bytes to sd 7
ldap_free_connection: actually freed
slapd stopped.
Thank you,
Chris
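Every ldapsearch in the post runs with -b "" -s base. The explicit -b overrides the BASE in ldap.conf, and the empty DN with scope base addresses exactly one entry, the root DSE, which the proxy answers itself (it is the single entry the second run returns). The filter (samaccountname=clemsoc) is therefore evaluated against the root DSE only and nothing ever reaches the ldap database at dc=emea,dc=corp,dc=local; a search for the user needs a base at or below that suffix and scope one or sub. The Python below is an added example, not from the post or from OpenLDAP: it evaluates base/one/sub scope and a simple equality or presence filter over a constructed tree built from the DNs in the post (the sAMAccountName value and the objectClass values of the non-root entries are made up). Separately, the proxy's ACL `access to * by * read` grants read to every client including anonymous ones; it is worth tightening once the proxy works.

```python
# Added example (not from the post or from OpenLDAP): LDAP search scope
# evaluated over a small constructed tree built from the DNs in the post.

ROOT_DSE = ""
SUFFIX = "dc=emea,dc=corp,dc=local"
OU = "ou=Service Delivery,dc=emea,dc=corp,dc=local"
USER = ("cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,"
        "DC=emea,DC=corp,DC=local")

# Constructed directory: the root DSE the proxy answers itself, plus the
# suffix, the OU and the user from the post (attribute values made up).
DIRECTORY = {
    ROOT_DSE: {"objectClass": ["top", "OpenLDAProotDSE"]},
    SUFFIX: {"objectClass": ["domain"]},
    OU: {"objectClass": ["organizationalUnit"]},
    USER: {"objectClass": ["user"], "sAMAccountName": ["clemsoc"]},
}


def split_dn(dn):
    """DN -> list of normalised RDNs (lower-cased, whitespace around the
    separators dropped).  Escaped commas are not handled: enough for the
    DNs in this thread, not a full RFC 4514 parser."""
    if not dn.strip():
        return []  # the empty DN names the root DSE
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is covered by (base_dn, scope): 'base' is the base
    entry alone, 'one' its immediate children, 'sub' the base and every
    entry beneath it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # neither the base entry nor beneath it
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def matches(entry, filter_str):
    """Evaluate one equality or presence filter such as
    '(samaccountname=clemsoc)' or '(objectclass=*)'.  Attribute types are
    case-insensitive; values are compared case-insensitively here too."""
    attr, _, value = filter_str.strip("()").partition("=")
    values = [v.lower() for k, vs in entry.items()
              if k.lower() == attr.lower() for v in vs]
    return bool(values) if value == "*" else value.lower() in values


def search(directory, base_dn, scope, filter_str):
    """DNs of the entries that are both in scope and match the filter."""
    return [dn for dn, entry in directory.items()
            if in_scope(dn, base_dn, scope) and matches(entry, filter_str)]


if __name__ == "__main__":
    # What the post ran: base "" scope base puts only the root DSE in scope.
    print(search(DIRECTORY, "", "base", "(samaccountname=clemsoc)"))  # []
    print(search(DIRECTORY, "", "base", "(objectclass=*)"))           # ['']
    # Searching the OU subtree finds the user.
    print(search(DIRECTORY, OU, "sub", "(samaccountname=clemsoc)"))
```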
problem with using OpenLDAP with GSSAPI-Kerberos against an MS AD Domain Controller
by Austin Cherian
Hi,
I hope someone can answer this query regarding LDAP and GSSAPI, as I
really didn't find substantial info on the net for what I was trying
to accomplish.
I have some limitations on using OpenLDAP with Cyrus SASL and hence
have to manufacture my own GSSAPI client to use with LDAP. However, I have
run into some technical issues here with my implementation and MS AD. Here's
my problem in short:
I am using the Kerberos mechanism with GSSAPI: I first use Kerberos APIs to
get a TGT for the SPN that I have obtained a keytab for previously. I then use
GSSAPI gss_init_sec_context to obtain a service ticket for the LDAP server.
I then call ldap_init and subsequently call ldap_sasl_bind_s with mech
set to GSS-SPNEGO, supplying the GSSAPI token (obtained from
gss_init_sec_context) as credential (I set the DN in the ldap_sasl_bind_s
to NULL).
From the network traces and the return code I see that the bind was
successful. The bind result shows success (0x00) and negTokenTarg shows
negResult as accept-completed. This shows that the bind was indeed a success;
also to note here, the krb-blob that comes with the bind result is
successfully consumed by subsequent calls to gss_init_sec_context to
complete context establishment.
The issue that I'm facing now is that I pass a GSS-wrapped search request
(i.e. I build a search request and pass it to the gss_wrap API to get a
token) to the ldap_search_ext API. From the network traces I see that the
search request has been received by the LDAP server properly. However, the
LDAP server (MS AD LDAP server) responds with the following message:
LdapErr: DSID-0C09062.27 comment: In order to perform this operation a
successful bind must be completed on the connection.
Can someone please throw some light on why the search query is
getting back an error that there was no bind done, in spite of the
server responding success for the LDAP bind prior to sending the search
request? Any help will be greatly appreciated...
Thanks,
Austin.
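Whether the framing of the search request is the cause cannot be determined from the post, but the wire format that applies after a SASL bind is worth having in front of you when reading the trace. ldap_search_ext() encodes the SearchRequest itself from a filter string and has no parameter for a pre-wrapped token; when libldap runs a SASL security layer it applies the wrapping in a socket I/O layer below the BER encoder, so that every LDAP PDU leaves as a 4-octet big-endian length followed by the wrapped buffer (RFC 4422 section 3.7). For the GSSAPI mechanism the layer and the two maximum buffer sizes are first agreed through the 4-octet tokens of RFC 4752 section 3.1; with GSS-SPNEGO against Active Directory that token exchange is not performed and sign/seal follow the flags negotiated for the context (an assumption here, based on how the Cyrus SASL and Samba implementations treat it), while the length-prefixed framing of subsequent PDUs is the same. The Python below is an added example, not the poster's client and not libldap or Cyrus SASL code: it encodes and decodes the negotiation tokens, frames and unframes PDUs, and shows that an unprotected BER PDU arriving where protected buffers are expected is rejected. gss_wrap/gss_unwrap are stood in for by an HMAC under a constructed key, since no real context can be established offline.

```python
# Added example (not the poster's client, nor libldap/Cyrus SASL code):
# RFC 4752 security-layer negotiation and the RFC 4422 buffer framing every
# LDAP PDU must use once a SASL security layer is in effect.
import hashlib
import hmac
import struct

# RFC 4752 section 3.1 layer bits.
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4


class ToyContext:
    """Stand-in for an established GSS-API context: wrap() = MAC || data,
    unwrap() verifies the MAC.  Integrity only, no confidentiality."""
    MAC_LEN = 32

    def __init__(self, key):
        self.key = key  # constructed value, not a negotiated session key

    def wrap(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest() + data

    def unwrap(self, token):
        mac, data = token[:self.MAC_LEN], token[self.MAC_LEN:]
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("integrity check failed")
        return data


def encode_layer_token(layer_mask, max_buffer, authzid=b""):
    """Octet 1: bit mask of layers; octets 2-4: maximum buffer size in
    network byte order.  The client's answer may append an authzid."""
    if not 0 < layer_mask < 8 or not 0 <= max_buffer < 1 << 24:
        raise ValueError("layer mask must be 1..7 and max buffer below 2^24")
    return bytes([layer_mask]) + max_buffer.to_bytes(3, "big") + authzid


def decode_layer_token(token):
    """Inverse of encode_layer_token: (layer_mask, max_buffer, authzid)."""
    if len(token) < 4:
        raise ValueError("layer token shorter than 4 octets")
    return token[0], int.from_bytes(token[1:4], "big"), token[4:]


def negotiate_layer(ctx, server_offer, server_max, client_choice, client_max):
    """Both sides of the exchange: the server wraps its offer, the client
    unwraps it, picks exactly one offered layer and wraps its answer, and
    the server unwraps that.  Returns (layer, server_max, client_max)."""
    offer, server_max_seen, _ = decode_layer_token(
        ctx.unwrap(ctx.wrap(encode_layer_token(server_offer, server_max))))
    if client_choice & (client_choice - 1) or not client_choice & offer:
        raise ValueError("client must choose one layer the server offered")
    chosen, client_max_seen, _ = decode_layer_token(
        ctx.unwrap(ctx.wrap(encode_layer_token(client_choice, client_max))))
    return chosen, server_max_seen, client_max_seen


def frame(ctx, pdu, peer_max):
    """Protect one LDAP PDU for the wire: wrap it, then prefix the 4-octet
    big-endian length of the wrapped buffer (RFC 4422 section 3.7)."""
    wrapped = ctx.wrap(pdu)
    if len(wrapped) > peer_max:
        raise ValueError("wrapped buffer exceeds the peer's maximum")
    return struct.pack("!I", len(wrapped)) + wrapped


def unframe(ctx, stream, my_max):
    """Split received bytes into protected buffers and unwrap each one.
    Returns (pdus, leftover).  A length above the announced maximum is a
    protocol error; an unprotected BER PDU shows up exactly that way."""
    pdus = []
    while len(stream) >= 4:
        (n,) = struct.unpack("!I", stream[:4])
        if n > my_max:
            raise ValueError("buffer length %d exceeds negotiated maximum" % n)
        if len(stream) < 4 + n:
            break  # incomplete buffer: wait for more bytes
        pdus.append(ctx.unwrap(stream[4:4 + n]))
        stream = stream[4 + n:]
    return pdus, stream


def accepts(ctx, stream, my_max):
    """True if unframe() consumes the stream without a protocol error."""
    try:
        unframe(ctx, stream, my_max)
        return True
    except ValueError:
        return False


# Constructed stand-in for a BER-encoded SearchRequest (not valid BER).
SEARCH_PDU = b"\x30\x0c\x02\x01\x02\x63\x07constructed"

if __name__ == "__main__":
    ctx = ToyContext(b"constructed-session-key")
    print(negotiate_layer(ctx, LAYER_INTEGRITY | LAYER_CONFIDENTIALITY, 65536,
                          LAYER_CONFIDENTIALITY, 16384))
    print(unframe(ctx, frame(ctx, SEARCH_PDU, 65536), 65536))
    print(accepts(ctx, SEARCH_PDU, 65536))  # bare PDU after a layer: False
```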
Re: OpenLDAP 2.3 Make Test Failed
by Luke Lee
Hi Quanah,
Thank you for the response.
I have the following set when I ran the configure:
#!/bin/bash
env CPPFLAGS="-I/usr/local/include -I/usr/local/zlib-1.2.3/include -I/usr/local/BerkeleyDB.4.5/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include -I/usr/local/cyrus-sasl-2.1.21/include" \
LDFLAGS="-L/usr/local/lib -L/usr/local/zlib-1.2.3/lib -L/usr/local/BerkeleyDB.4.5/lib -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib -L/usr/local/cyrus-sasl-2.1.21/lib" \
../configure --with-tls --with-cyrus-sasl --enable-crypt --enable-syslog
I didn't encounter a problem when I did the make depend and make. Should I set the environment when I run the make test? Please enlighten me. Thanks.
Luke
----- Original Message ----
From: Quanah Gibson-Mount <quanah(a)zimbra.com>
To: Luke Lee <leeluke77(a)yahoo.com>; openldap-technical(a)openldap.org
Sent: Friday, April 11, 2008 4:53:42 PM
Subject: Re: OpenLDAP 2.3 Make Test Failed
--On Friday, April 11, 2008 4:35 PM -0700 Luke Lee <leeluke77(a)yahoo.com>
wrote:
>
>
> Hi,
>
> I'd like to thank all the people who previously helped with my OpenLDAP
> 2.3 build process. Now, I come to the last stage but got stuck at the
> "make test" stage. It failed with the following messages:
> I tried to resolve the problem by creating a symbolic link to the shared
> lib under /usr/local/ssl/lib, but in vain. Can anyone please help?
> I'll highly appreciate it!
You need to set the run path correctly when building, so that slapd knows
what paths to search to find the libraries.
For example, in my OpenLDAP build, I have:
LDFLAGS="-L$(OPENSSL_LIB_DIR) -L$(BDB_LIB_DIR) -L$(CYRUS_LIB_DIR)
-R$(OPENSSL_LIB_DIR) -R$(BDB_LIB_DIR) -R$(CYRUS_LIB_DIR)"
and when I go to make:
LD_RUN_PATH=$(OPENSSL_LIB_DIR):$(BDB_LIB_DIR):$(CYRUS_LIB_DIR) $(MAKE)
$(MAKEARGS);
that should get you going in the right direction.
--Quanah
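The symbolic link under /usr/local/ssl/lib did not help because the dynamic loader never looks in that directory unless it is told to. For a needed library name without a slash the glibc loader tries, in order, the binary's DT_RPATH (only when it has no DT_RUNPATH), LD_LIBRARY_PATH, DT_RUNPATH, the ldconfig cache, and finally /lib and /usr/lib. The -R flags above bake the directory into the binary at link time; an exported LD_LIBRARY_PATH (the approach in the Configure Error thread further down) supplies it from the environment at run time. The Python below is an added example, not from the thread or from OpenLDAP's build system: it simulates that search order over a throwaway directory tree laid out like the one in the thread, with empty placeholder files standing in for the libraries. On a real build, `readelf -d clients/tools/ldapsearch | grep -E 'RPATH|RUNPATH'` shows whether the run path made it into the binary. Whichever way the path is supplied, its directories should be root-owned and not writable by others, since the loader trusts whatever library it finds there.

```python
# Added example (not from the thread or OpenLDAP's build system): the
# dynamic loader's library search order, simulated over a throwaway tree.
import os
import tempfile

DEFAULT_DIRS = ("/lib", "/usr/lib")


def search_order(rpath=(), runpath=(), ld_library_path=(), cache_dirs=(),
                 default_dirs=DEFAULT_DIRS):
    """Directories the glibc loader tries, in order, for a DT_NEEDED name
    without a slash: DT_RPATH (only when the binary has no DT_RUNPATH),
    LD_LIBRARY_PATH, DT_RUNPATH, the ldconfig cache, then the defaults."""
    order = [] if runpath else list(rpath)
    return (order + list(ld_library_path) + list(runpath)
            + list(cache_dirs) + list(default_dirs))


def resolve(needed, order):
    """{soname: first directory on 'order' that contains it, or None}."""
    return {lib: next((d for d in order if os.path.exists(os.path.join(d, lib))), None)
            for lib in needed}


def scenario(root, needed=("libssl.so.0.9.8", "libc.so.6")):
    """Create <root>/usr/local/ssl/lib/libssl.so.0.9.8 (where the thread's
    symlink lives) and <root>/usr/lib/libc.so.6, then resolve 'needed'
    three ways.  The files are empty placeholders, not real libraries."""
    ssl_lib = os.path.join(root, "usr", "local", "ssl", "lib")
    sys_lib = os.path.join(root, "usr", "lib")
    for directory, name in ((ssl_lib, "libssl.so.0.9.8"), (sys_lib, "libc.so.6")):
        os.makedirs(directory, exist_ok=True)
        open(os.path.join(directory, name), "wb").close()
    defaults = (os.path.join(root, "lib"), sys_lib)
    return {
        # linked with -L only: nothing points the loader at /usr/local/ssl/lib
        "L_only": resolve(needed, search_order(default_dirs=defaults)),
        # linked with -R (DT_RPATH) as suggested above
        "with_R": resolve(needed, search_order(rpath=[ssl_lib], default_dirs=defaults)),
        # same binary, LD_LIBRARY_PATH exported in the environment instead
        "env": resolve(needed, search_order(ld_library_path=[ssl_lib], default_dirs=defaults)),
    }


def run_scenario():
    """Run scenario() in a temporary tree that is removed afterwards."""
    with tempfile.TemporaryDirectory() as root:
        return scenario(root)


if __name__ == "__main__":
    for case, found in run_scenario().items():
        print(case, found)
```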
OpenLDAP 2.3 Make Test Failed
by Luke Lee
Hi,
I'd like to thank all the people who previously helped with my OpenLDAP 2.3 build process. Now, I come to the last stage but got stuck at the "make test" stage. It failed with the following messages:
cd tests; make test
make[1]: Entering directory `/myopenldap/openldap-2.3.39/tests'
make[2]: Entering directory `/myopenldap/openldap-2.3.39/tests'
Initiating LDAP tests for BDB...
Running ./scripts/all...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse ...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
../scripts/test000-rootdse: line 66: kill: (28736) - No such process
.../clients/tools/ldapsearch: error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 127)
make[2]: *** [bdb-yes] Error 127
make[2]: Leaving directory `/myopenldap/openldap-2.3.39/tests'
make[1]: *** [test] Error 2
make[1]: Leaving directory `/myopenldap/openldap-2.3.39/tests'
make: *** [test] Error 2
I tried to resolve the problem by creating a symbolic link to the shared lib under /usr/local/ssl/lib, but in vain. Can anyone please help? I'd highly appreciate it!
Luke
13 years
Re: OpenLDAP 2.3 Configure Error
by Luke Lee
Hi Tommy,
Thank you for the in-depth information. I think I'd better stick with the stable OpenLDAP release.
Luke
----- Original Message ----
From: Tommy Ho <tho(a)stillsecure.com>
To: openldap-technical <openldap-technical(a)openldap.org>
Sent: Friday, April 11, 2008 12:39:30 PM
Subject: Re: OpenLDAP 2.3 Configure Error
On Fri, 2008-04-11 at 11:56 -0700, Quanah Gibson-Mount wrote:
> --On Friday, April 11, 2008 11:53 AM -0700 Luke Lee <leeluke77(a)yahoo.com>
> wrote:
>
> >
> >
> >
> > Hi Tommy,
> >
> > Thank you very much for the help. I also want to give thanks to whoever
> > spent time reading my previous emails and this one. It appears to me that I
> > just couldn't find my mistake.
> >
> > I corrected it per your instruction. However, I am encountering another
> > error message now. The error message says:
>
>
> OpenLDAP 2.3 does not support building with BDB 4.6.
>
> --Quanah
>
Yes, as Quanah had pointed out, the corrective action is to either
1) use BDB 4.5.20 (supported by openLDAP 2.3) or
2) use openLDAP 2.4.8 in order to use BDB 4.6.x.
In either case, if your bdb libraries are not installed into /libs or /usr/libs, you'll need to set LD_LIBRARY_PATH to where BDB libraries are installed (e.g. export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib) before starting configure to avoid getting the version mismatch error.
Good luck,
\Tommy
13 years
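The library-path settings the two replies above describe (Quanah's LDFLAGS with -L and -R plus LD_RUN_PATH before make, Tommy's LD_LIBRARY_PATH before configure), as an added shell example that is not code from the thread or from the OpenLDAP project. The three *_LIB_DIR values are constructed placeholders, and the sample log line is modelled on the make-test failure Luke posted; the helper functions (ldflags_for, path_join, missing_lib, find_in_path) are the example's own names.

```shell
#!/bin/sh
# Added example, not code from the thread. Composes the link-time (-L),
# run-time (-R / LD_RUN_PATH) and configure-time (LD_LIBRARY_PATH) library
# search settings for an out-of-tree OpenLDAP build, then checks a loader
# error line against those directories.

# Constructed placeholders for the three dependency lib dirs named in
# Quanah's LDFLAGS line; substitute the real install prefixes.
OPENSSL_LIB_DIR=/usr/local/ssl/lib
BDB_LIB_DIR=/usr/local/BerkeleyDB.4.5/lib
CYRUS_LIB_DIR=/usr/local/lib

# Emit "-L<dir> ... -R<dir> ..." for every directory given. -L lets the
# linker find the library now; -R records the directory as an RPATH so the
# dynamic loader finds it later without LD_LIBRARY_PATH being set.
ldflags_for() {
  out=""
  for d in "$@"; do out="${out:+$out }-L$d"; done
  for d in "$@"; do out="$out -R$d"; done
  printf '%s' "$out"
}

# Join directories with ':' for LD_RUN_PATH (make) or LD_LIBRARY_PATH (configure).
path_join() {
  out=""
  for d in "$@"; do out="${out:+$out:}$d"; done
  printf '%s' "$out"
}

# Extract the library name from a glibc "error while loading shared
# libraries: <lib>: cannot open shared object file" line; prints nothing
# for lines that are not loader failures.
missing_lib() {
  printf '%s\n' "$1" |
    sed -n 's/.*error while loading shared libraries: \([^:]*\):.*/\1/p'
}

# Print the first directory of a ':'-separated list that contains the
# library file; return 1 if none does, which is exactly the situation the
# loader is complaining about.
find_in_path() {
  lib=$1
  old_ifs=$IFS
  IFS=:
  for d in $2; do
    if [ -f "$d/$lib" ]; then
      IFS=$old_ifs
      printf '%s\n' "$d"
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# Settings a build script would export before running configure and make.
LDFLAGS=$(ldflags_for "$OPENSSL_LIB_DIR" "$BDB_LIB_DIR" "$CYRUS_LIB_DIR")
LD_RUN_PATH=$(path_join "$OPENSSL_LIB_DIR" "$BDB_LIB_DIR" "$CYRUS_LIB_DIR")
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$LD_RUN_PATH
export LDFLAGS LD_RUN_PATH LD_LIBRARY_PATH

# Constructed log line modelled on the make-test failure in the thread.
sample='../clients/tools/ldapsearch: error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory'
lib=$(missing_lib "$sample")
if dir=$(find_in_path "$lib" "$LD_RUN_PATH"); then
  echo "$lib is in $dir: rebuild so that directory lands in the RPATH"
else
  echo "$lib is in none of $LD_RUN_PATH: fix the *_LIB_DIR values first"
fi
```

Whether -R reaches the linker depends on the compiler driver; with GNU toolchains -Wl,-rpath,<dir> is the unambiguous spelling of the same thing. After the build, readelf -d slapd (look for RPATH or RUNPATH) or ldd slapd shows whether the recorded path took effect. Because the loader trusts every directory recorded there, those directories should be root-owned and not writable by other users, and LD_LIBRARY_PATH should be treated as a build-time convenience rather than something slapd relies on at run time.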
Re: OpenLDAP 2.3 Configure Error
by Luke Lee
Hi Tommy,
Thank you very much for the help. I also want to give thanks to whoever spent time reading my previous emails and this one. It appears to me that I just couldn't find my mistake.
I corrected it per your instruction. However, I am encountering another error message now. The error message says:
checking for db.h... yes
checking for Berkeley DB major version... 4
checking for Berkeley DB minor version... 6
checking for Berkeley DB link (-ldb-4)... yes
checking for Berkeley DB version match... no
configure: error: Berkeley DB version mismatch
A few lines in the log are:
configure:31831: checking db.h presence
configure:31841: cc -E -I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include conftest.c
configure:31847: $? = 0
configure:31867: result: yes
configure:31902: checking for db.h
configure:31909: result: yes
configure:31925: checking for Berkeley DB major version
configure:32044: result: 4
configure:32047: checking for Berkeley DB minor version
configure:32290: result: 6
configure:34481: checking for Berkeley DB link (-ldb-4)
configure:34547: cc -o conftest -g -O2 -I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include -L/usr/local/lib -L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib conftest.c -ldb-4 -pthread -lresolv >&5
configure:34553: $? = 0
configure:34557: test -z
|| test ! -s conftest.err
configure:34560: $? = 0
configure:34563: test -s conftest
configure:34566: $? = 0
configure:34581: result: yes
configure:35580: checking for Berkeley DB version match
configure:35636: cc -o conftest -g -O2 -I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include -L/usr/local/lib -L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib conftest.c -ldb-4 -pthread -lresolv >&5
configure:35639: $? = 0
configure:35641: ./conftest
../conftest: error while loading shared libraries: libdb-4.6.so: cannot open shared object file: No such file or directory
configure:35644: $? = 127
configure: program exited with status 127
configure: failed program was:
| /* confdefs.h. */
I know that I have an older version of DB. However, I have added the 4.6 path for the build. How can I resolve the problem? Please help. Thank you!
Luke Lee
----- Original Message ----
From: Tommy Ho <tho(a)stillsecure.com>
To: Luke Lee <leeluke77(a)yahoo.com>
Cc: openldap-technical(a)openldap.org
Sent: Friday, April 11, 2008 10:15:51 AM
Subject: Re: OpenLDAP 2.3 Configure Error
On Thu, 2008-04-10 at 17:50 -0700, Luke Lee wrote:
> Hi,
>
> I'm building a custom OpenLDAP 2.3 but failed at the configure stage
> with the following error messages:
> checking openssl/ssl.h usability... no
> checking openssl/ssl.h presence... no
> checking for openssl/ssl.h... no
> configure: error: Could not locate TLS/SSL package
>
> I've installed OpenSSL at the default /usr/local/ssl location with
> threads, shared, and zlib support.
>
> In the configure log, the ssl.h was not found. A few lines of the log
> are attached below:
>
> configure:18067: cc -E -I/usr/local/include
> -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include
> -I/usr/local/ssl/include/openssl conftest.c
> configure:18073: $? = 0
> configure:18093: result: yes
> configure:18128: checking for sys/un.h
> configure:18135: result: yes
> configure:19451: checking openssl/ssl.h usability
> configure:19463: cc -c -g -O2 -I/usr/local/include
> -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include
> -I/usr/local/ssl/include/openssl conftest.c >&5
> conftest.c:127:25: openssl/ssl.h: No such file or directory
> configure:19469: $? = 1
> configure: failed program was:
> | /* confdefs.h. */
> |
> | #define PACKAGE_NAME ""
> | #define PACKAGE_TARNAME ""
> | #define PACKAGE_VERSION ""
> | #define PACKAGE_STRING ""
> | #define PACKAGE_BUGREPORT ""
> | #define OPENLDAP_PACKAGE "OpenLDAP"
>
> I have the required include and libs found in the env:
> LDFLAGS=-L/usr/local/lib -L/usr/local/BerkeleyDB.4.6/lib
> -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib
> CPPFLAGS=-I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include
> -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include/openssl
Your last include is the problem, it should be: -I/usr/local/ssl/include
\Tommy
>
> Can anyone please help resolve this problem? Thanks!
>
> Luke Lee
>
>
>
13 years
back-sql question: iodbc or unixodbc
by Tommy Ho
Hi,
I'm trying to get openLDAP 2.4.8 to work with postgreSQL 8.1.8.
Does it matter which odbc driver manager I use?
In http://www.openldap.org/faq/data/cache/978.html, under "How To Use
It", it specifies to set up unixODBC
while in http://www.samse.fr/GPL/ldap_pg/HOWTO/index.html, it says to
use iodbc.
I actually installed iodbc 3.52.6 and psqlodbc 8.03.0100 but am getting
into a pthread mutex lock when backsql_load_schema_map() is trying to
send the query "SELECT id, name, keytbl, keycol, create_proc,
delete_proc, expect_return FROM ldap_oc_mappings" to postgres. From
attaching gdb, the lock is happening in SQLAllocStmt, where it is
recursively being called from SQLAllocStmt_internal().
If others have found success getting openLDAP working with postgres,
could you please share your expertise?
Let me know if I can provide additional data, like the configure options
and other setup/version info.
Thanks,
\Tommy
13 years