openldap-technical April 2008

openldap-technical@openldap.org

56 participants
87 discussions

Re: OpenLDAP 2.3 Make Test Failed
by Luke Lee 14 Apr '08

14 Apr '08

Thank you for the suggestion. I followed your instructions and was able to successfully complete the make test. Thanks again! Luke ----- Original Message ---- From: Quanah Gibson-Mount <quanah(a)zimbra.com> To: Luke Lee <leeluke77(a)yahoo.com>; openldap-technical(a)openldap.org Sent: Friday, April 11, 2008 5:10:35 PM Subject: Re: OpenLDAP 2.3 Make Test Failed --On Friday, April 11, 2008 5:06 PM -0700 Luke Lee <leeluke77(a)yahoo.com> wrote: > > > Hi Quanah, > > Thank you for the response. > > I have the following set when I ran the configure: I suggest you compare your LD_FLAGS line with mine. You're missing some important options. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

Dynlist and roles/groups
by Ashley Penney 14 Apr '08

14 Apr '08

Hi, I'm not sure if this is exactly the right list, but I'm stuck trying to implement something at work and I'm hoping someone can help me. Background: We have an existing openldap setup that uses roles rather than groups to determine who gets what. We have people under ou=People, and roles under ou=Roles. Here's parts of my person object: dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu objectClass: hostObject objectClass: inetOrgPerson objectClass: lawHarvardEduPerson objectClass: organizationalPerson objectClass: person objectClass: posixAccount objectClass: qmailUser objectClass: shadowAccount objectClass: top cn: Ashley Penney isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu Here's cn=SFTPUser,ou=Roles dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu objectClass: lawHarvardEduRole objectClass: organizationalUnit objectClass: posixGroup objectClass: top cn: SFTPUser gidNumber: 24 ou: Roles ou: Xythos description: Indicates that a user has SFTP access. displayName: SFTP User (SFTP User) What I want to be able to do, via nss_ldap, is to interate over the isMemberOf entries, and check the cn=x,ou=roles for a posixGroup. I've managed to get it building a search of the form: SRCHbase="ou=Roles,dc=law,dc=harvard,dc=edu" scope=2deref=3filter="(|distinguishedName=cn=sftpuser:member,ou=roles,dc=law,dc=harvard,dc=edu)(distinguishedName=cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu))" It then does a SRCHattr=objectClass lookup, but this fails. My understanding is this requires some support in openldap itself, and I can't figure out if this is provided or not. So, my alternative method is to build a dynamic list up, from my understanding, and have it build me a dynamic sftp-users group. I cannot figure out what values I would map however, and I'd appreciate any assistance anyone can offer.

1 0

creating attributes in new objectclass
by Christophe Dumonet 14 Apr '08

14 Apr '08

Hello, I have created a new objectclass for my company, and added some new attributes. Slapd restarts well, I can create new attributes with values in dns, but When I want to search with the attribute with an ldapsearch or another tools (postfix ), these attributes are not find. for example : I got no answer with : ldapsearch -x -b "ou=people,dc=ifma,dc=fr" -H ldap://172.16.10.92 -D "cn=admin,dc=ifma,dc=fr" -W -LLL "(backupmail1=dumonet(a)backup1.ifma.fr)" uid ( While I see in a ldap browser an attribute backupmail1 with dumonet(a)backup1.ifma.fr in value , and got an uid ! ) My objectclass is in a new schema : , and is included in slapd.conf by include /etc/ldap/schema/ifma.schema vi ifma.schema : #schema local IFMA #Date : 23/01/2008 #Author: Christophe Dumonet - IFMA # # CLASS IFMA # attributetype ( 1.3.6.1.4.1.7135.1.3.7.103 NAME 'pathbackupmail1' DESC 'chemin pour backupmail1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 ) attributetype ( 1.3.6.1.4.1.7135.1.3.7.102 NAME 'backupmail1' DESC 'Adresse mail fictive pour backup mail 1 en temps reel' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) objectclass ( 1.3.6.1.4.1.7135.1.3.7.1 NAME 'ifma' SUP top AUXILIARY DESC 'classe d infos ifma' MAY ( backupmail1 $ pathbackupmail1 )) Why ? Is my schema not well created, my syntax ? other , I work with openldap 2.3.30 , thanks for answer ! Christophe Dumonet. -- ---------------------------------------------------- Christophe Dumonet Centre de Ressources Informatiques Institut Francais de Mecanique Avancee (IFMA) Campus des Cezeaux BP 265 63175 AUBIERE Cedex Tel : +33 - 4.73.28.80.64 Fax : +33 - 4.73.28.81.00 Mail : Christophe.Dumonet(a)ifma.fr ----------------------------------------------------

2 2

Getting output from proxied Active Directory connection
by Clemson, Chris (IHG) 14 Apr '08

14 Apr '08

Please excuse the long email, but I wanted to include everything that might be useful for a diagnosis: I am having trouble setting up my OpenLDAP proxy. Eventually, I would like it to authenticate to our domain controller using idassert-bind, but I'm not worried about that at the moment. When I issue an ldapsearch command against the domain controller: ldapsearch -Hldap://LOCALDC -b "" -s base -x -D "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,DC=emea,DC=corp,DC=local" -W It works and I get a reply. When I try it via slapd (running on my machine), It seems to authenticate me ok (wrong passwords and "-D" options return errors), but I don't get my details back, other than a success and no results: ldapsearch -b "" -s base -x -D "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery ,DC=emea,DC=corp,DC=local" -W '(samaccountname=clemsoc)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (samaccountname=clemsoc) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 "ldapsearch -b "" -s base -x '(samaccountname=clemsoc)'" also returns the same result. When I do the following (ie, not search for anything): ldapsearch -b "" -s base -x -D "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,DC=emea,DC=corp,DC=local" -W I get the following output: Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # dn: objectClass: top objectClass: OpenLDAProotDSE # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 I am running slapd with -d 9, but can't really see anything that helps me. I guess I am missing something, or am not specific enough with my Base DN. Basically, all my users (that I want to search for) are in various OUs under the "Service Delivery" OU in Active Directory. Ldap.conf --------- BASE ou=Service Delivery, dc=emea, dc=corp, dc=local URI ldap://MYMACHINE Slapd.conf ---------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/MSOutlook.schema <- custom one I found on for other attributes pidfile /var/openldap/run/slapd.pid argsfile /var/openldap/run/slapd.args Moduleload back_ldap.la access to * by * read database ldap uri ldap://LOCALDC suffix "dc=emea,dc=corp,dc=local" idassert-bind bindmethod=simple binddn="cn=OpenLDAP Access Account,cn=users,DC=emea,DC=corp,DC=local" credentials="xxxxx" mode=none Below is the "slapd -d 9" output of a request attempt: @(#) $OpenLDAP: slapd 2.3.39 (Nov 24 2007 18:26:23) $ vzell@vzell-de:/usr/src/openldap-2.3.39-1/build/servers/slapd daemon_init: listen on ldap:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// daemon_init: 1 listeners opened slapd init: initiated server. slap_sasl_init: initialized! bdb_back_initialize: initialize BDB backend bdb_back_initialize: Berkeley DB 4.5.20: (December 17, 2007) hdb_back_initialize: initialize HDB backend hdb_back_initialize: Berkeley DB 4.5.20: (December 17, 2007) ldap_url_parse_ext(ldap://LOCALDC) >>> dnPrettyNormal: <dc=emea,dc=corp,dc=local> <<< dnPrettyNormal: <dc=emea,dc=corp,dc=local>, <dc=emea,dc=corp,dc=local> >>> dnNormalize: <cn=OpenLDAP Access Account,cn=users,DC=emea,DC=corp,DC=local> <<< dnNormalize: <cn=openldap access account,cn=users,dc=emea,dc=corp,dc=local> >>> dnNormalize: <cn=Subschema> <<< dnNormalize: <cn=subschema> matching_rule_use_init 1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcChainMaxReferralDepth $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ reqResult $ reqId $ reqVersion $ reqSizeLimit $ reqTimeLimit $ reqEntries $ olcProxyCacheQueries $ errCode $ errSleepTime $ olcSpSessionlog $ mailPreferenceOption ) ) 1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcChainMaxReferralDepth $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ reqResult $ reqId $ reqVersion $ reqSizeLimit $ reqTimeLimit $ reqEntries $ olcProxyCacheQueries $ errCode $ errSleepTime $ olcSpSessionlog $ mailPreferenceOption ) ) 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox ) ) 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox ) ) 2.5.13.35 (certificateMatch): matchingRuleUse: ( 2.5.13.35 NAME 'certificateMatch' APPLIES ( userCertificate $ cACertificate ) ) 2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) ) 2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) ) 2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcChainMaxReferralDepth $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ reqResult $ reqId $ reqVersion $ reqSizeLimit $ reqTimeLimit $ reqEntries $ olcProxyCacheQueries $ errCode $ errSleepTime $ olcSpSessionlog $ mailPreferenceOption ) ) 2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp $ reqStart $ reqEnd $ pwdChangedTime $ pwdAccountLockedTime $ pwdFailureTime $ pwdGraceUseTime ) ) 2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation ) 2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember ) 2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress ) 2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager $ otherFacsimiletelephoneNumber $ IPPhone ) ) 2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ reqControls $ reqRespControls $ reqMod $ reqOld $ reqData $ pwdHistory $ queryid ) ) 2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier ) 2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcChainMaxReferralDepth $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ reqResult $ reqId $ reqVersion $ reqSizeLimit $ reqTimeLimit $ reqEntries $ olcProxyCacheQueries $ errCode $ errSleepTime $ olcSpSessionlog $ mailPreferenceOption ) ) 2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcGentleHUP $ olcLastMod $ olcReadOnly $ olcReverseLookup $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcChainCacheURI $ olcChainReturnError $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbProxyWhoAmI $ olcDbSingleConn $ olcDbUseTemporaryConn $ olcAccessLogSuccess $ reqDeleteOldRDN $ reqAttrsOnly $ pwdReset $ olcPPolicyHashCleartext $ olcPPolicyUseLockout $ olcSpNoPresent $ olcSpReloadHint ) ) 2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) ) 2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) 2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ reqType $ reqSession $ reqMessage $ reqReferral $ reqMethod $ reqAssertion $ reqScope $ reqDerefAliases $ reqFilter $ reqAttr $ olcAuditlogFile $ olcDLattrSet $ olcProxyCache $ olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ errOp $ errText $ olcSpCheckpoint $ olcValSortAttr $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ rdn $ URL $ comment $ conferenceInformation ) ) 2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ reqType $ reqSession $ reqMessage $ reqReferral $ reqMethod $ reqAssertion $ reqScope $ reqDerefAliases $ reqFilter $ reqAttr $ olcAuditlogFile $ olcDLattrSet $ olcProxyCache $ olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ errOp $ errText $ olcSpCheckpoint $ olcValSortAttr $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ rdn $ URL $ comment $ conferenceInformation ) ) 1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ namingContexts $ aliasedObjectName $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ olcAccessLogDB $ reqDN $ reqAuthzID $ reqNewRDN $ reqNewSuperior $ pwdPolicySubentry $ olcPPolicyDefault $ errMatchedDN $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect $ reports ) ) 2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) ) slapd startup: initiated. backend_startup_one: starting "cn=config" config_back_db_open config_build_entry: "cn=config" config_build_entry: "cn=include{0}" config_build_entry: "cn=include{1}" config_build_entry: "cn=include{2}" config_build_entry: "cn=include{3}" config_build_entry: "cn=schema" config_build_entry: "cn={0}core" config_build_entry: "cn={1}cosine" config_build_entry: "cn={2}inetorgperson" config_build_entry: "cn={3}MSOutlook" config_build_entry: "olcDatabase={-1}frontend" config_build_entry: "olcDatabase={0}config" config_build_entry: "olcDatabase={1}ldap" backend_startup_one: starting "dc=emea,dc=corp,dc=local" ldap_back_db_open: URI=ldap://LOCALDC slapd starting daemon: added 3r listener=0x0 daemon: added 5r listener=0x10041fc8 daemon: select: listen=5 active_threads=0 tvp=NULL daemon: activity on 1 descriptor >>> slap_listener(ldap:///) daemon: listen=5, new connection on 6 daemon: added 6r (active) listener=0x0 daemon: select: listen=5 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 6r daemon: read activity on 6 connection_get(6): got connid=0 connection_read(6): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 121 contents: ber_get_next daemon: select: listen=5 active_threads=0 tvp=NULL do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: >>> dnPrettyNormal: <cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,DC=emea,DC=corp,DC=local> <<< dnPrettyNormal: <cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,dc=emea,dc=corp,dc=local>, <cn=chris clemson,ou=users,ou=SITE,ou=corp,ou=service delivery,dc=emea,dc=corp,dc=local> do_bind: version=3 dn="cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,dc=emea,dc=corp,dc=local" method=128 ldap_create ldap_url_parse_ext(ldap://LOCALDC) =>ldap_back_getconn: conn=0 op=0: lc=0x10076828 inserted refcnt=1 rc=0 ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP LOCALDC:389 ldap_new_socket: 7 ldap_prepare_socket: 7 ldap_connect_to_host: Trying LOCALDCIP:389 ldap_connect_timeout: fd: 7 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush: 123 bytes to sd 7 ldap_result ld 0x100a60b0 msgid 1 ldap_chkResponseList ld 0x100a60b0 msgid 1 all 1 ldap_chkResponseList returns ld 0x100a60b0 NULL wait4msg ld 0x100a60b0 msgid 1 (timeout 100000 usec) wait4msg continue ld 0x100a60b0 msgid 1 all 1 ** ld 0x100a60b0 Connections: * host: LOCALDC port: 389 (default) refcnt: 2 status: Connected last used: Wed Apr 9 16:36:19 2008 ** ld 0x100a60b0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x100a60b0 Response Queue: Empty ldap_chkResponseList ld 0x100a60b0 msgid 1 all 1 ldap_chkResponseList returns ld 0x100a60b0 NULL ldap_int_select read1msg: ld 0x100a60b0 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 0x100a60b0 msgid 1 message type bind ber_scanf fmt ({eaa) ber: ber_scanf fmt ({eaa}) ber: new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: ld 0x100a60b0 0 new referrals read1msg: mark request completed, ld 0x100a60b0 msgid 1 request done: ld 0x100a60b0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree do_bind: v3 bind: "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,dc=emea,dc=corp,dc=local" to "cn=Chris Clemson,ou=users,ou=SITE,ou=Corp,ou=Service Delivery,dc=emea,dc=corp,dc=local" send_ldap_result: conn=0 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 6 daemon: activity on 1 descriptor daemon: activity on: 6r daemon: read activity on 6 connection_get(6): got connid=0 connection_read(6): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 51 contents: ber_get_next do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <> daemon: select: listen=5 active_threads=0 tvp=NULL <<< dnPrettyNormal: <>, <> ber_scanf fmt ({mm}) ber: ber_scanf fmt ({M}}) ber: send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=101 err=0 ber_flush: 14 bytes to sd 6 daemon: activity on 1 descriptor daemon: activity on: 6r daemon: read activity on 6 connection_get(6): got connid=0 connection_read(6): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next ber_get_next on fd 6 failed errno=0 (No error) connection_read(6): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=6 for close connection_close: deferring conn=0 sd=6 daemon: select: listen=5 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=5 active_threads=0 tvp=NULL do_unbind connection_resched: attempting closing conn=0 sd=6 connection_close: conn=0 sd=6 =>ldap_back_conn_destroy: fetching conn 0 daemon: removing 6 daemon: shutdown requested and initiated. daemon: closing 5 slapd shutdown: waiting for 0 threads to terminate slapd shutdown: initiated slapd destroy: freeing system resources. ldap_free_connection 1 1 ldap_send_unbind ber_flush: 7 bytes to sd 7 ldap_free_connection: actually freed slapd stopped. Thank you, Chris

1 1

problem with using OpenLDAP with GSSAPI-Kerberos against an MS AD Domain Controller
by Austin Cherian 11 Apr '08

11 Apr '08

Hi, I hope some one can answer this query regarding LDAP and GSSAPI as i really dint find substantial info for this on the net for what i was trying to accomplish. I have some limitations on using OpenLDAP with Cyrus SASL and hence have to manufacture my own GSSAPI client to use with LDAP. However i have run into some technical issues here with my implementation and MS AD. Here's my problem in short: I am using the kerberos mechanism with GSSAPI, i first use kerberos API's to get a TGT for SPN that i have obtained a keytab for previously. I then use GSSAPI gss_init_sec_context to obtain a service ticket for the ldap server. I then call ldap_init and then subsequently call ldap_sasl_bind_s with mech as GSS-SPNEGO and supplying the GSSAPI token ( obtained from gss_init_sec_context ) as credential ( i set the DN in the ldap_sasl_bind_s to NULL ). >From the network traces and the return code i see that the bind was successful. The bind result shows success (0x00) and negTokenTarg shows negResult as accept-completed. This shows that Bind was indeed a success also to note here the krb-blob that comes with the bind result is successfully consumed by subsequent calls to gss_init_sec_context to complete context establishment. The issue that im facing now is that when i pass GSS wraped search request ( i.e. i build a search request and pass it to gss_wrap API to get a token ) token to the ldap_search_ext api. From the network traces i see that the search request has been received by the ldap server properly. However the LDAP server ( MS AD LDAP server ) responds with the following message : LdapErr: DSID-0C09062.27 comment: In order to perform this operation a successful bind must be completed on the connection. Can some one please throw some light on as to why the search query is getting back with an error that there was no bind done in spite of the server responding success for the LDAP bind prior to sending the search request ?? Any help will be greatly appreciated... Thanks, Austin.

1 0

Re: OpenLDAP 2.3 Make Test Failed
by Luke Lee 11 Apr '08

11 Apr '08

Hi Quanah, Thank you for the response. I have the following set when I ran the configure: #!/bin/bash env CPPFLAGS="-I/usr/local/include -I/usr/local/zlib-1.2.3/include -I/usr/local/BerkeleyDB.4.5/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include -I/usr/local/cyrus-sasl-2.1.21/include" \ LDFLAGS="-L/usr/local/lib -L/usr/local/zlib-1.2.3/lib -L/usr/local/BerkeleyDB.4.5/lib -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib -L/usr/local/cyrus-sasl-2.1.21/lib" \ ../configure --with-tls --with-cyrus-sasl --enable-crypt --enable-syslog I didn't encounter a problem when I did the make depend and make. Should I set the environment when I run the make test? Please enlighten me. Thanks. Luke ----- Original Message ---- From: Quanah Gibson-Mount <quanah(a)zimbra.com> To: Luke Lee <leeluke77(a)yahoo.com>; openldap-technical(a)openldap.org Sent: Friday, April 11, 2008 4:53:42 PM Subject: Re: OpenLDAP 2.3 Make Test Failed --On Friday, April 11, 2008 4:35 PM -0700 Luke Lee <leeluke77(a)yahoo.com> wrote: > > > Hi, > > I'd like to appreciate all people who previously helped out my OpenLDAP > 2.3 build process. Now, I come to the last stage but got stuck at the > "make test" stage. It failed with the following messages: > I triled to resolve the problem by creating a symbolic link to the shared > lib under the /usr/local/ssl/lib but in vain. Can anyone please help? > I'll highly appreciate it! You need to set the run path correctly when building, so that slapd knows what paths to search to find the libraries. For example, in my OpenLDAP build, I have: LDFLAGS="-L$(OPENSSL_LIB_DIR) -L$(BDB_LIB_DIR) -L$(CYRUS_LIB_DIR) -R$(OPENSSL_LIB_DIR) -R$(BDB_LIB_DIR) -R$(CYRUS_LIB_DIR)" and when I go to make: LD_RUN_PATH=$(OPENSSL_LIB_DIR):$(BDB_LIB_DIR):$(CYRUS_LIB_DIR) $(MAKE) $(MAKEARGS); that should get you going in the right direction. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

2 1

OpenLDAP 2.3 Make Test Failed
by Luke Lee 11 Apr '08

11 Apr '08

Hi, I'd like to appreciate all people who previously helped out my OpenLDAP 2.3 build process. Now, I come to the last stage but got stuck at the "make test" stage. It failed with the following messages: cd tests; make test make[1]: Entering directory `/myopenldap/openldap-2.3.39/tests' make[2]: Entering directory `/myopenldap/openldap-2.3.39/tests' Initiating LDAP tests for BDB... Running ./scripts/all... >>>>> Executing all LDAP tests for bdb >>>>> Starting test000-rootdse ... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to retrieve the root DSE... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... ../scripts/test000-rootdse: line 66: kill: (28736) - No such process .../clients/tools/ldapsearch: error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory >>>>> Test failed >>>>> ./scripts/test000-rootdse failed (exit 127) make[2]: *** [bdb-yes] Error 127 make[2]: Leaving directory `/myopenldap/openldap-2.3.39/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/myopenldap/openldap-2.3.39/tests' make: *** [test] Error 2 I triled to resolve the problem by creating a symbolic link to the shared lib under the /usr/local/ssl/lib but in vain. Can anyone please help? I'll highly appreciate it! Luke __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

2 1

Re: OpenLDAP 2.3 Configure Error
by Luke Lee 11 Apr '08

11 Apr '08

Hi Tommy, Thank you for the indepth information. I think that I'd better to stick with the stable OpenLDAP release. Luke ----- Original Message ---- From: Tommy Ho <tho(a)stillsecure.com> To: openldap-technical <openldap-technical(a)openldap.org> Sent: Friday, April 11, 2008 12:39:30 PM Subject: Re: OpenLDAP 2.3 Configure Error On Fri, 2008-04-11 at 11:56 -0700, Quanah Gibson-Mount wrote: > --On Friday, April 11, 2008 11:53 AM -0700 Luke Lee <leeluke77(a)yahoo.com> > wrote: > > > > > > > > > Hi Tommy, > > > > Thank you very much for the help. I also want to give thanks to whoever > > spent time reading my previous and this emails. It appears to me that I > > just couldn't find my mistake. > > > > I corrected it per your instrcution. However, I am encountering another > > error message now. The error message says: > > > OpenLDAP 2.3 does not support building with BDB 4.6. > > --Quanah > Yes, as Quanah had pointed out, the corrective action is to either 1) use BDB 4.5.20 (supported by openLDAP 2.3) or 2) use openLDAP 2.4.8 in order to use BDB 4.6.x. In either case, if your bdb libraries are not installed into /libs or /usr/libs, you'll need to set LD_LIBRARY_PATH to where BDB libraries are installed (e.g. export LD_LIBRARY_PATH= $LD_LIBRARY_PATH:/usr/local/lib) before starting configure to avoid getting the version mismatch error. Good luck, \Tommy > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

1 0

Re: OpenLDAP 2.3 Configure Error
by Luke Lee 11 Apr '08

11 Apr '08

Hi Tommy, Thank you very much for the help. I also want to give thanks to whoever spent time reading my previous and this emails. It appears to me that I just couldn't find my mistake. I corrected it per your instrcution. However, I am encountering another error message now. The error message says: checking for db.h... yes checking for Berkeley DB major version... 4 checking for Berkeley DB minor version... 6 checking for Berkeley DB link (-ldb-4)... yes checking for Berkeley DB version match... no configure: error: Berkeley DB version mismatch A few lines in the log are: configure:31831: checking db.h presence configure:31841: cc -E -I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include conftest.c configure:31847: $? = 0 configure:31867: result: yes configure:31902: checking for db.h configure:31909: result: yes configure:31925: checking for Berkeley DB major version configure:32044: result: 4 configure:32047: checking for Berkeley DB minor version configure:32290: result: 6 configure:34481: checking for Berkeley DB link (-ldb-4) configure:34547: cc -o conftest -g -O2 -I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include -L/usr/local/lib -L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib conftest.c -ldb-4 -pthread -lresolv >&5 configure:34553: $? = 0 configure:34557: test -z || test ! -s conftest.err configure:34560: $? = 0 configure:34563: test -s conftest configure:34566: $? = 0 configure:34581: result: yes configure:35580: checking for Berkeley DB version match configure:35636: cc -o conftest -g -O2 -I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include -L/usr/local/lib -L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib conftest.c -ldb-4 -pthread -lresolv >&5 configure:35639: $? = 0 configure:35641: ./conftest ../conftest: error while loading shared libraries: libdb-4.6.so: cannot open shared object file: No such file or directory configure:35644: $? = 127 configure: program exited with status 127 configure: failed program was: | /* confdefs.h. */ I know that I have an older version of DB. However, I have added the 4.6 path for the build. How can I resolve the problem? Please help. Thank you! Luke Lee ----- Original Message ---- From: Tommy Ho <tho(a)stillsecure.com> To: Luke Lee <leeluke77(a)yahoo.com> Cc: openldap-technical(a)openldap.org Sent: Friday, April 11, 2008 10:15:51 AM Subject: Re: OpenLDAP 2.3 Configure Error On Thu, 2008-04-10 at 17:50 -0700, Luke Lee wrote: > Hi, > > I'm building a custom OpenLDAP 2.3 but failed at the configure stage > with the following error messages: > checking openssl/ssl.h usability... no > checking openssl/ssl.h presence... no > checking for openssl/ssl.h... no > configure: error: Could not locate TLS/SSL package > > I've installed OpenSSL at the default /usr/local/ssl localtion with > threads, shared, and zlib support. > > In the configure log, the ssl.h was not found. A few lines of the log > are attached below: > > configure:18067: cc -E -I/usr/local/include > -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include > -I/usr/local/ssl/include/openssl conftest.c > configure:18073: $? = 0 > configure:18093: result: yes > configure:18128: checking for sys/un.h > configure:18135: result: yes > configure:19451: checking openssl/ssl.h usability > configure:19463: cc -c -g -O2 -I/usr/local/include > -I/usr/local/BerkeleyDB.4.6/include -I/usr/local/krb5-1.6.3/include > -I/usr/local/ssl/include/openssl conftest.c >&5 > conftest.c:127:25: openssl/ssl.h: No such file or directory > configure:19469: $? = 1 > configure: failed program was: > | /* confdefs.h. */ > | > | #define PACKAGE_NAME "" > | #define PACKAGE_TARNAME "" > | #define PACKAGE_VERSION "" > | #define PACKAGE_STRING "" > | #define PACKAGE_BUGREPORT "" > | #define OPENLDAP_PACKAGE "OpenLDAP" > > I have the required include and libs found in the env: > LDFLAGS=-L/usr/local/lib -L/usr/local/BerkeleyDB.4.6/lib > -L/usr/local/krb5-1.6.3/lib -L/usr/local/ssl/lib > CPPFLAGS=-I/usr/local/include -I/usr/local/BerkeleyDB.4.6/include > -I/usr/local/krb5-1.6.3/include -I/usr/local/ssl/include/openssl Your last include is the problem, it should be: -I/usr/local/ssl/include \Tommy > > Can anyone please help resolve this problem? Thanks! > > Luke Lee > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

3 2

back-sql question: iodbc or unixodbc
by Tommy Ho 11 Apr '08

11 Apr '08

Hi, I'm trying to get openLDAP 2.4.8 to work with postgreSQL 8.1.8. Does it matter which odbc driver manager I use? In http://www.openldap.org/faq/data/cache/978.html, under "How To Use It", it specifies to setup unixODBC while in http://www.samse.fr/GPL/ldap_pg/HOWTO/index.html, it says to use iodbc. I actually installed iodbc 3.52.6 and psqlodbc 8.03.0100 but am getting into a pthread mutex lock when backsql_load_schema_map() is trying to send the query "SELECT id, name, keytbl, keycol, create_proc, delete_proc, expect_return FROM ldap_oc_mappings" to postgres. From attaching gdb, the lock is happening SQLAllocStmt where is it is recursively being called from SQLAllocStmt_internal(). If others have found success getting openLDAP working with postgres, could you please share your expertise? Let me know if I can provide additional data, like the configure options and other setup/version info. Thanks, \Tommy

2 4

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2008